I have an IoT core policy on a certificate where I'm trying to allow subscribe access to all topics under the 'thing-name", but I continuously get errors on the greengrass client about subscribing to these nodes UNLESS i open up the Resource to "*".
I can't see what is wrong with the policy I have below
{
"Effect": "Allow",
"Action": [
"iot:Subscribe"
],
"Resource": [
"arn:aws:iot:ap-southeast-2:xxxx:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/jobs/#",
"arn:aws:iot:ap-southeast-2:xxxx:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/#",
"arn:aws:iot:ap-southeast-2:xxxx:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/tunnels/#",
"arn:aws:iot:ap-southeast-2:xxxx:topicfilter/abc/${iot:Connection.Thing.ThingName}/#"
]
},
On the device
023-11-02T05:02:50.314Z [ERROR] (AwsEventLoop 3) com.aws.greengrass.mqttclient.AwsIotMqtt5Client: Error subscribing to topic. {clientId=12345678, topic=$aws/things/12345678/shadow/name/AWSManagedGreengrassV2Deployment/update/accepted, reasonCode=135}
2023-11-02T05:02:50.354Z [ERROR] (AwsEventLoop 3) com.aws.greengrass.mqttclient.AwsIotMqtt5Client: Error subscribing to topic. {clientId=12345678, topic=$aws/things/12345678/jobs/$next/namespace-aws-gg-deployment/get/rejected, reasonCode=135}
2023-11-02T05:02:50.393Z [ERROR] (AwsEventLoop 3) com.aws.greengrass.mqttclient.AwsIotMqtt5Client: Error subscribing to topic. {clientId=12345678, topic=$aws/things/12345678/shadow/name/AWSManagedGreengrassV2Deployment/update/rejected, reasonCode=135}
2023-11-02T05:02:50.434Z [ERROR] (AwsEventLoop 3) com.aws.greengrass.mqttclient.AwsIotMqtt5Client: Error subscribing to topic. {clientId=12345678, topic=$aws/things/12345678/jobs/notify-namespace-aws-gg-deployment, reasonCode=135}
2023-11-02T05:02:50.474Z [ERROR] (AwsEventLoop 3) com.aws.greengrass.mqttclient.AwsIotMqtt5Client: Error subscribing to topic. {clientId=12345678, topic=$aws/things/12345678/shadow/name/AWSManagedGreengrassV2Deployment/get/accepted, reasonCode=135}
2023-11-02T05:03:04.189Z [ERROR] (AwsEventLoop 3) com.aws.greengrass.mqttclient.AwsIotMqtt5Client: Error subscribing to topic. {clientId=12345678, topic=$aws/things/12345678/tunnels/notify, reasonCode=135}
2023-11-02T05:03:13.936Z [ERROR] (AwsEventLoop 3) com.aws.greengrass.mqttclient.AwsIotMqtt5Client: Error subscribing to topic. {clientId=12345678, topic=abc/12345678/v1/video/#, reasonCode=135}
2023-11-02T05:05:12.183Z [ERROR] (AwsEventLoop 3) com.aws.greengrass.mqttclient.AwsIotMqtt5Client: Error subscribing to topic. {clientId=12345678, topic=$aws/things/12345678/tunnels/notify, reasonCode=135}
AWS OFFICIALUpdated 5 months ago
Hi Greg_B - No, this is just anonymised, but it's an exact match for the Thing name in the IoT core registry. What I found was that if I put a '*' in place of the '#' that the permissions worked - but this seems to contravene the AWS documentation I can find. I'm still confused as to what is the correct policy specification.
Oh I see. I thought you meant replacing the policy variable with '*'. The problem is that '#' is not a valid wildcard character in an IoT policy: https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html#pub-sub-policy-cert
To add to Greg's answer, wildcards differ based if used in an IoT (or IAM) policy vs within the MQTT protocol.
#and+are literal interpretations in IoT policies, while*will be a greedy wildcard. To limit access, check out the available variables. If your certificate is attached to athingName, that variable can be used, or you could use X.509 subject attributes too such ascn/o/ou.Thanks for that I must have been reading this wrong