How do you set your policy to allow a device to subscribe to jobs?

0

I got my policy working for my primary app logic. It can now connect, subscribe and receive ONLY via its unique, verified ThingName. It is not allowed to publish anything.

But I'd also like to run the jobs-agent.js script from the SDK examples so I can reboot and perform other tasks. These used to work for me, but don't anymore, and I have verified that it's because the jobs-agent can't subscribe to the appropriate topics. (It works again when I change the policy to "*".)

Reading the jobs-agent.js file, I see jobs are in the form "$aws/things/{thingName}/jobs/#" but nothing in the policy documentation shows how to handle this form.

How do you write a policy to allow for a device to subscribe to topics of the form $aws/things/{thingName}/jobs/#?

Cyrus
Asked 5 years ago, 194 views
1 Answer
0

Nailed it. This policy grants access to my application logic (ThingName/) and the jobs in the form that aws-iot-device-sdk-js/examples/jobs-agent.js wants them ($aws/things/ThingName/jobs/).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:MYACCOUNTID:client/${iot:Connection.Thing.ThingName}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:MYACCOUNTID:topicfilter/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:us-east-1:MYACCOUNTID:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:MYACCOUNTID:topic/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:us-east-1:MYACCOUNTID:topic/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:MYACCOUNTID:topic/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*"
      ]
    }
  ]
}
Cyrus
Answered 5 years ago
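A way to sanity-check a policy like the one above before attaching it to a certificate is to evaluate sample requests against it offline. The script below is an added example, not part of the original question or answer and not AWS code: it carries a constructed copy of the answer's policy (region and MYACCOUNTID left as placeholders) and a small evaluator that applies the two rules that matter here: a `*` in a Resource ARN matches any run of characters, while everything else, including the MQTT wildcards `+` and `#`, is compared literally against the topic filter string the client actually subscribes with. The `${iot:Connection.Thing.ThingName}` variable is substituted with the thing name the connecting certificate is attached to, which is why this policy only resolves for certificates that are attached to a thing. The checks show that the jobs-agent's `$aws/things/<ThingName>/jobs/#` subscription passes, while `$aws/things/+/jobs/#`, another thing's jobs topics and a bare `#` are refused, and that publishing outside the jobs namespace remains denied. This evaluator only models Allow/Deny and `*` matching; it is not a substitute for the service's own authorization logic.

```python
import re

# Constructed copy of the policy from the answer above; region and account ID
# are left as placeholders exactly as in the original.
ARN_PREFIX = "arn:aws:iot:us-east-1:MYACCOUNTID:"
THING_VAR = "${iot:Connection.Thing.ThingName}"

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Connect"],
         "Resource": [ARN_PREFIX + "client/" + THING_VAR]},
        {"Effect": "Allow", "Action": ["iot:Subscribe"],
         "Resource": [ARN_PREFIX + "topicfilter/" + THING_VAR + "/*",
                      ARN_PREFIX + "topicfilter/$aws/things/" + THING_VAR + "/jobs/*"]},
        {"Effect": "Allow", "Action": ["iot:Receive"],
         "Resource": [ARN_PREFIX + "topic/" + THING_VAR + "/*",
                      ARN_PREFIX + "topic/$aws/things/" + THING_VAR + "/jobs/*"]},
        {"Effect": "Allow", "Action": ["iot:Publish"],
         "Resource": [ARN_PREFIX + "topic/$aws/things/" + THING_VAR + "/jobs/*"]},
    ],
}


def glob_match(pattern: str, value: str) -> bool:
    """Policy-style matching: '*' matches any run of characters (including '/'),
    everything else is literal. MQTT '+' and '#' get no special meaning, so a
    subscription to '$aws/things/+/jobs/#' is compared character by character."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, action: str, resource_arn: str, thing_name: str) -> bool:
    """Evaluate one request for a connection whose certificate is attached to
    `thing_name` (the value substituted for iot:Connection.Thing.ThingName).
    An explicit Deny wins; otherwise at least one matching Allow is required."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(glob_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        resolved = [r.replace(THING_VAR, thing_name) for r in _as_list(stmt["Resource"])]
        if any(glob_match(r, resource_arn) for r in resolved):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Subscribe is checked against a topicfilter ARN built from the literal filter
# string; Publish and Receive are checked against a topic ARN.
def can_connect(client_id: str, thing: str) -> bool:
    return is_allowed(POLICY, "iot:Connect", ARN_PREFIX + "client/" + client_id, thing)


def can_subscribe(topic_filter: str, thing: str) -> bool:
    return is_allowed(POLICY, "iot:Subscribe", ARN_PREFIX + "topicfilter/" + topic_filter, thing)


def can_publish(topic: str, thing: str) -> bool:
    return is_allowed(POLICY, "iot:Publish", ARN_PREFIX + "topic/" + topic, thing)


def can_receive(topic: str, thing: str) -> bool:
    return is_allowed(POLICY, "iot:Receive", ARN_PREFIX + "topic/" + topic, thing)


if __name__ == "__main__":
    thing = "sensor-01"  # constructed thing name for the demo
    checks = [
        ("connect as own thing", can_connect("sensor-01", thing), True),
        ("connect as another thing", can_connect("sensor-02", thing), False),
        ("jobs-agent subscription", can_subscribe("$aws/things/sensor-01/jobs/#", thing), True),
        ("another thing's jobs", can_subscribe("$aws/things/sensor-02/jobs/#", thing), False),
        ("wildcard thing name", can_subscribe("$aws/things/+/jobs/#", thing), False),
        ("subscribe to everything", can_subscribe("#", thing), False),
        ("receive on app topic", can_receive("sensor-01/commands", thing), True),
        ("publish to jobs API", can_publish("$aws/things/sensor-01/jobs/start-next", thing), True),
        ("publish to app topic", can_publish("sensor-01/status", thing), False),
    ]
    for name, got, want in checks:
        print(f"{'OK ' if got == want else 'BAD'} {name}: {got}")
```

The cases that deny `$aws/things/+/jobs/#` and `#` are the ones worth keeping in a regression check: they are exactly the subscriptions a policy of `"*"` would have let through, and they are denied here only because the `*` in the Resource ARN is anchored behind the resolved thing name.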
