Policy Thing Problem

0

Dear all, I am facing an issue with the thing policies. I need to have a restriction in the publish and subscribe resources such that the thing name must be included, and to have the resource of the action iot:Connect be a *. The problem is that if I use policy version 2 as mentioned, nothing would be published unless the client_ID that I am using matches the Thing name, which is not my intention. I need to have a flexible client_ID not restricted to the thing name while restricting the topics to publish and subscribe to the thing name, since I am interested in having two codes or two clients that publish to the same topic and can read data from each other. If I leave everything without restriction as in policy 3 it works, but I need to have certain restrictions. How can I solve this issue?

Policy Version 1:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": "arn:aws:iot:eu-central-1:624671744366:client/${iot:Connection.Thing.ThingName}"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish",
                "iot:Receive"
            ],
            "Resource": [
                "arn:aws:iot:eu-central-1:624671744366:topic/${iot:Connection.Thing.ThingName}/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": [
                "arn:aws:iot:eu-central-1:624671744366:topicfilter/${iot:Connection.Thing.ThingName}/*"
            ]
        }
    ]
}

Policy Version 2:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish",
                "iot:Receive"
            ],
            "Resource": "arn:aws:iot:eu-central-1:624671744366:topic/${iot:Connection.Thing.ThingName}/*"
        },
        {
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": "arn:aws:iot:eu-central-1:624671744366:topicfilter/${iot:Connection.Thing.ThingName}/*"
        }
    ]
}

Policy Version 3:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish",
                "iot:Receive"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": "*"
        }
    ]
}

Asked 1 month ago, 103 views
2 Answers
1

Please check the policy below once,

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iot:ClientId": "${iot:Connection.Thing.ThingName}"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish",
                "iot:Receive"
            ],
            "Resource": "arn:aws:iot:eu-central-1:624671744366:topic/${iot:Connection.Thing.ThingName}/*"
        },
        {
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": "arn:aws:iot:eu-central-1:624671744366:topicfilter/${iot:Connection.Thing.ThingName}/*"
        }
    ]
}

Answered 1 month ago
0

Hi. Please see here in regards to the thing name policy variable: https://docs.aws.amazon.com/iot/latest/developerguide/thing-policy-variables.html

The thing name is obtained from the client ID in the MQTT Connect message sent when a thing connects to AWS IoT Core.

When you're replacing thing names with thing policy variables, the value of clientId in the MQTT connect message or the TLS connection must exactly match the thing name.

So it's currently not possible to use that policy variable and "have a flexible client_ID not restricted to thing name".

AWS
Expert
Greg_B
Answered 1 month ago
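To make the behaviour Greg_B describes concrete, here is a small added Python simulation (not code from the thread or from AWS) of how `${iot:Connection.Thing.ThingName}` is resolved against Policy Version 2 from the question. It models only the rule stated above: the thing name is taken from the MQTT client ID, so the variable resolves only when the client ID exactly equals a registered thing name, and a statement whose resource cannot be resolved matches nothing. The thing registry and the request ARNs are constructed sample data; the requirement that the thing also be attached to the connecting certificate is not modelled.

```python
import json
import re

# Policy Version 2 from the question, with the wildcards restored.
POLICY_V2 = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
         "Resource": "arn:aws:iot:eu-central-1:624671744366:topic/${iot:Connection.Thing.ThingName}/*"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": "arn:aws:iot:eu-central-1:624671744366:topicfilter/${iot:Connection.Thing.ThingName}/*"}
    ]
}
""")

THING_NAME_VAR = "${iot:Connection.Thing.ThingName}"
ARN_PREFIX = "arn:aws:iot:eu-central-1:624671744366:"

# Constructed sample registry of thing names in the account (assumption; whether
# the thing is attached to the connecting certificate is not modelled here).
REGISTERED_THINGS = {"sensor-01", "sensor-02"}


def resolve_thing_variable(resource, client_id, registered_things):
    """Substitute the thing policy variable as the answer describes: the thing
    name is taken from the MQTT client ID, so the variable resolves only when
    the client ID is exactly a registered thing name. Returns None when the
    resource cannot be resolved, meaning the statement can never match."""
    if THING_NAME_VAR not in resource:
        return resource
    if client_id not in registered_things:
        return None
    return resource.replace(THING_NAME_VAR, client_id)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_regex(pattern):
    # '*' in an IoT policy resource is a multi-character wildcard.
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def is_allowed(policy, action, resource_arn, client_id, registered_things=REGISTERED_THINGS):
    """Evaluate one request: an explicit Deny wins, otherwise any matching
    Allow grants access, and an unresolved resource matches nothing."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        if action not in actions and "iot:*" not in actions and "*" not in actions:
            continue
        for pattern in _as_list(stmt["Resource"]):
            resolved = resolve_thing_variable(pattern, client_id, registered_things)
            if resolved is None or not _wildcard_regex(resolved).fullmatch(resource_arn):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def demo():
    """Constructed requests: the same publish from a client whose ID equals the
    thing name and from a second client with a free-form ID."""
    topic = ARN_PREFIX + "topic/sensor-01/telemetry"
    return {
        "connect_free_client_id": is_allowed(POLICY_V2, "iot:Connect", ARN_PREFIX + "client/app-reader-7", "app-reader-7"),
        "publish_as_thing": is_allowed(POLICY_V2, "iot:Publish", topic, "sensor-01"),
        "publish_as_free_client": is_allowed(POLICY_V2, "iot:Publish", topic, "app-reader-7"),
        "publish_to_other_thing": is_allowed(POLICY_V2, "iot:Publish", ARN_PREFIX + "topic/sensor-02/telemetry", "sensor-01"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the asker's symptom: the free-form client ID `app-reader-7` is allowed to connect because the Connect resource is `*`, but its publish to `sensor-01/telemetry` is refused because the topic resource never resolves for a client ID that is not a thing name, while the same publish from client ID `sensor-01` succeeds.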
