Policy Thing Problem

0

Dear all, I am facing an issue with the thing policies. I need to have a restriction in the publish and subscribe resources such that the thing name must be included, and to have the resources of the action IoT:Connect be a *. The problem is that if I use policy version 2 as mentioned, nothing would be published unless the client_ID that I am using matches the thing name, which is not my intention. I need to have a flexible client_ID not restricted to the thing name while restricting the topics to publish and subscribe to the thing name, since I am interested in having two codes or two clients that publish to the same topic and can read data from each other. If I leave everything without restriction, as in policy 3, it works, but I need to have certain restrictions. How can I solve this issue?

Policy Version 1:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": "arn:aws:iot:eu-central-1:624671744366:client/${iot:Connection.Thing.ThingName}"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish",
                "iot:Receive"
            ],
            "Resource": [
                "arn:aws:iot:eu-central-1:624671744366:topic/${iot:Connection.Thing.ThingName}/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": [
                "arn:aws:iot:eu-central-1:624671744366:topicfilter/${iot:Connection.Thing.ThingName}/*"
            ]
        }
    ]
}

Policy Version 2:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish",
                "iot:Receive"
            ],
            "Resource": "arn:aws:iot:eu-central-1:624671744366:topic/${iot:Connection.Thing.ThingName}/*"
        },
        {
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": "arn:aws:iot:eu-central-1:624671744366:topicfilter/${iot:Connection.Thing.ThingName}/*"
        }
    ]
}

Policy Version 3:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish",
                "iot:Receive"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": "*"
        }
    ]
}

Asked 1 month ago, viewed 103 times

2 answers
1

Please check the policy below once:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iot:ClientId": "${iot:Connection.Thing.ThingName}"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish",
                "iot:Receive"
            ],
            "Resource": "arn:aws:iot:eu-central-1:624671744366:topic/${iot:Connection.Thing.ThingName}/*"
        },
        {
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": "arn:aws:iot:eu-central-1:624671744366:topicfilter/${iot:Connection.Thing.ThingName}/*"
        }
    ]
}

Answered 1 month ago
0

Hi. Please see here in regards to the thing name policy variable: https://docs.aws.amazon.com/iot/latest/developerguide/thing-policy-variables.html

The thing name is obtained from the client ID in the MQTT Connect message sent when a thing connects to AWS IoT Core.

When you're replacing thing names with thing policy variables, the value of clientId in the MQTT connect message or the TLS connection must exactly match the thing name.

So it's currently not possible to use that policy variable and "have a flexible client_ID not restricted to thing name".

AWS
Expert
Greg_B
Answered 1 month ago
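To make the rule in this answer concrete, here is an added Python model (not code from the thread, from AWS, or from Greg_B) of how the thing-name policy variable resolves against Policy Version 2 from the question. The thing registry, the account ID and the client IDs are constructed assumptions, and the evaluator is simplified to Allow statements only.

```python
import re

# Constructed sample inputs (not from the thread): things registered in the
# account and a placeholder account ID used in the ARNs.
THINGS = {"sensor-01", "sensor-02"}
ACCOUNT = "123456789012"
THING_VAR = "${iot:Connection.Thing.ThingName}"

# Policy Version 2 from the question, with the wildcards in place.
POLICY_V2 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
         "Resource": f"arn:aws:iot:eu-central-1:{ACCOUNT}:topic/{THING_VAR}/*"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": f"arn:aws:iot:eu-central-1:{ACCOUNT}:topicfilter/{THING_VAR}/*"},
    ],
}

def thing_name_for(client_id):
    """The thing name is taken from the MQTT clientId; if no registered thing
    carries that name, the policy variable has no value."""
    return client_id if client_id in THINGS else None

def arn_matches(pattern, arn):
    """Match a resource pattern in which '*' is a wildcard and all else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, arn) is not None

def is_allowed(policy, client_id, action, arn):
    """Simplified Allow-only evaluation: a statement can only match once its
    policy variables resolve, so an unresolved thing name never grants access."""
    thing = thing_name_for(client_id)
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or action not in actions:
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for res in resources:
            if THING_VAR in res:
                if thing is None:
                    continue  # variable cannot resolve, so this statement does not apply
                res = res.replace(THING_VAR, thing)
            if arn_matches(res, arn):
                return True
    return False

def topic_arn(topic):
    """Build the topic ARN for this example's region and account."""
    return f"arn:aws:iot:eu-central-1:{ACCOUNT}:topic/{topic}"
```

A client whose clientId is a registered thing name can publish under its own topic prefix, while a client with an arbitrary clientId can connect (Resource "*") but is denied every publish, which is exactly the behaviour the question describes.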
