AWS IoT-将主题限制为用户的Cognito ID
[英]AWS IoT - Restrict topic to user's Cognito ID
问题描述
I've been trying to restrict Publish / Receive permissions to a IoT topics to a user's Cognito ID. 
我一直在尝试将对IoT主题的Publish / Receive权限限制为用户的Cognito ID。
In my application, I'm creating topics that look something like messenger/{cognitoUserId} (eg messenger/us-east-1:fa610fd5-4fab-4511-834b-8f1198744efb ). 在我的应用程序中,我正在创建看起来像messenger/{cognitoUserId} (例如messenger/us-east-1:fa610fd5-4fab-4511-834b-8f1198744efb )。
So in my IAM Policy I'd like to specify that only users whose Cognito ID is contained in the topic have Publish / Receive permissions for that topic. 因此,在我的IAM策略中,我想指定仅主题中包含Cognito ID的用户对该主题具有“ Publish / Receive权限。
This is what my IAM Policy currently look like: 这是我的IAM政策当前的样子:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iot:Connect",
"mobileanalytics:PutEvents",
"cognito-sync:*"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"iot:Receive",
"iot:Publish"
],
"Resource": "arn:aws:iot:us-east-1:123456789:topic/messenger/${cognito-identity.amazonaws.com:sub}"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "iot:Subscribe",
"Resource": "arn:aws:iot:us-east-1:123456789:topicfilter/messenger/${cognito-identity.amazonaws.com:sub}"
},
{
"Effect": "Deny",
"Action": [
"iot:Receive",
"iot:Publish"
],
"Resource": "arn:aws:iot:us-east-1:123456789:topic/messenger/*",
"Condition": {"StringNotLike": {"iot:topicfilter": [
"messenger/${cognito-identity.amazonaws.com:sub}"
]}}
}
]
}
Any help would be greatly appreciated. 任何帮助将不胜感激。 I've already spent 2 full days of digging into AWS docs, blog posts, and what not. 我已经花了整整两天的时间来研究AWS文档,博客文章以及其他内容。 This seems to me like such a normal, regular use case for AWS IoT topics, and yet so hard to get right. 在我看来,这似乎是AWS IoT主题的这种正常的常规用例,但是很难做到。
1 个解决方案
解决方案1
0 2018-01-15 05:30:18
There are 2 cases when using cognito with AWSIoT: 将cognito与AWSIoT结合使用时有两种情况:
- Cognito Authenticated Pool: In this case, you can define a policy at pool level which is less restrictive. Cognito身份验证池:在这种情况下,您可以在池级别定义限制较少的策略。 Now, you need to attach a policy to every cognito user(IoT's AttachPolicy call) to give specific permissions to the cognito user. 现在,您需要将策略附加到每个认知用户(IoT的AttachPolicy调用),以向认知用户授予特定权限。
Note: If you don't specify any IoT policy, everything is considered deny which seems to be the case if you are using authenticated pool cognito identities. 注意:如果您未指定任何IoT策略,则一切都被视为拒绝,如果您使用的是经过身份验证的池认知身份,则似乎是这种情况。
- Cognito Unauthenticated Pool: In this case, IoT does not do any scopedown(IoT's AttachPolicy call in not required) and policy at the pool level will determine what user can do with IoT resources. Cognito未经身份验证的池:在这种情况下,IoT不会进行任何范围缩小(不需要IoT的AttachPolicy调用),并且池级别的策略将确定用户可以使用IoT资源做什么。
Details of this are present at: https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html#pub-sub-policy-cognito http://docs.aws.amazon.com/iot/latest/developerguide/authorization.html 有关详细信息,请访问: https ://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html#pub-sub-policy-cognito http://docs.aws.amazon。 com / iot / latest / developerguide / authorization.html
Another Similar thread you might be interested in https://stackoverflow.com/a/47838529/962545 您可能会对https://stackoverflow.com/a/47838529/962545感兴趣的另一个类似线程
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.