AWS IoT - Restrict topic to user's Cognito ID
I've been trying to restrict Publish / Receive permissions on IoT topics to a user's Cognito ID.
In my application, I'm creating topics that look something like messenger/{cognitoUserId} (e.g. messenger/us-east-1:fa610fd5-4fab-4511-834b-8f1198744efb).
So in my IAM policy I'd like to specify that only users whose Cognito ID is contained in the topic have Publish / Receive permissions for that topic.
This is what my IAM policy currently looks like:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iot:Connect",
                "mobileanalytics:PutEvents",
                "cognito-sync:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "iot:Receive",
                "iot:Publish"
            ],
            "Resource": "arn:aws:iot:us-east-1:123456789:topic/messenger/${cognito-identity.amazonaws.com:sub}"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": "arn:aws:iot:us-east-1:123456789:topicfilter/messenger/${cognito-identity.amazonaws.com:sub}"
        },
        {
            "Effect": "Deny",
            "Action": [
                "iot:Receive",
                "iot:Publish"
            ],
            "Resource": "arn:aws:iot:us-east-1:123456789:topic/messenger/*",
            "Condition": {
                "StringNotLike": {
                    "iot:topicfilter": [
                        "messenger/${cognito-identity.amazonaws.com:sub}"
                    ]
                }
            }
        }
    ]
}
Any help would be greatly appreciated. I've already spent 2 full days digging into AWS docs, blog posts, and whatnot. This seems to me like such a normal, regular use case for AWS IoT topics, and yet so hard to get right.
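Added example, not code from the question or the answer: a small Python model of how IAM evaluates the two topic-level statements of the policy above once the Cognito identity ID is substituted for the policy variable, so the per-user isolation can be checked offline before deploying. It assumes the request context exposes the topic name under the `iot:topicfilter` condition key the Deny statement uses, and models only the StringNotLike operator.

```python
import fnmatch

# Constructed: the two topic-level statements from the question's IAM policy.
POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["iot:Receive", "iot:Publish"],
     "Resource": "arn:aws:iot:us-east-1:123456789:topic/messenger/${cognito-identity.amazonaws.com:sub}"},
    {"Effect": "Deny", "Action": ["iot:Receive", "iot:Publish"],
     "Resource": "arn:aws:iot:us-east-1:123456789:topic/messenger/*",
     "Condition": {"StringNotLike": {"iot:topicfilter": ["messenger/${cognito-identity.amazonaws.com:sub}"]}}},
]}

def substitute(value, variables):
    # Replace IAM policy variables such as ${cognito-identity.amazonaws.com:sub}.
    for name, val in variables.items():
        value = value.replace("${" + name + "}", val)
    return value

def matches(pattern, value):
    # IAM-style wildcard match: '*' any run of characters, '?' one character, case-sensitive.
    return fnmatch.fnmatchcase(value, pattern)

def condition_holds(cond, context, variables):
    # Only StringNotLike is modelled (assumption): it is the one operator this policy uses.
    for key, patterns in cond.get("StringNotLike", {}).items():
        if any(matches(substitute(p, variables), context.get(key, "")) for p in patterns):
            return False
    return True

def evaluate(policy, action, resource, variables, context):
    """IAM decision logic: an explicit Deny wins, else a matching Allow, else implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:  # Action is a list and Resource a string, as in the statements above
        if not any(matches(a, action) for a in stmt["Action"]):
            continue
        if not matches(substitute(stmt["Resource"], variables), resource):
            continue
        if not condition_holds(stmt.get("Condition", {}), context, variables):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def can_publish(identity_id, topic):
    # Can this Cognito identity publish to `topic`? The context key is assumed to carry the topic name.
    resource = "arn:aws:iot:us-east-1:123456789:topic/" + topic
    variables = {"cognito-identity.amazonaws.com:sub": identity_id}
    return evaluate(POLICY, "iot:Publish", resource, variables, {"iot:topicfilter": topic}) == "Allow"
```

Running it shows an identity can publish only to its own messenger/<id> topic; the explicit Deny is redundant in this model because a topic that matches no Allow is already an implicit Deny.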
There are 2 cases when using Cognito with AWS IoT:
Note: If you don't specify any IoT policy, everything is considered deny, which seems to be the case if you are using authenticated pool Cognito identities.
Details of this are present at: https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html#pub-sub-policy-cognito and http://docs.aws.amazon.com/iot/latest/developerguide/authorization.html
Another similar thread you might be interested in: https://stackoverflow.com/a/47838529/962545