I've been trying to restrict Publish
/ Receive
permissions to a IoT topics to a user's Cognito ID.
In my application, I'm creating topics that look something like messenger/{cognitoUserId}
(eg messenger/us-east-1:fa610fd5-4fab-4511-834b-8f1198744efb
).
So in my IAM Policy I'd like to specify that only users whose Cognito ID is contained in the topic have Publish
/ Receive
permissions for that topic.
This is what my IAM Policy currently look like:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iot:Connect",
"mobileanalytics:PutEvents",
"cognito-sync:*"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"iot:Receive",
"iot:Publish"
],
"Resource": "arn:aws:iot:us-east-1:123456789:topic/messenger/${cognito-identity.amazonaws.com:sub}"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "iot:Subscribe",
"Resource": "arn:aws:iot:us-east-1:123456789:topicfilter/messenger/${cognito-identity.amazonaws.com:sub}"
},
{
"Effect": "Deny",
"Action": [
"iot:Receive",
"iot:Publish"
],
"Resource": "arn:aws:iot:us-east-1:123456789:topic/messenger/*",
"Condition": {"StringNotLike": {"iot:topicfilter": [
"messenger/${cognito-identity.amazonaws.com:sub}"
]}}
}
]
}
Any help would be greatly appreciated. I've already spent 2 full days of digging into AWS docs, blog posts, and what not. This seems to me like such a normal, regular use case for AWS IoT topics, and yet so hard to get right.
There are 2 cases when using cognito with AWSIoT:
Note: If you don't specify any IoT policy, everything is considered deny which seems to be the case if you are using authenticated pool cognito identities.
Details of this are present at: https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html#pub-sub-policy-cognito http://docs.aws.amazon.com/iot/latest/developerguide/authorization.html
Another Similar thread you might be interested in https://stackoverflow.com/a/47838529/962545
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.