[英]AWS IOT policy document
我有一个应用程序,其中每个客户端都有自己的事物,对于我正在创建证书并将其附加到事物的每件事,我还将以下策略附加到证书。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:*",
"Resource": ["arn:aws:iot:us-east-1:*********:topic/${iot:Connection.Thing.ThingName}"]
}
]
}
我想要做的是限制客户端访问其他客户端的事物,并且每个客户端都可以完全访问其事物主题。
上述策略不起作用,客户端根本无法连接。 然而,以下是有效的(就功能而言),但客户端能够发布到所有主题。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:*",
"Resource": "*"
}
]
}
此外,以下连接成功但无法发布:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:Connect",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iot:Publish",
"Resource": [
"arn:aws:iot:us-east-1:******:topic/${iot:Connection.Thing.ThingName}"
]
}
]
}
最后如下连接并发布成功。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:Connect",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iot:Publish",
"Resource": [
"arn:aws:iot:us-east-1:******:topic/*"
]
}
]
}
MQTTBox 客户端配置:
出版商:
我究竟做错了什么?
该策略需要一个显式的iot:Connect语句以允许连接到client资源。
相关client资源记录在https://docs.aws.amazon.com/iot/latest/developerguide/action-resources.html为
客户端 ID ARN - arn:aws:iot:us-east1:123456789012:client/myClientId
对于在 AWS IoT 注册表中注册的事物,您可以使用:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:Connect",
"Resource": ["arn:aws:iot:us-east-1:*********:client/${iot:Connection.Thing.ThingName}"]
},
{
"Effect": "Allow",
"Action": "iot:*",
"Resource": ["arn:aws:iot:us-east-1:*********:topic/${iot:Connection.Thing.ThingName}"]
}
]
}
例如,此示例将允许客户端 ID 为ThingId123发布到名为ThingId123的主题。
另请参阅https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html以获取似乎与您的需求密切相关的示例。
在自己与细粒度的策略斗争之后,公认的答案应该是您刚刚忘记了主题末尾的/* ,因为 AWS 对主题资源使用了更多嵌套,
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Connect"
],
"Resource": [
"arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}",
]
}
{
"Effect": "Allow",
"Action": [
"iot:Publish"
],
"Resource": [
"arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/*"
]
}
]
}
你可以在这里阅读:
也代替
"Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/*"
你可以做
"Resource": [ "arn:aws:iot:us-east-1:123456789012:*/${iot:Connection.Thing.ThingName}/*"
这也将帮助您订阅
AWS Node JS SDK-Amazon IOT-MalformedPolicyException:策略文档格式错误
[英]AWS Node JS SDK - Amazon IOT - MalformedPolicyException: Policy document is Malformed
使用Cognito并为AWS IOT创建策略时,iot:ClientId策略变量的值是什么?
[英]When using Cognito, and creating a policy for AWS IOT, What is the value of the iot:ClientId policy variable?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.