[英]AWS IoT - Restrict topic to user's Cognito ID
我一直在嘗試將對IoT主題的Publish / Receive權限限制為用戶的Cognito ID。
在我的應用程序中,我正在創建看起來像messenger/{cognitoUserId} (例如messenger/us-east-1:fa610fd5-4fab-4511-834b-8f1198744efb )。
因此,在我的IAM策略中,我想指定僅主題中包含Cognito ID的用戶對該主題具有“ Publish / Receive權限。
這是我的IAM政策當前的樣子:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iot:Connect",
"mobileanalytics:PutEvents",
"cognito-sync:*"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"iot:Receive",
"iot:Publish"
],
"Resource": "arn:aws:iot:us-east-1:123456789:topic/messenger/${cognito-identity.amazonaws.com:sub}"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "iot:Subscribe",
"Resource": "arn:aws:iot:us-east-1:123456789:topicfilter/messenger/${cognito-identity.amazonaws.com:sub}"
},
{
"Effect": "Deny",
"Action": [
"iot:Receive",
"iot:Publish"
],
"Resource": "arn:aws:iot:us-east-1:123456789:topic/messenger/*",
"Condition": {"StringNotLike": {"iot:topicfilter": [
"messenger/${cognito-identity.amazonaws.com:sub}"
]}}
}
]
}
任何幫助將不勝感激。 我已經花了整整兩天的時間來研究AWS文檔,博客文章以及其他內容。 在我看來,這似乎是AWS IoT主題的這種正常的常規用例,但是很難做到。
將cognito與AWSIoT結合使用時有兩種情況:
注意:如果您未指定任何IoT策略,則一切都被視為拒絕,如果您使用的是經過身份驗證的池認知身份,則似乎是這種情況。
有關詳細信息,請訪問: https ://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html#pub-sub-policy-cognito http://docs.aws.amazon。 com / iot / latest / developerguide / authorization.html
您可能會對https://stackoverflow.com/a/47838529/962545感興趣的另一個類似線程
Cognito + IoT 集成 - 如何限制客戶端,使其只能訂閱名稱為 Cognito 用戶 ID 的 MQTT 主題?
[英]Cognito + IoT Integration - How to restrict a client so that it can subscribe to MQTT topic with name as Cognito user id only?
如何僅允許AWS IoT訂閱Cognito用戶ID(sub)下的主題?
[英]How to only allow AWS IoT subscriptions to topics under Cognito user id (sub)?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.