堆棧內存溢出
  簡體   English   中英

影子和工作的 AWS IoT 政策

[英]AWS IoT Policy for Shadows and Jobs

 原文  2022-11-18 05:58:02       amazon-web-services/ amazon-iam/ iot

問題描述

我正在嘗試創建一個策略,允許我的東西讀取和更新影子,接受和運行作業,通常 function 允許在它們的命名空間中。 我已經經歷了無數次這樣的迭代,如果我將策略鎖定為“*”以外的任何內容,我將無法再在控制台中手動更新影子,也無法讓我的設備接受 MQTT 上的更改。 我的政策如下:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-east-1:ACCOUNT:client/${iot:Connection.Thing.ThingName}"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": [
        "arn:aws:iot:us-east-1:ACCOUNT:topic/$aws/events/job/*",
        "arn:aws:iot:us-east-1:ACCOUNT:topic/$aws/events/jobExecution/*",
        "arn:aws:iot:us-east-1:ACCOUNT:topic/$aws/things/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:us-east-1:ACCOUNT:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": [
        "arn:aws:iot:us-east-1:ACCOUNT:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:us-east-1:ACCOUNT:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*",
        "arn:aws:iot:us-east-1:ACCOUNT:topic/$aws/events/jobExecution/*",
        "arn:aws:iot:us-east-1:ACCOUNT:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": [
        "arn:aws:iot:us-east-1:ACCOUNT:topic/$aws/things/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:DescribeJobExecution",
        "iot:GetPendingJobExecutions",
        "iot:StartNextPendingJobExecution",
        "iot:UpdateJobExecution"
      ],
      "Resource": "arn:aws:iot:us-east-1:ACCOUNT:topic/$aws/things/${iot:Connection.Thing.ThingName}"
    }
  ]
}

我意識到這里有些冗余,但我還是沒有成功。 我也嘗試過${iot:Connection.Thing.ThingName}硬編碼為事物名稱,但也沒有成功。 任何幫助將不勝感激,謝謝。

1 個解決方案

解決方案1
 0  2022-11-18 09:33:59

這對我有用。 確保沒有附加到您的證書的其他策略會覆蓋某些權限。

 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-east-1:ACCOUNT:client/${iot:Connection.Thing.ThingName}"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": [
        "arn:aws:iot:us-east-1:ACCOUNT:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update",
        "arn:aws:iot:us-east-1:ACCOUNT:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/delete",
        "arn:aws:iot:us-east-1:ACCOUNT:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/get",
        "arn:aws:iot:us-east-1:ACCOUNT:topic/$aws/events/job/*",
        "arn:aws:iot:us-east-1:ACCOUNT:topic/$aws/events/jobExecution/*",
        "arn:aws:iot:us-east-1:ACCOUNT:topic/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": [
          "arn:aws:iot:us-east-1:ACCOUNT:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update/accepted",
          "arn:aws:iot:us-east-1:ACCOUNT:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update/rejected",
          "arn:aws:iot:us-east-1:ACCOUNT:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update/delta",
          "arn:aws:iot:us-east-1:ACCOUNT:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/delete/accepted",
          "arn:aws:iot:us-east-1:ACCOUNT:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/delete/rejected",
          "arn:aws:iot:us-east-1:ACCOUNT:topicfilter/$aws/events/jobExecution/*",
          "arn:aws:iot:us-east-1:ACCOUNT:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": [
          "arn:aws:iot:us-east-1:ACCOUNT:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update/accepted",
          "arn:aws:iot:us-east-1:ACCOUNT:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update/rejected",
          "arn:aws:iot:us-east-1:ACCOUNT:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update/delta",
          "arn:aws:iot:us-east-1:ACCOUNT:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/delete/accepted",
          "arn:aws:iot:us-east-1:ACCOUNT:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/delete/rejected",
          "arn:aws:iot:us-east-1:ACCOUNT:topic/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:DescribeJobExecution",
        "iot:GetPendingJobExecutions",
        "iot:StartNextPendingJobExecution",
        "iot:UpdateJobExecution"
      ],
      "Resource": "arn:aws:iot:us-east-1:ACCOUNT:topic/$aws/things/${iot:Connection.Thing.ThingName}"
    }
  ]
}

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 西門子徽標陰影和 AWS IoT Timestream 問題 AWS 物聯網政策過於寬松 使用策略將 AWS IOT 設備限制為自身 AWS IoT shadowGet 超時 AWS IoT SQL 規則 多個 AWS 物聯網設備 AWS IoT 設備載入 AWS 時間流數據庫 - AWS IOT AWS 托管政策與政策 Zephyr AWS IOT 示例應用程序
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM