Reputation: 805
How can I allow all jobs, not a specific job name, for "iot:Publish" from my device?
I have no idea how to allow the wildcard + or * in the jobs update topic for "iot:Publish".
But I can use it for "iot:Subscribe" and "iot:Receive".
AWS IoT Policy:
for "iot:Publish"
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Publish",
            "Resource": [
                "arn:aws:iot:xxx:xxx:topic/$aws/things/${iot:ClientId}/jobs/start-next",
                "arn:aws:iot:xxx:xxx:topic/$aws/things/${iot:ClientId}/jobs/ota-20190401/update", <- (A) allows publishing
                "arn:aws:iot:xxx:xxx:topic/$aws/things/${iot:ClientId}/jobs/+/update" <- (B) does not allow publishing
            ]
        }
    ]
}
for "iot:Subscribe"
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": [
                "arn:aws:iot:xxx:xxx:topicfilter/$aws/things/${iot:ClientId}/jobs/notify-next",
                "arn:aws:iot:xxx:xxx:topicfilter/$aws/things/${iot:ClientId}/jobs/start-next/accepted",
                "arn:aws:iot:xxx:xxx:topicfilter/$aws/things/${iot:ClientId}/jobs/start-next/rejected",
                "arn:aws:iot:xxx:xxx:topicfilter/$aws/things/${iot:ClientId}/jobs/+/update/accepted", <- allows subscribing
                "arn:aws:iot:xxx:xxx:topicfilter/$aws/things/${iot:ClientId}/jobs/+/update/rejected" <- allows subscribing
            ]
        }
    ]
}
I get AWSIoTPythonSDK.exception.AWSIoTExceptions.publishTimeoutException on my device in the case of policy (B).
Upvotes: 0
Views: 1004
Reputation: 1765
According to https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html, a '+' or '#' is treated as a literal character. You can use '*' as a wildcard, but be aware that '*' will match any characters in the topic (letters, numbers, slashes, etc.).
Upvotes: 1
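To make the difference between the two wildcard systems concrete, here is an added example (not from the question or answer, and not AWS code) that models the policy matching the answer describes next to ordinary MQTT subscription matching. It assumes the "xxx:xxx" region/account placeholders from the question, a constructed client id "thing-01", and a simplified evaluator (no condition keys, only the ${iot:ClientId} variable, explicit Deny wins).

```python
import re

# Assumptions: region/account placeholders "xxx:xxx" as in the question; the
# client id "thing-01" used below is a constructed sample value.
ARN_PREFIX = "arn:aws:iot:xxx:xxx:topic/"

def policy_resource_matches(resource: str, topic_arn: str, client_id: str) -> bool:
    """IoT policy matching: '*' matches any run of characters (slashes included);
    '+' and '#' are plain literal characters; ${iot:ClientId} is substituted."""
    resource = resource.replace("${iot:ClientId}", client_id)
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in resource)
    return re.fullmatch(regex, topic_arn) is not None

def publish_allowed(policy: dict, topic: str, client_id: str) -> bool:
    """Decide iot:Publish for one topic; an explicit Deny overrides any Allow."""
    topic_arn = ARN_PREFIX + topic
    allowed = False
    for stmt in policy["Statement"]:
        actions, resources = stmt["Action"], stmt["Resource"]
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "iot:Publish" not in actions and "iot:*" not in actions:
            continue
        if any(policy_resource_matches(r, topic_arn, client_id) for r in resources):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def mqtt_filter_matches(topic_filter: str, topic: str) -> bool:
    """MQTT subscription matching, for contrast: '+' is exactly one level, '#' the rest."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return True
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)

# Constructed policies: the question's '+' form (B) and the '*' rewrite the answer suggests.
PLUS_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "iot:Publish",
    "Resource": ["arn:aws:iot:xxx:xxx:topic/$aws/things/${iot:ClientId}/jobs/+/update"]}]}
STAR_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "iot:Publish",
    "Resource": ["arn:aws:iot:xxx:xxx:topic/$aws/things/${iot:ClientId}/jobs/*/update"]}]}
```

The last assertion-worthy case is the one to keep in mind when tightening a policy: `jobs/*/update` also covers `jobs/a/b/update`, because '*' crosses topic levels while MQTT's '+' does not.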