Yahya Hussein

Reputation: 9111

AWS IOT policy document

I have an application where each client has its own thing. For each thing I am creating a certificate and attaching it to the thing, and I am also attaching the following policy to the certificate.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": ["arn:aws:iot:us-east-1:*********:topic/${iot:Connection.Thing.ThingName}"]
    }
  ]
}

What I want to do is limit a client from accessing other clients' things, and each client can have full access to its thing topic.

The above policy isn't working: clients aren't able to connect at all. However, the following is working (in terms of functionality), but clients are able to publish to all topics.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*"
    }
  ]
}

Also the following connects successfully but fails to publish:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": [
        "arn:aws:iot:us-east-1:******:topic/${iot:Connection.Thing.ThingName}"
      ]
    }
  ]
}

Finally the following connects and publishes successfully.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": [
        "arn:aws:iot:us-east-1:******:topic/*"
      ]
    }
  ]
}

MQTTBox client configs: [screenshot]

Publisher: [screenshot]

What am I doing wrong?

Upvotes: 2

Views: 562

Answers (2)

Ron87k

Reputation: 169

After struggling with fine-grained policies myself, the accepted answer should be that you just forgot the /* at the end of the topic, since AWS uses more nesting in the topic resource:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/*"
            ]
        }
    ]
}

You can read about it here:

Also, instead of

"Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/*"

you can use

 "Resource": [ "arn:aws:iot:us-east-1:123456789012:*/${iot:Connection.Thing.ThingName}/*"

This will also help you with subscribing.

Upvotes: 0

Ben T

Reputation: 4946

The policy needs an explicit iot:Connect statement to allow connections to a client resource.

The relevant client resource is documented at https://docs.aws.amazon.com/iot/latest/developerguide/action-resources.html as

A client ID ARN - arn:aws:iot:us-east1:123456789012:client/myClientId

For a thing that is registered in the AWS IoT registry, you can use:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": ["arn:aws:iot:us-east-1:*********:client/${iot:Connection.Thing.ThingName}"]
    },
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": ["arn:aws:iot:us-east-1:*********:topic/${iot:Connection.Thing.ThingName}"]
    }
  ]
}

E.g., this example will allow a thing with a client ID of ThingId123 to publish to a topic named ThingId123.

See also https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html for an example that appears to closely align to your needs.

Upvotes: 1
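To make the two answers concrete, here is an added example (not code from either answer or from AWS) that simulates, in simplified form, how an AWS IoT policy is evaluated against a connecting thing. It shows that the question's first policy can never satisfy iot:Connect because it only names a topic/ resource, and that the per-thing policy Ben T describes, with Ron87k's /* suffix, lets ThingId123 reach only its own topics. The account id, the thing names and the stripped-down wildcard matcher are assumptions.

```python
import re

# Added example: a simplified simulation of AWS IoT policy evaluation (not an
# AWS library). It substitutes the thing-name variable, expands "*" / "?"
# wildcards and allows only if an Allow statement matches both the action and
# the resource ARN. The account id is a placeholder.
THING_VAR = "${iot:Connection.Thing.ThingName}"
ACCOUNT = "123456789012"

def _match(pattern: str, value: str) -> bool:
    """Policy-style wildcard match: '*' is any run of characters, '?' is one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def is_allowed(policy: dict, thing_name: str, action: str, resource: str) -> bool:
    """True if an Allow statement covers action+resource after substitution.
    Assumes the MQTT client ID equals the registered thing name, which is what
    makes ${iot:Connection.Thing.ThingName} resolve in the first place."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if stmt.get("Effect") == "Allow" and any(_match(a, action) for a in actions) \
           and any(_match(r.replace(THING_VAR, thing_name), resource) for r in resources):
            return True
    return False

def arn(kind: str, name: str) -> str:
    return f"arn:aws:iot:us-east-1:{ACCOUNT}:{kind}/{name}"

# The question's first policy: only a topic/ resource, so Connect (evaluated
# against the client/ ARN) never matches and the client cannot connect.
TOPIC_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:*", "Resource": [arn("topic", THING_VAR)]}]}

# Ben T's shape, plus Ron87k's "/*" suffix so the thing's sub-topics are covered.
PER_THING = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect", "Resource": [arn("client", THING_VAR)]},
    {"Effect": "Allow", "Action": "iot:Publish",
     "Resource": [arn("topic", THING_VAR), arn("topic", f"{THING_VAR}/*")]}]}

def check(policy: dict, me: str = "ThingId123", other: str = "ThingId456") -> dict:
    """Can thing `me` connect, publish to its own topic and sub-topic, and reach `other`'s?"""
    return {
        "connect": is_allowed(policy, me, "iot:Connect", arn("client", me)),
        "own_topic": is_allowed(policy, me, "iot:Publish", arn("topic", me)),
        "own_subtopic": is_allowed(policy, me, "iot:Publish", arn("topic", f"{me}/status")),
        "other_topic": is_allowed(policy, me, "iot:Publish", arn("topic", other)),
    }
```

`check(TOPIC_ONLY)["connect"]` is False, which is the symptom in the question, while `check(PER_THING)` allows only the thing's own topic and sub-topics.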
