AWS IoT policy document

I have an application where every client has its own thing. I create a certificate for each thing and attach it to that thing, and I also attach the following policy to the certificate.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": ["arn:aws:iot:us-east-1:*********:topic/${iot:Connection.Thing.ThingName}"]
    }
  ]
}

What I want is to stop a client from accessing other clients' things, while each client has full access to its own thing's topic.

The policy above doesn't work; the client can't connect at all. The following one, however, does work (functionally), but the client is able to publish to all topics.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*"
    }
  ]
}

And the following connects successfully but fails to publish:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": [
        "arn:aws:iot:us-east-1:******:topic/${iot:Connection.Thing.ThingName}"
      ]
    }
  ]
}

Finally, the following connects and publishes successfully:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": [
        "arn:aws:iot:us-east-1:******:topic/*"
      ]
    }
  ]
}

MQTTBox client configuration:

Publisher:

What am I doing wrong?

The policy needs an explicit iot:Connect statement to allow connecting to the client resource.

The relevant client resource is documented at https://docs.aws.amazon.com/iot/latest/developerguide/action-resources.html as

A client ID ARN - arn:aws:iot:us-east1:123456789012:client/myClientId

For things registered in the AWS IoT registry, you can use:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": ["arn:aws:iot:us-east-1:*********:client/${iot:Connection.Thing.ThingName}"]
    },
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": ["arn:aws:iot:us-east-1:*********:topic/${iot:Connection.Thing.ThingName}"]
    }
  ]
}

For example, this would allow a thing with client ID ThingId123 to publish to a topic named ThingId123.

See also https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html for an example that seems to match your needs very closely.

After struggling with fine-grained policies myself, the accepted answer should be that you just forgot the /* at the end of the topic, since AWS uses more nesting for topic resources:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/*"
            ]
        }
    ]
}

You can read about it here:

Also, instead of

"Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/*"

you can use

 "Resource": [ "arn:aws:iot:us-east-1:123456789012:*/${iot:Connection.Thing.ThingName}/*"

which helps with your subscriptions as well.
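The two answers above turn on three details of AWS IoT policy evaluation: iot:Connect is checked against a client/ ARN, not a topic/ ARN; `${iot:Connection.Thing.ThingName}` is filled in from the MQTT client ID; and `topic/Name` does not cover `topic/Name/anything`, which is what the trailing `/*` fixes. The following is an added example, not code from either answer or from AWS: a small offline simulator of those rules that runs the question's first policy and both answers' policies through the same checks. The account ID, the thing names ThingId123 / ThingId456, and the `/status` sub-topic are assumed placeholders; Deny statements and condition keys other than the documented `iot:Connection.Thing.IsAttached` are not modelled.

```python
"""Offline simulator for the AWS IoT Core policy behaviour in the answers above.

Added example; not code from the original post or from AWS. It models only what
the discussion relies on: expansion of ${iot:Connection.Thing.ThingName} to the
MQTT client ID, IAM-style '*' / '?' wildcards in Action and Resource, Allow-only
statements, and the Bool condition key iot:Connection.Thing.IsAttached.
"""
import re

REGION = "us-east-1"
ACCOUNT = "123456789012"  # assumed placeholder account ID
THING_VAR = "${iot:Connection.Thing.ThingName}"
IS_ATTACHED = "iot:Connection.Thing.IsAttached"


def arn(kind, name):
    """Build an IoT ARN, e.g. arn:aws:iot:us-east-1:123456789012:client/ThingId123."""
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{kind}/{name}"


def _wild_match(pattern, value):
    """IAM-style glob: '*' matches any run (including '/'), '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.S) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, action, resource, client_id, attached_things=frozenset()):
    """True if some Allow statement covers (action, resource) for this connection.

    AWS sets ${iot:Connection.Thing.ThingName} to the MQTT client ID, so the
    variable is expanded with client_id. attached_things are the thing names the
    presented certificate is attached to; they decide IsAttached.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive; resource ARNs are not.
        if not any(_wild_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {}).get(IS_ATTACHED)
        if cond is not None:
            attached = str(client_id in attached_things).lower()  # "true" / "false"
            if attached not in [v.lower() for v in _as_list(cond)]:
                continue
        for res in _as_list(stmt["Resource"]):
            if _wild_match(res.replace(THING_VAR, client_id), resource):
                return True
    return False


def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


# The asker's first attempt: topic resource only, nothing grants iot:Connect on client/.
QUESTION_POLICY = _policy(
    {"Effect": "Allow", "Action": "iot:*", "Resource": [arn("topic", THING_VAR)]},
)

# First answer: Connect on the client ARN, everything on the exact topic name.
ANSWER1_POLICY = _policy(
    {"Effect": "Allow", "Action": "iot:Connect", "Resource": [arn("client", THING_VAR)]},
    {"Effect": "Allow", "Action": "iot:*", "Resource": [arn("topic", THING_VAR)]},
)

# Second answer: trailing /* so nested topics under the thing name are covered.
ANSWER2_POLICY = _policy(
    {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": [arn("client", THING_VAR)]},
    {"Effect": "Allow", "Action": ["iot:Publish"], "Resource": [arn("topic", THING_VAR) + "/*"]},
)

# Second answer plus the IsAttached condition, so the client ID must name a thing
# the presented certificate is actually attached to; both the bare topic and its
# sub-topics are listed.
HARDENED_POLICY = _policy(
    {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": [arn("client", THING_VAR)],
     "Condition": {"Bool": {IS_ATTACHED: ["true"]}}},
    {"Effect": "Allow", "Action": ["iot:Publish"],
     "Resource": [arn("topic", THING_VAR), arn("topic", THING_VAR) + "/*"]},
)


def evaluate(policy, thing="ThingId123", other="ThingId456"):
    """Outcomes for a certificate attached to `thing`, connecting as itself or as `other`."""
    mine = frozenset([thing])
    return {
        "connect_own_id": is_allowed(policy, "iot:Connect", arn("client", thing), thing, mine),
        "connect_as_other": is_allowed(policy, "iot:Connect", arn("client", other), other, mine),
        "publish_own_topic": is_allowed(policy, "iot:Publish", arn("topic", thing), thing, mine),
        "publish_own_subtopic": is_allowed(policy, "iot:Publish", arn("topic", f"{thing}/status"), thing, mine),
        "publish_other_topic": is_allowed(policy, "iot:Publish", arn("topic", other), thing, mine),
    }


if __name__ == "__main__":
    for name, pol in [("question", QUESTION_POLICY), ("answer1", ANSWER1_POLICY),
                      ("answer2", ANSWER2_POLICY), ("hardened", HARDENED_POLICY)]:
        print(f"{name:9s}", evaluate(pol))
```

Running it reproduces the thread: the question's policy fails `connect_own_id`, the first answer's policy connects and publishes to `topic/ThingId123` but not to `topic/ThingId123/status`, and the second answer's `/*` fixes the sub-topic while no longer matching the bare `topic/ThingId123`. The `connect_as_other` row is the caveat neither answer mentions: because the variable comes from the client ID, a certificate attached to ThingId123 can connect as client ID ThingId456 under both answers' policies; the `iot:Connection.Thing.IsAttached` condition on the Connect statement is what ties the client ID back to the certificate. Subscribe uses `topicfilter/` rather than `topic/` ARNs, which is why the last answer's `*/${iot:Connection.Thing.ThingName}/*` pattern covers subscriptions too.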