启动、更新 AWS IOT 作业的权限

Question

我的 AWSIotTopic class 中有 onMessage 函数，它会在创建 AWS IoT 作业时启动 AWS 作业（收听主题 $aws/things/%s/jobs/notify-next）。我无法从本地 java 应用程序更改工作状态。当我使用所有权限将策略附加到我的注册证书时，即：

"Action": "*",
"Resource": "*"

我的应用程序有效，我可以更改工作状态。我必须添加哪些权限才能更改作业状态？

"Effect": "Allow",
  "Action": [
    "iot:UpdateJobExecution",
    "iot:StartNextPendingJobExecution"
    ],
  "Resource": "arn:aws:iot:eu-west-2:125960935295:thing/thingID"
}

以上权限不允许启动和更新作业

Answer 1

我解决了。除了iot:Subscribe之外，有必要在主题notify-next中添加iot:Receive。在设备上执行作业的所有权限：

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:<region>:<awsID>:topicfilter/$aws/things/<deviceID>/jobs/notify-next"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:<region>:<awsID>:topic/$aws/things/<deviceID>/jobs/notify-next"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:<region>:<awsID>:topic/some"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:<region>:<awsID>:client/<deviceID>"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:UpdateJobExecution",
        "iot:StartNextPendingJobExecution"
        ],
      "Resource": "arn:aws:iot:<region>:<awsID>:thing/<deviceID>"
    }
  ]
}

启动、更新 AWS IOT 作业的权限

Permissions to start, update AWS IOT job

java

amazon-web-services

aws-sdk

aws-iot