AWS IoT:策略中的资源导致 AWS IoT PublishIn 状态:AUTHORIZATION_ERROR
AWS IoT: Resource in policy cause AWS IoT PublishIn Status: AUTHORIZATION_ERROR
我正在使用 AWSIoTPythonSDK 从温度传感器向 AWS IoT Core 发布消息。当我在证书策略中将主题明确指定为资源时,我在 Cloudwatch
中得到 AUTHORIZATION_ERROR
注意:为安全起见更改了 PrincipleID(证书名称)
2020-02-22T20:03:48.371-07:00
2020-02-23 03:03:48.371 TRACEID:2a0de6c8-dd28-586e-671f-119de983b5d5 PRINCIPALID:9ec115f5665XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0d7d6b7 /ERROR/ EVENT:PublishEvent TOPICNAME:topic/tSensor01/tempmon MESSAGE:PublishIn Status: AUTHORIZATION_ERROR Failure reason:AUTHORIZATION_FAILURE
@ingestionTime
1582427034767
@log
549210374177:AWSIotLogs
@logStream
a2d5c94d-f908-4e76-bd9e-3627976e8b72_549210374177_0
@message
2020-02-23 03:03:48.371 TRACEID:2a0de6c8-dd28-586e-671f-119de983b5d5 PRINCIPALID:9ec115f5665XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0d7d6b7 /ERROR/ EVENT:PublishEvent TOPICNAME:topic/tSensor01/tempmon MESSAGE:PublishIn Status: AUTHORIZATION_ERROR Failure reason:AUTHORIZATION_FAILURE
这是我的证书策略(仅显示 iot:Publish)导致 AUTHORIZATION_ERROR
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Publish",
"iot:Receive"
],
"Resource": [
"arn:aws:iot:<region>:<account id>:topic/${iot:Connection.Thing.ThingName}/*",
"arn:aws:iot:<region>:<account id>:topic/${iot:ClientId}/*",
"arn:aws:iot:<region>:<account id>:topic/tSensor01/*",
"arn:aws:iot:<region>:<account id>:topic/tSensor01/tempmon"
]
},
然而,为了隔离问题,我使用了蛮力方法(不可接受),方法是将以下行 arn:aws:iot:::* 添加到策略中,并且来自设备的消息正在发布。
{
"Effect": "Allow",
"Action": [
"iot:Publish",
"iot:Receive"
],
"Resource": [
"arn:aws:iot:<region>:<account id>:topic/${iot:Connection.Thing.ThingName}/*",
"arn:aws:iot:<region>:<account id>:topic/${iot:ClientId}/*",
"arn:aws:iot:<region>:<account id>:topic/tSensor01/*",
"arn:aws:iot:<region>:<account id>:topic/tSensor01/tempmon",
"arn:aws:iot:<region>:<account id>:*"
]
},
这样的暴力手段是不能接受的,我想知道根本原因。
设备连接正常。因此可以安全地假设我的凭据信息不是问题
以下显示 Cloudwatch 日志中的连接跟踪
2020-02-22T20:03:48.314-07:00
2020-02-23 03:03:48.314 TRACEID:f801f2bb-147f-5c94-2e2e-7d63d7cacd26 PRINCIPALID:9ec115f5665XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0d7d6b7 /INFO/ EVENT:MQTT Client Connect MESSAGE:Connect Status: SUCCESS
@ingestionTime
1582427034767
@log
549210374177:AWSIotLogs
@logStream
a2d5c94d-f908-4e76-bd9e-3627976e8b72_549210374177_0
@message
2020-02-23 03:03:48.314 TRACEID:f801f2bb-147f-5c94-2e2e-7d63d7cacd26 PRINCIPALID:9ec115f5665XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0d7d6b7 /INFO/ EVENT:MQTT Client Connect MESSAGE:Connect Status: SUCCESS
谢谢
我能够解决问题。证书策略没有问题。问题是我传递给 AWS 设备 SDK 的参数。我正在传递 topic/tSensor01/tempmon 相反,当我将 tSensor01/tempmon 传递给 SDK 时,它解决了问题。 主题 可以被视为服务,不应传递给 SDK
我正在使用 AWSIoTPythonSDK 从温度传感器向 AWS IoT Core 发布消息。当我在证书策略中将主题明确指定为资源时,我在 Cloudwatch
中得到 AUTHORIZATION_ERROR注意:为安全起见更改了 PrincipleID(证书名称)
2020-02-22T20:03:48.371-07:00
2020-02-23 03:03:48.371 TRACEID:2a0de6c8-dd28-586e-671f-119de983b5d5 PRINCIPALID:9ec115f5665XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0d7d6b7 /ERROR/ EVENT:PublishEvent TOPICNAME:topic/tSensor01/tempmon MESSAGE:PublishIn Status: AUTHORIZATION_ERROR Failure reason:AUTHORIZATION_FAILURE
@ingestionTime
1582427034767
@log
549210374177:AWSIotLogs
@logStream
a2d5c94d-f908-4e76-bd9e-3627976e8b72_549210374177_0
@message
2020-02-23 03:03:48.371 TRACEID:2a0de6c8-dd28-586e-671f-119de983b5d5 PRINCIPALID:9ec115f5665XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0d7d6b7 /ERROR/ EVENT:PublishEvent TOPICNAME:topic/tSensor01/tempmon MESSAGE:PublishIn Status: AUTHORIZATION_ERROR Failure reason:AUTHORIZATION_FAILURE
这是我的证书策略(仅显示 iot:Publish)导致 AUTHORIZATION_ERROR
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Publish",
"iot:Receive"
],
"Resource": [
"arn:aws:iot:<region>:<account id>:topic/${iot:Connection.Thing.ThingName}/*",
"arn:aws:iot:<region>:<account id>:topic/${iot:ClientId}/*",
"arn:aws:iot:<region>:<account id>:topic/tSensor01/*",
"arn:aws:iot:<region>:<account id>:topic/tSensor01/tempmon"
]
},
然而,为了隔离问题,我使用了蛮力方法(不可接受),方法是将以下行 arn:aws:iot:::* 添加到策略中,并且来自设备的消息正在发布。
{
"Effect": "Allow",
"Action": [
"iot:Publish",
"iot:Receive"
],
"Resource": [
"arn:aws:iot:<region>:<account id>:topic/${iot:Connection.Thing.ThingName}/*",
"arn:aws:iot:<region>:<account id>:topic/${iot:ClientId}/*",
"arn:aws:iot:<region>:<account id>:topic/tSensor01/*",
"arn:aws:iot:<region>:<account id>:topic/tSensor01/tempmon",
"arn:aws:iot:<region>:<account id>:*"
]
},
这样的暴力手段是不能接受的,我想知道根本原因。
设备连接正常。因此可以安全地假设我的凭据信息不是问题
以下显示 Cloudwatch 日志中的连接跟踪
2020-02-22T20:03:48.314-07:00
2020-02-23 03:03:48.314 TRACEID:f801f2bb-147f-5c94-2e2e-7d63d7cacd26 PRINCIPALID:9ec115f5665XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0d7d6b7 /INFO/ EVENT:MQTT Client Connect MESSAGE:Connect Status: SUCCESS
@ingestionTime
1582427034767
@log
549210374177:AWSIotLogs
@logStream
a2d5c94d-f908-4e76-bd9e-3627976e8b72_549210374177_0
@message
2020-02-23 03:03:48.314 TRACEID:f801f2bb-147f-5c94-2e2e-7d63d7cacd26 PRINCIPALID:9ec115f5665XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0d7d6b7 /INFO/ EVENT:MQTT Client Connect MESSAGE:Connect Status: SUCCESS
谢谢
我能够解决问题。证书策略没有问题。问题是我传递给 AWS 设备 SDK 的参数。我正在传递 topic/tSensor01/tempmon 相反,当我将 tSensor01/tempmon 传递给 SDK 时,它解决了问题。 主题 可以被视为服务,不应传递给 SDK