AWS IOT 策略 - 仅限于指定的 ClientID
AWS IOT Policy - limited to specified ClientID
我在下面创建了以下策略,用于限制 MQTT 客户端允许的 ClientID 连接。它应该限制为一个硬编码的 ClientID“测试”和一个作为 AWS 事物名称的 CLientID。使用 AWS Thing 的名称有效,但我的硬编码“测试”ClientId 不起作用?
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:Connect",
"Resource": "*",
"Condition": {
"Bool": {
"iot:Connection.Thing.IsAttached": [
"true"
]
},
"ForAnyValue:StringEquals": {
"iot:ClientId": [
"test",
"${iot:Connection.Thing.ThingName}"
]
}
}
},
{
"Effect": "Allow",
"Action": "iot:Publish",
"Resource": "arn:aws:iot:us-east-1:xxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/*"
},
{
"Effect": "Allow",
"Action": "iot:Subscribe",
"Resource": "arn:aws:iot:us-east-1:xxx:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/*"
},
{
"Effect": "Allow",
"Action": "iot:Receive",
"Resource": "arn:aws:iot:us-east-1:xxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/*"
}
]
}
由于您设置了 "iot:Connection.Thing.IsAttached": ["true"],我认为名称为 test 的事物需要在事物注册表中注册并附加主体。
我在下面创建了以下策略,用于限制 MQTT 客户端允许的 ClientID 连接。它应该限制为一个硬编码的 ClientID“测试”和一个作为 AWS 事物名称的 CLientID。使用 AWS Thing 的名称有效,但我的硬编码“测试”ClientId 不起作用?
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:Connect",
"Resource": "*",
"Condition": {
"Bool": {
"iot:Connection.Thing.IsAttached": [
"true"
]
},
"ForAnyValue:StringEquals": {
"iot:ClientId": [
"test",
"${iot:Connection.Thing.ThingName}"
]
}
}
},
{
"Effect": "Allow",
"Action": "iot:Publish",
"Resource": "arn:aws:iot:us-east-1:xxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/*"
},
{
"Effect": "Allow",
"Action": "iot:Subscribe",
"Resource": "arn:aws:iot:us-east-1:xxx:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/*"
},
{
"Effect": "Allow",
"Action": "iot:Receive",
"Resource": "arn:aws:iot:us-east-1:xxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/*"
}
]
}
由于您设置了 "iot:Connection.Thing.IsAttached": ["true"],我认为名称为 test 的事物需要在事物注册表中注册并附加主体。