Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

How to concatenate thing name with string in mqtt policy?

0

Hi guys,
I am asking help to configure a particular case in mqtt policy that seems not to work.
In my scenario I have a thing in IoT Core with a generic name (let's say TesThing ) and I want this thing to be able to connect to IoT Core with two possible client ids: the thing name as it is ( TesThing ) or the thing name plus the string "Shell" (that is TesThingShell ). I wrote this policy to achieve this behaviour:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:**-**-*:123***789:client/${iot:Connection.Thing.ThingName}",
        "arn:aws:iot:**-**-*:123***789:client/${iot:Connection.Thing.ThingName}Shell"
      ]
    }
  ]
}

However it does not behave as expected. The device connects normally with id "TesThing" but does not connect with id "TesThingShell", unless I explicitly hardcode "TesThingShell" in the policy. This made me think that it is not actually possible to concatenate ${iot:Connection.Thing.ThingName} with a generic string in the policy document. Do you know any way to do this?

Themen
Internet der Dinge (IoT)
Tags
AWS IoT Core
Sprache
English
FiorixF1
gefragt vor 4 Jahren339 Aufrufe
2 Antworten
0

Thanks for using AWS IoT. As our docs(https://docs.aws.amazon.com/iot/latest/developerguide/thing-policy-variables.html) say, to use thing-policy variables these two things must be true.

  1. ClientId must match with ThingName.
  2. Certificate must be associated with the Thing (specified in the clientId).

A certificate can be associated with more than one thing so we depend on device giving the exact thing name while connecting to IoT core in clientId field. This is needed even if certificate is attached to a single thing because if the certificate is attached to another thing in its lifetime (maybe accidentally), we don't want existing devices to break as policy variables cannot be resolved if we cannot identify the thing uniquely.

We have a feature request in our backlog to support multiple client ids. We cannot give exact dates but we are working hard to get the features out based on the priorities.

AWS
AWS-User-3247576
beantwortet vor 4 Jahren
0

Thank you for the answer.

I managed to obtain the same behaviour I had in mind using thing attributes instead of different client ids, cited in the link you provided.

FiorixF1
beantwortet vor 4 Jahren

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt