IoT policy with multiple clients, same certificate, different client ID, immediate disconnection

1

I have a device where I have multiple clients connecting to IoT using the same credentials. Each client is using a different client ID.

In the certificate policy, I have under

    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [ "arn:aws:iot:ap-pt:xxxxx:topic/abc/${iot:Connection.Thing.ThingName}/*" ]
    }

If I try to publish, for example, to a topic on one of the clients, let's say abc/MY_THING_NAME/hello, IoT will immediately disconnect the client.

If I have the policy

    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [ "arn:aws:iot:ap-pt:xxxxx:topic/abc/MY_THING_NAME/*" ]
    }

Then I can happily publish to abc/MY_THING_NAME/hello: the message is accepted by the broker, and there is no client disconnect.

I don't understand why I have to put the specific thing name in the policy rule, and why "${iot:Connection.Thing.ThingName}" does not allow this through. Am I missing something here? I understand that the client disconnection behavior occurs when the client breaks the policy; however, I didn't think that was expected here.

majh
asked a year ago, 350 views
1 answer
0

Hi Majh,

you are correct that the disconnect happens when the client breaks the policy. In this specific case, all clients using a clientId different from the Thing Name will break the first policy when trying to publish to abc/MY_THING_NAME/hello. This is because ${iot:Connection.Thing.ThingName} only resolves to the Thing Name when the clientId is the same as the Thing Name.

Assuming you really need to have multiple connections using the same certificate (which should only be the case when all connections are established from the same device), then you can use a certificate policy variable instead.

If you are using AWS IoT Certificates you can use a CSR to populate Subject variables when creating the certificate with CreateCertificateFromCsr.

Your policy would then be:

    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [ "arn:aws:iot:ap-pt:xxxxx:topic/abc/${iot:Certificate.Subject.CommonName}/*" ]
    }

Cheers,

Massimiliano

AWS
EXPERT
answered a year ago
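To make the difference between the two policy variables concrete, here is an added example (not code from the question or the answer above) that models the resolution rule the answer describes: the Thing-name variable resolves only when the clientId equals the attached Thing's name, whereas the certificate CN is fixed per certificate. It is a constructed illustration, not AWS's policy engine; the region `ap-pt`, account `xxxxx` and the second clientId `MY_THING_NAME-sensor` are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed model of the rule stated in the answer (not AWS's policy engine):
# ${iot:Connection.Thing.ThingName} resolves only when the MQTT clientId equals the
# name of the Thing attached to the certificate; ${iot:Certificate.Subject.CommonName}
# comes from the CSR Subject and is identical for every connection using that cert.

@dataclass
class Connection:
    client_id: str             # MQTT clientId chosen by the client
    thing_name: Optional[str]  # Thing attached to the certificate, if any
    cert_cn: str               # Subject CN of the certificate (set via the CSR)

def resolve_variables(resource: str, conn: Connection) -> Optional[str]:
    """Substitute policy variables; None means a variable could not resolve."""
    thing = conn.thing_name if conn.thing_name == conn.client_id else None
    values = {"${iot:Connection.Thing.ThingName}": thing,
              "${iot:Certificate.Subject.CommonName}": conn.cert_cn}
    for var, val in values.items():
        if var in resource:
            if val is None:
                return None  # unresolved variable: this Resource can never match
            resource = resource.replace(var, val)
    return resource

def arn_matches(pattern: str, arn: str) -> bool:
    """Treat '*' in the Resource as a wildcard and match the whole ARN."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, arn) is not None

def publish_allowed(stmt: dict, conn: Connection, topic: str,
                    region: str = "ap-pt", account: str = "xxxxx") -> bool:
    """True if the Allow statement covers iot:Publish on the topic; False means
    the publish violates the policy, which is when AWS IoT drops the client."""
    if stmt["Effect"] != "Allow" or "iot:Publish" not in stmt["Action"]:
        return False
    topic_arn = f"arn:aws:iot:{region}:{account}:topic/{topic}"
    for res in stmt["Resource"]:
        resolved = resolve_variables(res, conn)
        if resolved is not None and arn_matches(resolved, topic_arn):
            return True
    return False

def statement(variable: str) -> dict:
    return {"Effect": "Allow", "Action": ["iot:Publish"],
            "Resource": [f"arn:aws:iot:ap-pt:xxxxx:topic/abc/{variable}/*"]}

THING_POLICY = statement("${iot:Connection.Thing.ThingName}")   # first policy in the question
CN_POLICY = statement("${iot:Certificate.Subject.CommonName}")  # policy from the answer
# Two clients on one device sharing a certificate whose CSR Subject CN is the Thing name.
PRIMARY = Connection("MY_THING_NAME", "MY_THING_NAME", "MY_THING_NAME")
SECOND = Connection("MY_THING_NAME-sensor", "MY_THING_NAME", "MY_THING_NAME")
```

Under `THING_POLICY` only `PRIMARY` may publish to `abc/MY_THING_NAME/hello` (the variable never resolves for `SECOND`), while under `CN_POLICY` both clients may, and neither may publish under another Thing's prefix.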
