En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

How to concatenate thing name with string in mqtt policy?

0

Hi guys,
I am asking help to configure a particular case in mqtt policy that seems not to work.
In my scenario I have a thing in IoT Core with a generic name (let's say TesThing ) and I want this thing to be able to connect to IoT Core with two possible client ids: the thing name as it is ( TesThing ) or the thing name plus the string "Shell" (that is TesThingShell ). I wrote this policy to achieve this behaviour:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:**-**-*:123***789:client/${iot:Connection.Thing.ThingName}",
        "arn:aws:iot:**-**-*:123***789:client/${iot:Connection.Thing.ThingName}Shell"
      ]
    }
  ]
}

However it does not behave as expected. The device connects normally with id "TesThing" but does not connect with id "TesThingShell", unless I explicitly hardcode "TesThingShell" in the policy. This made me think that it is not actually possible to concatenate ${iot:Connection.Thing.ThingName} with a generic string in the policy document. Do you know any way to do this?

Sujets
Internet des objets (IoT)
Balises
AWS IoT Core
Langue
English
FiorixF1
demandé il y a 4 ans336 vues
2 réponses
0

Thanks for using AWS IoT. As our docs(https://docs.aws.amazon.com/iot/latest/developerguide/thing-policy-variables.html) say, to use thing-policy variables these two things must be true.

  1. ClientId must match with ThingName.
  2. Certificate must be associated with the Thing (specified in the clientId).

A certificate can be associated with more than one thing so we depend on device giving the exact thing name while connecting to IoT core in clientId field. This is needed even if certificate is attached to a single thing because if the certificate is attached to another thing in its lifetime (maybe accidentally), we don't want existing devices to break as policy variables cannot be resolved if we cannot identify the thing uniquely.

We have a feature request in our backlog to support multiple client ids. We cannot give exact dates but we are working hard to get the features out based on the priorities.

AWS
AWS-User-3247576
répondu il y a 4 ans
0

Thank you for the answer.

I managed to obtain the same behaviour I had in mind using thing attributes instead of different client ids, cited in the link you provided.

FiorixF1
répondu il y a 4 ans

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents