Cognito policy for accessing IoT things

0

Here's what happens in my application...

  • I have a Node JS web application that displays an HTML page with live device information on it.
  • A user logs in using Open ID Connect (using Cognito).
  • I use the user's identity token to get their identity that has an IoT policy attached to it.

All of this works so far up until I start using a Condition in the IoT policy associated with the user.

I want a user to only access a 'Thing' if the user's organization and the Thing's organization match. I create a unique IoT policy for each user and attach it to the user's Cognito identity.

Here's my security policy. Again, this is the policy that's attached to the user's identity. I should point out that if I remove the 'Condition' everything works...

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iot:Connect"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iot:us-east-1:1234567890:client/*"
    },
    {
      "Action": [
        "iot:Publish",
        "iot:Receive"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iot:us-east-1:1234567890:topic/*",
      "Condition": {
        "StringEquals": {
          "iot:Connection.Thing.Attributes[org]": "acme"
        }
      }
    },
    {
      "Action": [
        "iot:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iot:us-east-1:1234567890:topicfilter/device/*"
    }
  ]
}

What am I doing wrong? Why is this not working? The Thing definitely has an 'org' attribute on it. Please don't tell me the condition is being somehow applied to the user rather than the thing the user is trying to connect to :(.

Edited by: gemehendrix on Jan 9, 2019 7:26 AM

Asked 5 years ago, 428 views
1 answer
0

OK, I've found the AttachThingPrincipal API where I can attach a Cognito identity to a Thing. The Thing's name will then be used accordingly.

In order to achieve what I need organization-wise, I'll probably just need to rework the format of the topics.

Any further suggestions are welcome.

Answered 5 years ago
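As an added illustration (not code from the question or the answer above), the following Node.js snippet builds the per-organization policy from the question and models why the `iot:Connection.Thing.Attributes[org]` condition never matched: the `iot:Connection.Thing.*` keys resolve only when a thing is attached to the connecting principal (which is what AttachThingPrincipal does) and the MQTT client ID equals the thing name; otherwise the key is simply absent and `StringEquals` fails. The account ID, identity ID and thing name are constructed placeholders, and `resolveThingContext`/`isAllowed` are a deliberately simplified local model of the evaluation (resource ARN matching is omitted), not the AWS IoT policy engine.

```javascript
// Added example, not from the thread. Placeholders: ACCOUNT_ID, the identity ID
// and the thing name are constructed; the evaluation below is a simplified model.
const ACCOUNT_ID = "123456789012"; // placeholder, not a real account
const REGION = "us-east-1";
const IDENTITY = "us-east-1:00000000-0000-0000-0000-000000000001"; // placeholder Cognito identity ID

// The policy from the question, parameterised by organization.
function buildOrgPolicy(org) {
  const base = `arn:aws:iot:${REGION}:${ACCOUNT_ID}`;
  return {
    Version: "2012-10-17",
    Statement: [
      { Action: ["iot:Connect"], Effect: "Allow", Resource: `${base}:client/*` },
      {
        Action: ["iot:Publish", "iot:Receive"],
        Effect: "Allow",
        Resource: `${base}:topic/*`,
        Condition: { StringEquals: { "iot:Connection.Thing.Attributes[org]": org } },
      },
      { Action: ["iot:Subscribe"], Effect: "Allow", Resource: `${base}:topicfilter/device/*` },
    ],
  };
}

// Resolve the iot:Connection.Thing.* context for one MQTT connection.
// Model: the thing variables resolve only if the registry has a thing whose name
// equals the client ID and that thing has the connecting principal attached.
// Otherwise no thing keys are present in the context at all.
function resolveThingContext(connection, registry) {
  const thing = registry[connection.clientId];
  const attached = thing !== undefined && thing.principals.includes(connection.principal);
  if (!attached) return {};
  const ctx = { "iot:Connection.Thing.ThingName": thing.name };
  for (const [k, v] of Object.entries(thing.attributes)) {
    ctx[`iot:Connection.Thing.Attributes[${k}]`] = v;
  }
  return ctx;
}

// Simplified evaluation: Allow if any Allow statement lists the action and every
// StringEquals key matches the context. A key missing from the context never matches.
function isAllowed(policy, action, context) {
  return policy.Statement.some((st) => {
    if (st.Effect !== "Allow" || !st.Action.includes(action)) return false;
    const eq = (st.Condition && st.Condition.StringEquals) || {};
    return Object.entries(eq).every(([key, expected]) => context[key] === expected);
  });
}

// Constructed registry: one thing with org=acme, attached to the placeholder identity.
const REGISTRY = {
  "sensor-42": { name: "sensor-42", attributes: { org: "acme" }, principals: [IDENTITY] },
};

// Would this connection be allowed to iot:Publish under the acme policy?
function canPublish(connection, registry = REGISTRY) {
  const ctx = resolveThingContext(connection, registry);
  return isAllowed(buildOrgPolicy("acme"), "iot:Publish", ctx);
}

// Browser session with an arbitrary client ID and no attached thing: key absent, denied.
console.log(canPublish({ clientId: "browser-abc", principal: IDENTITY }));
// Same identity, client ID equal to the attached thing's name: key resolves to "acme", allowed.
console.log(canPublish({ clientId: "sensor-42", principal: IDENTITY }));
```

The first case is the situation in the question: the policy is attached to the identity, but nothing ties the connection to a thing, so the attribute key has no value. Attaching the identity to the thing and connecting with the thing name as the client ID is what makes the second case pass; the alternative the answer mentions, encoding the organization in the topic structure instead, avoids depending on thing variables altogether.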
