Hi,
AWS IoT Policies do not support string concatenation or wildcards in the resources associated with the iot:Connect
action. Please refer to the documentation: https://docs.aws.amazon.com/greengrass/v2/developerguide/device-auth.html#iot-policies.
My recommendation is to use the Certificate policy variables instead of Thing Policy variables (see https://docs.aws.amazon.com/iot/latest/developerguide/cert-policy-variables.html for the supported variables). You can store the name of the device in the iot:Certificate.Issuer.CommonName
and write the above policy as follows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:eu-west-1:XYZ:client/${iot:Certificate.Issuer.CommonName}"
      ],
      "Effect": "Allow"
    }
  ]
}
Note that you need to use a CSR (Certificate Signing Request) to set the Common Name when getting AWS IoT managed device certificates by using the CreateCertificateFromCSR API.
Hi, I've realised I don't understand this part of your answer: "AWS IoT Policies do not support string concatenation or wildcards in the resources associated with the iot:Connect action". In the documentation you link to, it explicitly states "AWS IoT policies support * as a wildcard character", and the example below this on the same page states: "The Connect policy includes the * wildcard after the core device thing name (for example, core-device-thing-name*)." These seem to be at odds with your assertion.
Hi. You are right. Wildcards are supported. However, please see the quote here: https://docs.aws.amazon.com/iot/latest/developerguide/thing-policy-variables.html
So ${iot:Connection.Thing.ThingName}_dev produces M112235_dev_dev.
. One other catch: Greengrass makes more than one connection if you have more than 50 subscriptions, and those extra connections don't use a client ID matching the thing name. This is also stated in the link Massi shared.
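The two pitfalls raised in this thread (the certificate-variable policy from the first answer, and the "_dev" suffix doubling plus the extra Greengrass connections from the last reply) can be checked offline before a policy is deployed. The following script is an added example, not code from the thread or from AWS: it is a deliberately small simulator of how a `${iot:...}` variable in an `iot:Connect` resource resolves against the client ID a device connects with, modelling only `*` as a wildcard and explicit Deny overriding Allow. It is not AWS's policy engine. The account id "XYZ", the thing name "M112235_dev", the client ID "M112235_dev-extra1" and the dictionary of resolved variable values are all constructed for the example; which certificate field carries the device name in a real deployment depends on how the certificate is issued.

```python
import json
import re

# Added example (not from the thread): an offline simulator for how an
# AWS IoT policy variable in an iot:Connect resource resolves against the
# client ID a device actually connects with. It models only what the answers
# above discuss: "${iot:...}" substitution, "*" as the sole wildcard, and
# explicit Deny overriding Allow. It is not AWS's policy engine.

# The policy from the first answer, completed to valid JSON. "XYZ" stands in
# for an account id, as it does on the page.
CERT_CN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:eu-west-1:XYZ:client/${iot:Certificate.Issuer.CommonName}"
      ],
      "Effect": "Allow"
    }
  ]
}
""")

# A thing-policy variable with a literal "_dev" suffix, the pattern the
# last reply warns about.
THING_SUFFIX_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:eu-west-1:XYZ:client/${iot:Connection.Thing.ThingName}_dev",
      "Effect": "Allow"
    }
  ]
}
""")

VAR_RE = re.compile(r"\$\{(iot:[A-Za-z0-9_.]+)\}")


def resolve(resource, variables):
    """Substitute policy variables. Returns None if a variable has no value
    (for example a thing variable on a connection whose client ID is not a
    thing name): such a resource can never match."""
    missing = False

    def repl(match):
        nonlocal missing
        value = variables.get(match.group(1))
        if value is None:
            missing = True
            return ""
        return value

    concrete = VAR_RE.sub(repl, resource)
    return None if missing else concrete


def arn_matches(pattern, arn):
    """Match a resource ARN pattern against a concrete ARN, treating '*' as
    the only wildcard (as the IoT docs quoted in the thread state)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, arn) is not None


def connect_allowed(policy, client_arn, variables):
    """Evaluate iot:Connect for one client ARN: an explicit Deny wins, else
    any matching Allow grants the connection, else it is denied."""
    decision = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a in ("iot:Connect", "iot:*", "*") for a in actions):
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for res in resources:
            concrete = resolve(res, variables)
            if concrete is not None and arn_matches(concrete, client_arn):
                if stmt["Effect"] == "Deny":
                    return False
                decision = True
    return decision


# Constructed: the thing from the thread connecting with a client ID equal to its thing name.
CLIENT_ARN = "arn:aws:iot:eu-west-1:XYZ:client/M112235_dev"


def demo():
    """The three cases discussed in the thread; returns the decisions as a dict."""
    # 1) Device name carried in the certificate CN: the resource resolves to the client ID.
    cert_ok = connect_allowed(CERT_CN_POLICY, CLIENT_ARN,
                              {"iot:Certificate.Issuer.CommonName": "M112235_dev"})
    # 2) Thing name "M112235_dev" plus the "_dev" suffix yields ".../client/M112235_dev_dev".
    thing_vars = {"iot:Connection.Thing.ThingName": "M112235_dev"}
    doubled = resolve(THING_SUFFIX_POLICY["Statement"][0]["Resource"], thing_vars)
    suffix_ok = connect_allowed(THING_SUFFIX_POLICY, CLIENT_ARN, thing_vars)
    # 3) Extra Greengrass connection (constructed client ID): it is not a thing name,
    #    so the thing variable has no value and the resource cannot match.
    extra_ok = connect_allowed(THING_SUFFIX_POLICY,
                               "arn:aws:iot:eu-west-1:XYZ:client/M112235_dev-extra1", {})
    return {"cert_cn": cert_ok, "doubled_resource": doubled,
            "thing_suffix": suffix_ok, "extra_connection": extra_ok}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it shows the certificate-CN policy admitting the device, the suffixed thing-name policy resolving to `client/M112235_dev_dev` and therefore denying the real client ID, and the extra connection being denied because its client ID resolves no thing variable at all.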