IoT policy with multiple clients, same certificate, different client ID, immediate disconnection

1

I have a device where I have multiple clients connecting to IoT using the same credentials. Each client is using a different client ID.

In the certificate policy, I have the following:

    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [ "arn:aws:iot:ap-pt:xxxxx:topic/abc/${iot:Connection.Thing.ThingName}/*" ]
    }

If I try to publish, for example, to a topic on one of the clients, let's say abc/MY_THING_NAME/hello, IoT will immediately disconnect the client.

If I have the policy:

    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [ "arn:aws:iot:ap-pt:xxxxx:topic/abc/MY_THING_NAME/*" ]
    }

Then I can happily publish to abc/MY_THING_NAME/hello, the message is accepted by the broker, and the client is not disconnected.

I don't understand why I have to put the specific thing name in the policy rule, and why "${iot:Connection.Thing.ThingName}" does not allow this through. Am I missing something here? I understand that the client disconnection behavior occurs when the client breaks the policy; however, I didn't think that was expected here.

majh
Asked a year ago, 350 views
1 answer
0

Hi Majh,

You are correct that the disconnect happens when the client breaks the policy. In this specific case, all clients using a clientId different from the Thing Name will break the first policy when trying to publish to abc/MY_THING_NAME/hello. This is because ${iot:Connection.Thing.ThingName} only resolves to the Thing Name when the clientId is the same as the Thing Name.

Assuming you really need to have multiple connections using the same certificate - which should only be the case when all connections are established from the same device - then you can use a certificate policy variable instead.

If you are using AWS IoT Certificates you can use a CSR to populate Subject variables when creating the certificate with CreateCertificateFromCsr.

Your policy would then be:

    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [ "arn:aws:iot:ap-pt:xxxxx:topic/abc/${iot:Certificate.Subject.CommonName}/*" ]
    }

Cheers,

Massimiliano

AWS
Expert
Answered a year ago
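As an added illustration (not code from the thread, from AWS, or from the answer's author), the Python model below simulates the variable-resolution rule the answer describes: ${iot:Connection.Thing.ThingName} only substitutes when the MQTT client ID equals the Thing name, while ${iot:Certificate.Subject.CommonName} substitutes for every connection made with that certificate. The `Connection` class, the function names, and the evaluation logic are simplifications assumed for the example; the region "ap-pt" and account "xxxxx" are the thread's own placeholders.

```python
import fnmatch
from dataclasses import dataclass
from typing import Optional

# Constructed policy statements mirroring the two variants discussed in the thread.
POLICY_THING_NAME = {
    "Effect": "Allow",
    "Action": ["iot:Publish"],
    "Resource": ["arn:aws:iot:ap-pt:xxxxx:topic/abc/${iot:Connection.Thing.ThingName}/*"],
}
POLICY_CERT_CN = {
    "Effect": "Allow",
    "Action": ["iot:Publish"],
    "Resource": ["arn:aws:iot:ap-pt:xxxxx:topic/abc/${iot:Certificate.Subject.CommonName}/*"],
}


@dataclass
class Connection:
    """Hypothetical view of one MQTT connection (assumed shape, not an AWS API)."""
    client_id: str          # MQTT client ID chosen by the client
    thing_name: str         # Thing the certificate is attached to
    cert_common_name: str   # CN from the CSR used with CreateCertificateFromCsr


def resolve_variables(resource: str, conn: Connection) -> Optional[str]:
    """Substitute policy variables; None means a variable could not resolve.

    Models the rule from the answer: the Thing-name variable resolves only when
    client ID == Thing name. An unresolved variable never matches any topic ARN,
    so the publish is denied and the broker disconnects the client.
    """
    thing_var = "${iot:Connection.Thing.ThingName}"
    cn_var = "${iot:Certificate.Subject.CommonName}"
    if thing_var in resource:
        if conn.client_id != conn.thing_name:
            return None
        resource = resource.replace(thing_var, conn.thing_name)
    if cn_var in resource:
        resource = resource.replace(cn_var, conn.cert_common_name)
    return resource


def publish_allowed(policy: dict, conn: Connection, topic: str) -> bool:
    """True when an Allow statement for iot:Publish matches the topic ARN."""
    if policy["Effect"] != "Allow" or "iot:Publish" not in policy["Action"]:
        return False
    topic_arn = f"arn:aws:iot:ap-pt:xxxxx:topic/{topic}"
    for pattern in policy["Resource"]:
        resolved = resolve_variables(pattern, conn)
        if resolved is not None and fnmatch.fnmatchcase(topic_arn, resolved):
            return True
    return False
```

Running `publish_allowed` for a second client whose ID differs from the Thing name shows the first policy denying (and therefore disconnecting) it while the certificate-CN policy still permits the publish.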
