Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

How to concatenate thing name with string in mqtt policy?

0

Hi guys,
I am asking help to configure a particular case in mqtt policy that seems not to work.
In my scenario I have a thing in IoT Core with a generic name (let's say TesThing ) and I want this thing to be able to connect to IoT Core with two possible client ids: the thing name as it is ( TesThing ) or the thing name plus the string "Shell" (that is TesThingShell ). I wrote this policy to achieve this behaviour:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:**-**-*:123***789:client/${iot:Connection.Thing.ThingName}",
        "arn:aws:iot:**-**-*:123***789:client/${iot:Connection.Thing.ThingName}Shell"
      ]
    }
  ]
}

However it does not behave as expected. The device connects normally with id "TesThing" but does not connect with id "TesThingShell", unless I explicitly hardcode "TesThingShell" in the policy. This made me think that it is not actually possible to concatenate ${iot:Connection.Thing.ThingName} with a generic string in the policy document. Do you know any way to do this?

Topics
Internet of Things (IoT)
Tags
AWS IoT Core
Language
English
asked 5 years ago517 views
3 Answers
0

Thanks for using AWS IoT. As our docs(https://docs.aws.amazon.com/iot/latest/developerguide/thing-policy-variables.html) say, to use thing-policy variables these two things must be true.

  1. ClientId must match with ThingName.
  2. Certificate must be associated with the Thing (specified in the clientId).

A certificate can be associated with more than one thing so we depend on device giving the exact thing name while connecting to IoT core in clientId field. This is needed even if certificate is attached to a single thing because if the certificate is attached to another thing in its lifetime (maybe accidentally), we don't want existing devices to break as policy variables cannot be resolved if we cannot identify the thing uniquely.

We have a feature request in our backlog to support multiple client ids. We cannot give exact dates but we are working hard to get the features out based on the priorities.

AWS
answered 5 years ago
0

Thank you for the answer.

I managed to obtain the same behaviour I had in mind using thing attributes instead of different client ids, cited in the link you provided.

answered 5 years ago
0

Since introduction of the thing-to-connection association also called an exclusive thing association on November 15, 2024, the client ID no longer has to match a thing name. If you want to use a client ID that doesn’t correspond to a thing name, you must attach the device’s X.509 certificate exclusively to a single AWS IoT Thing.

In this setup, your MQTT client can connect to the AWS IoT Core broker using any client ID. Authorization is still enforced by your AWS IoT Core policies, which can reference the associated thing via policy variables.

The exclusive thing association is especially useful when a single certificate needs to support multiple concurrent MQTT connections from the same device.

AWS
answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content