By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How to concatenate thing name with string in mqtt policy?

0

Hi guys,
I am asking help to configure a particular case in mqtt policy that seems not to work.
In my scenario I have a thing in IoT Core with a generic name (let's say TesThing ) and I want this thing to be able to connect to IoT Core with two possible client ids: the thing name as it is ( TesThing ) or the thing name plus the string "Shell" (that is TesThingShell ). I wrote this policy to achieve this behaviour:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:**-**-*:123***789:client/${iot:Connection.Thing.ThingName}",
        "arn:aws:iot:**-**-*:123***789:client/${iot:Connection.Thing.ThingName}Shell"
      ]
    }
  ]
}

However it does not behave as expected. The device connects normally with id "TesThing" but does not connect with id "TesThingShell", unless I explicitly hardcode "TesThingShell" in the policy. This made me think that it is not actually possible to concatenate ${iot:Connection.Thing.ThingName} with a generic string in the policy document. Do you know any way to do this?

Topics
Internet of Things (IoT)
Tags
AWS IoT Core
Language
English
FiorixF1
asked 4 years ago336 views
2 Answers
0

Thanks for using AWS IoT. As our docs(https://docs.aws.amazon.com/iot/latest/developerguide/thing-policy-variables.html) say, to use thing-policy variables these two things must be true.

  1. ClientId must match with ThingName.
  2. Certificate must be associated with the Thing (specified in the clientId).

A certificate can be associated with more than one thing so we depend on device giving the exact thing name while connecting to IoT core in clientId field. This is needed even if certificate is attached to a single thing because if the certificate is attached to another thing in its lifetime (maybe accidentally), we don't want existing devices to break as policy variables cannot be resolved if we cannot identify the thing uniquely.

We have a feature request in our backlog to support multiple client ids. We cannot give exact dates but we are working hard to get the features out based on the priorities.

AWS
AWS-User-3247576
answered 4 years ago
0

Thank you for the answer.

I managed to obtain the same behaviour I had in mind using thing attributes instead of different client ids, cited in the link you provided.

FiorixF1
answered 4 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content