AWS IoT Policy - using * in combination with a text string or variable

0

When using * in combination with a variable or text string, the resource is not working as expected.
When using an Allow effect for the action iot:Connect on the resource

"arn:aws:iot:*:*:client/${iot:Connection.Thing.ThingTypeName}-*"

I am expecting to be able to connect using a client id based on the thing name and a string separated by a dash.
E.g. "MyThingName-client1" or "MyThingName-abc", on the condition that the thing name is "MyThingName".

The behaviour I experience is that I cannot connect using the wildcard in combination with a variable or a string.
A full reproducing example is shown below. I can connect using only the thing name, but not using the thing name, a dash and any string.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:*:*:client/${iot:Connection.Thing.ThingTypeName}",
        "arn:aws:iot:*:*:client/${iot:Connection.Thing.ThingTypeName}-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Receive"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [
        "arn:aws:iot:*:*:topic/${iot:Connection.Thing.ThingTypeName}/input/${iot:Connection.Thing.ThingName}",
        "arn:aws:iot:*:*:topic/${iot:Connection.Thing.ThingTypeName}/event/${iot:Connection.Thing.ThingName}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": [
        "arn:aws:iot:*:*:topic/${iot:Connection.Thing.ThingTypeName}/output/${iot:Connection.Thing.ThingName}"
      ]
    }
  ]
}
savnik
asked 2 years ago, 93 views
2 Answers
0

Thanks for using AWS IoT. As our docs (https://docs.aws.amazon.com/iot/latest/developerguide/thing-policy-variables.html) say, to use thing policy variables these two things must be true.

  1. ClientId must match with ThingName.
  2. Certificate must be associated with the Thing (specified in the clientId).

A certificate can be associated with more than one thing, so we depend on the device giving the thing name in the clientId field while connecting to IoT Core. This is needed even if the certificate is attached to a single thing, because if the certificate is attached to another thing during its lifetime (maybe accidentally), we don't want existing devices to break, as policy variables cannot be resolved if we cannot identify the thing uniquely.

We have a feature request in our backlog to support multiple client ids. We cannot give exact dates but we are working hard to get the features out based on the priorities.

answered 2 years ago
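To make the two conditions from the answer concrete, here is an added illustrative model (not AWS's evaluation engine and not code from the question or answer) of how a connect attempt is checked against a policy that uses thing policy variables. The registry, certificate ids, region and account id are constructed; the policy is modelled on the question's, using ThingName instead of ThingTypeName in the client resource.

```python
import fnmatch

# Constructed thing registry: thing name -> thing type and attached certificate ids.
REGISTRY = {
    "MyThingName": {"type": "SensorType", "certs": {"cert-A"}},
}

# Constructed policy modelled on the question's connect statement.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iot:Connect"],
            "Resource": [
                "arn:aws:iot:*:*:client/${iot:Connection.Thing.ThingName}",
                "arn:aws:iot:*:*:client/${iot:Connection.Thing.ThingName}-*",
            ],
        }
    ],
}

def resolve_variables(resource, client_id, cert_id):
    """Model of the rule in the answer: thing policy variables resolve only when
    the clientId names a registered thing AND the connecting certificate is
    attached to that thing. Returns the substituted resource, or None when a
    variable in the resource cannot be resolved."""
    if "${iot:Connection.Thing." not in resource:
        return resource
    thing = REGISTRY.get(client_id)
    if thing is None or cert_id not in thing["certs"]:
        return None
    return (resource
            .replace("${iot:Connection.Thing.ThingName}", client_id)
            .replace("${iot:Connection.Thing.ThingTypeName}", thing["type"]))

def connect_allowed(policy, client_id, cert_id,
                    region="eu-west-1", account="123456789012"):
    """True if some Allow statement for iot:Connect has a resolvable resource
    pattern matching the client ARN of this connection attempt."""
    requested = f"arn:aws:iot:{region}:{account}:client/{client_id}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "iot:Connect" not in stmt["Action"]:
            continue
        for res in stmt["Resource"]:
            resolved = resolve_variables(res, client_id, cert_id)
            # '*' in the resource ARN is a glob; unresolved variables never match.
            if resolved is not None and fnmatch.fnmatchcase(requested, resolved):
                return True
    return False
```

Connecting as "MyThingName-client1" is denied not because the wildcard fails, but because no thing by that name exists, so the variable is never substituted; the same happens when the certificate is not attached to the thing named in the clientId.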
0

I had overlooked the fact that the thing name should be equal to the client id.
Thanks!

savnik
answered 2 years ago
