IoT policy with multiple clients, same certificate, different client ID, immediate disconnection

I have a device where I have multiple clients connecting to IoT using the same credentials. Each client is using a different client ID.

In the certificate policy, I have the following:

    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [ "arn:aws:iot:ap-pt:xxxxx:topic/abc/${iot:Connection.Thing.ThingName}/*" ]
    }

If I try to publish, for example, to a topic on one of the clients, let's say abc/MY_THING_NAME/hello, IoT will immediately disconnect the client.

If I have the policy

    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [ "arn:aws:iot:ap-pt:xxxxx:topic/abc/MY_THING_NAME/*" ]
    }

then I can happily publish to abc/MY_THING_NAME/hello, the message is accepted by the broker, and no client disconnect occurs.

I don't understand why I have to put the specific thing name in the policy rule, and why "${iot:Connection.Thing.ThingName}" does not allow this through. Am I missing something here? I understand that the client disconnection behavior occurs when the client breaks the policy; however, I didn't think that was expected here.

majh
asked a year ago · 335 views
1 Answer
Hi Majh,

You are correct that the disconnect happens when the client breaks the policy. In this specific case, all clients using a clientId different from the Thing Name will break the first policy when trying to publish to abc/MY_THING_NAME/hello. This is because ${iot:Connection.Thing.ThingName} only resolves to the Thing Name when the clientId is the same as the Thing Name.

Assuming you really need to have multiple connections using the same certificate, which should only be the case when all connections are established from the same device, then you can use a certificate policy variable instead.

If you are using AWS IoT certificates, you can use a CSR to populate the Subject variables when creating the certificate with CreateCertificateFromCsr.

Your policy would then be:

    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [ "arn:aws:iot:ap-pt:xxxxx:topic/abc/${iot:Certificate.Subject.CommonName}/*" ]
    }

Cheers,

Massimiliano
AWS EXPERT
answered a year ago
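The behaviour described in the question and the answer can be reproduced offline with a small model of policy-variable substitution. This is an added example, not code from the post or from AWS: it assumes (as a simplification of the service's documented behaviour) that `${iot:Connection.Thing.ThingName}` resolves only when the MQTT clientId equals a thing name attached to the connecting certificate, that `${iot:Certificate.Subject.CommonName}` always resolves from the certificate, and that the CSR was issued with CN `MY_THING_NAME`; `ap-pt` and `xxxxx` are the placeholders used in the post.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Optional

THING_VAR = "${iot:Connection.Thing.ThingName}"
CN_VAR = "${iot:Certificate.Subject.CommonName}"


@dataclass
class Connection:
    """Constructed connection context for one MQTT client (an assumption)."""
    client_id: str
    cert_common_name: str          # Subject CN of the connecting certificate
    attached_things: set = field(default_factory=set)  # things attached to that cert


def resolve_variables(resource: str, conn: Connection) -> Optional[str]:
    """Substitute policy variables; None means the statement can never match."""
    if THING_VAR in resource:
        # Simplified model: ThingName resolves only when clientId names an attached thing.
        if conn.client_id not in conn.attached_things:
            return None
        resource = resource.replace(THING_VAR, conn.client_id)
    return resource.replace(CN_VAR, conn.cert_common_name)


def publish_allowed(resource: str, conn: Connection, topic: str,
                    region: str = "ap-pt", account: str = "xxxxx") -> bool:
    """Evaluate one Allow iot:Publish statement against a topic (deny if unresolved)."""
    resolved = resolve_variables(resource, conn)
    if resolved is None:
        return False
    topic_arn = f"arn:aws:iot:{region}:{account}:topic/{topic}"
    return fnmatch.fnmatchcase(topic_arn, resolved)  # '*' spans '/' like the IoT wildcard


def compare_policies() -> dict:
    """Same certificate, two clientIds, both policy variants from the thread."""
    cert_cn, things = "MY_THING_NAME", {"MY_THING_NAME"}
    by_thing_name = Connection("MY_THING_NAME", cert_cn, things)
    other_client = Connection("MY_THING_NAME-sensor2", cert_cn, things)
    thing_policy = "arn:aws:iot:ap-pt:xxxxx:topic/abc/" + THING_VAR + "/*"
    cn_policy = "arn:aws:iot:ap-pt:xxxxx:topic/abc/" + CN_VAR + "/*"
    topic = "abc/MY_THING_NAME/hello"
    return {
        "thingname_var/clientId==thing": publish_allowed(thing_policy, by_thing_name, topic),
        "thingname_var/clientId!=thing": publish_allowed(thing_policy, other_client, topic),
        "commonname_var/clientId==thing": publish_allowed(cn_policy, by_thing_name, topic),
        "commonname_var/clientId!=thing": publish_allowed(cn_policy, other_client, topic),
    }
```

Only the second client under the ThingName policy is denied, which is the publish that triggers the disconnect in the question; the CommonName policy admits both clients because it depends on the shared certificate, not the clientId.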
