
IoT policy with multiple clients, same certificate, different client ID, immediate disconnection

1

I have a device where I have multiple clients connecting to IoT using the same credentials. Each client is using a different client ID.

In the certificate policy, I have the following statement:

    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [ "arn:aws:iot:ap-pt:xxxxx:topic/abc/${iot:Connection.Thing.ThingName}/*" ]
    }

If I try to publish, for example, to a topic on one of the clients, let's say abc/MY_THING_NAME/hello, IoT will immediately disconnect the client.

If I have the policy

    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [ "arn:aws:iot:ap-pt:xxxxx:topic/abc/MY_THING_NAME/*" ]
    }

Then I can happily publish to abc/MY_THING_NAME/hello; the message is accepted by the broker, and there is no client disconnect.

I don't understand why I have to put the specific thing name in the policy rule, and why "${iot:Connection.Thing.ThingName}" does not allow this through. Am I missing something here? I understand that the client disconnection behavior occurs when the client breaks the policy; however, I didn't think that was expected here.

asked 3 years ago, 952 views
2 Answers
0

Hi Majh,

you are correct that the disconnect happens when the client breaks the policy. In the specific case, all clients using a clientId different from the Thing Name will break the first policy when trying to publish to abc/MY_THING_NAME/hello. This is because the ${iot:Connection.Thing.ThingName} only resolves to the Thing Name when the clientId is the same as the Thing Name.

Assuming you really need to have multiple connections using the same certificate - which should only be the case when all connections are established from the same device - then you can use a certificate policy variable instead.

If you are using AWS IoT Certificates you can use a CSR to populate Subject variables when creating the certificate with CreateCertificateFromCsr.

Your policy would then be:

    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [ "arn:aws:iot:ap-pt:xxxxx:topic/abc/${iot:Certificate.Subject.CommonName}/*" ]
    }

Cheers,

Massimiliano

AWS
EXPERT
answered 3 years ago
0

Since the introduction of the thing-to-connection association, also called an exclusive thing association, on November 15, 2024, the client ID no longer has to match a thing name. If you want to use a client ID that doesn't correspond to a thing name, you must attach the device's X.509 certificate exclusively to a single AWS IoT Thing.

In this setup, your MQTT client can connect to the AWS IoT Core broker using any client ID. Authorization is still enforced by your AWS IoT Core policies, which can reference the associated thing via policy variables.

The exclusive thing association is especially useful when a single certificate needs to support multiple concurrent MQTT connections from the same device.

AWS
answered 6 months ago
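Both answers come down to when a policy variable resolves for a given connection. As an added example that is not code from AWS or from either poster, the Python model below substitutes the two variables for a connection context and checks a publish against the resource ARN, covering the question's two clientId cases, the Certificate.Subject.CommonName policy from the first answer, and the exclusive thing association from the second. The context fields (client_id, registered_things, exclusive_thing, cert_cn) and the resolution rules are assumptions drawn from the answers above, a simplified model rather than AWS IoT Core's actual evaluator.

```python
import fnmatch
import re

# Resource ARNs in the two shapes used on this page.
RESOURCE_THING_NAME = "arn:aws:iot:ap-pt:xxxxx:topic/abc/${iot:Connection.Thing.ThingName}/*"
RESOURCE_CERT_CN = "arn:aws:iot:ap-pt:xxxxx:topic/abc/${iot:Certificate.Subject.CommonName}/*"
VAR_RE = re.compile(r"\$\{([^}]+)\}")


def connection_variables(conn):
    """Policy variables for one connection, from a constructed context dict:
    client_id, registered_things (thing names the certificate is attached to),
    exclusive_thing (the single thing of an exclusive association, else None),
    cert_cn (certificate Subject CommonName). A None value is unresolvable."""
    # ThingName resolves only when the client ID is itself one of the
    # certificate's thing names, or the certificate is exclusively attached.
    client_is_thing = conn["client_id"] in conn["registered_things"]
    thing = conn["client_id"] if client_is_thing else conn.get("exclusive_thing")
    return {"iot:Connection.Thing.ThingName": thing,
            "iot:Certificate.Subject.CommonName": conn.get("cert_cn")}


def resolve_resource(resource, conn):
    """Substitute every variable; None if any is unresolved (grants nothing)."""
    variables, out, pos = connection_variables(conn), [], 0
    for m in VAR_RE.finditer(resource):
        value = variables.get(m.group(1))
        if value is None:
            return None
        out.append(resource[pos:m.start()] + value)
        pos = m.end()
    return "".join(out) + resource[pos:]


def publish_allowed(resource, conn, topic):
    """True if the Allow statement's resolved resource matches the topic."""
    resolved = resolve_resource(resource, conn)
    if resolved is None:
        return False  # unresolved variable: no match, so the publish is denied
    pattern = resolved.split(":topic/", 1)[1]
    return fnmatch.fnmatchcase(topic, pattern)  # '*' in the ARN is a wildcard


def demo(topic="abc/MY_THING_NAME/hello"):
    base = {"registered_things": {"MY_THING_NAME"}, "exclusive_thing": None,
            "cert_cn": "MY_THING_NAME"}  # CN set via the CSR, as in answer 1
    same_id = dict(base, client_id="MY_THING_NAME")
    other_id = dict(base, client_id="sensor-2")  # constructed second client
    exclusive = dict(other_id, exclusive_thing="MY_THING_NAME")  # answer 2
    return {"thing_var_same_id": publish_allowed(RESOURCE_THING_NAME, same_id, topic),
            "thing_var_other_id": publish_allowed(RESOURCE_THING_NAME, other_id, topic),
            "cn_var_other_id": publish_allowed(RESOURCE_CERT_CN, other_id, topic),
            "thing_var_exclusive": publish_allowed(RESOURCE_THING_NAME, exclusive, topic)}
```

demo() returns False only for the thing-name variable with a non-matching clientId, which is the publish that gets the client disconnected in the question.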
