As far as I understand, the issue is likely a circular dependency or a resolution failure of the ${iot:Connection.Thing.ThingName} variable within the Resource ARN of the iot:Connect action. During the initial connection phase, AWS IoT Core prefers resolving the client identity via ${iot:ClientId}. If the certificate-to-thing attachment isn't resolved instantly during the TLS handshake, the policy evaluation for the resource ARN fails.
Use ${iot:ClientId} for the iot:Connect resource path, while maintaining the security constraint in the Condition block. This ensures the client can only connect if its Client ID matches the attached Thing Name.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowConnect",
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:${aws:Region}:${aws:AccountId}:client/${iot:ClientId}",
      "Condition": {
        "Bool": {
          "iot:Connection.Thing.IsAttached": "true"
        },
        "StringEquals": {
          "iot:ClientId": "${iot:Connection.Thing.ThingName}"
        }
      }
    },
    {
      "Sid": "AllowPublish",
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:${aws:Region}:${aws:AccountId}:topic/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Sid": "AllowSubscribe",
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:${aws:Region}:${aws:AccountId}:topicfilter/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Sid": "AllowReceive",
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:${aws:Region}:${aws:AccountId}:topic/${iot:Connection.Thing.ThingName}/*"
    }
  ]
}
- Attachment: Ensure the Certificate is explicitly attached to the Thing in the AWS IoT Registry.
- Client ID: The device code must use the ThingName as its ClientID when connecting.
- Topic Structure: Ensure your device is publishing to a sub-topic (e.g., ThingName/data), as the /* wildcard requires a child level. If you publish directly to the ThingName topic, remove the /*.
Hope that helps!
So I have used the Thing.IsAttached before with success. I did some additional testing and managed to get the policy below to work but am still not sure why.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllActionsBoundToThing",
      "Condition": {
        "Bool": {
          "iot:Connection.Thing.IsAttached": "true"
        },
        "StringEquals": {
          "iot:ClientId": "${iot:Connection.Thing.ThingName}"
        }
      },
      "Effect": "Allow",
      "Action": [
        "iot:Connect",
        "iot:Publish",
        "iot:RetainPublish",
        "iot:Subscribe",
        "iot:Receive"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RestrictPublish",
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:RetainPublish",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:${aws:Region}:${aws:AccountId}:topic/${iot:Connection.Thing.ThingName}/*"
      ]
    }
  ]
}
To add to my earlier response, I also added a further restriction to subscribe. I am not sure what the real difference is between what I pasted originally and what is below. Side question: is it duplication posting the subscribe, pub, and receive multiple times (first in the AllActionsBoundToThing and again in their respective restrictions)?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllActionsBoundToThing",
      "Condition": {
        "Bool": {
          "iot:Connection.Thing.IsAttached": "true"
        },
        "StringEquals": {
          "iot:ClientId": "${iot:Connection.Thing.ThingName}"
        }
      },
      "Effect": "Allow",
      "Action": [
        "iot:Connect",
        "iot:Publish",
        "iot:RetainPublish",
        "iot:Subscribe",
        "iot:Receive"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RestrictPublish",
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:RetainPublish",
        "iot:Receive"
      ],
      "Resource": "arn:aws:iot:${aws:Region}:${aws:AccountId}:topic/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Sid": "RestrictSubscribe",
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": "arn:aws:iot:${aws:Region}:${aws:AccountId}:topicfilter/${iot:Connection.Thing.ThingName}/*"
    }
  ]
}
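The difference between the first answer's policy and the follow-up's `Resource: "*"` policy is easiest to see by evaluating both against the same requests. The block below is an added example written for this page, not code from any participant in the thread or from AWS. It is a toy evaluator for only the subset of IoT policy semantics the thread uses (Allow statements, `*` wildcards, policy variables, `Bool` and `StringEquals` conditions) and the IAM-style rule that any matching Allow grants unless a Deny matches. The region, account id and thing names are constructed sample values, and the way `${iot:Connection.Thing.ThingName}` resolves here (to the client ID only when the certificate is attached to the thing of that name, unresolved otherwise) is a modelling assumption taken from the first answer's description, not a statement of AWS internals.

```python
"""Toy evaluator for the subset of AWS IoT Core policy semantics used in this thread (added example)."""
import fnmatch

REGION, ACCOUNT = "us-east-1", "123456789012"   # constructed sample values
ARN = f"arn:aws:iot:{REGION}:{ACCOUNT}"

# Policy from the first answer: Connect on client/${iot:ClientId}, data actions scoped to the thing.
POLICY_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowConnect", "Effect": "Allow", "Action": "iot:Connect",
     "Resource": "arn:aws:iot:${aws:Region}:${aws:AccountId}:client/${iot:ClientId}",
     "Condition": {"Bool": {"iot:Connection.Thing.IsAttached": "true"},
                   "StringEquals": {"iot:ClientId": "${iot:Connection.Thing.ThingName}"}}},
    {"Sid": "AllowPublish", "Effect": "Allow", "Action": "iot:Publish",
     "Resource": "arn:aws:iot:${aws:Region}:${aws:AccountId}:topic/${iot:Connection.Thing.ThingName}/*"},
    {"Sid": "AllowSubscribe", "Effect": "Allow", "Action": "iot:Subscribe",
     "Resource": "arn:aws:iot:${aws:Region}:${aws:AccountId}:topicfilter/${iot:Connection.Thing.ThingName}/*"},
    {"Sid": "AllowReceive", "Effect": "Allow", "Action": "iot:Receive",
     "Resource": "arn:aws:iot:${aws:Region}:${aws:AccountId}:topic/${iot:Connection.Thing.ThingName}/*"},
]}

# Policy from the follow-up: one Allow on Resource "*" plus a narrower "RestrictPublish" Allow.
POLICY_STAR = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllActionsBoundToThing", "Effect": "Allow", "Resource": "*",
     "Action": ["iot:Connect", "iot:Publish", "iot:RetainPublish", "iot:Subscribe", "iot:Receive"],
     "Condition": {"Bool": {"iot:Connection.Thing.IsAttached": "true"},
                   "StringEquals": {"iot:ClientId": "${iot:Connection.Thing.ThingName}"}}},
    {"Sid": "RestrictPublish", "Effect": "Allow",
     "Action": ["iot:Publish", "iot:RetainPublish", "iot:Receive"],
     "Resource": "arn:aws:iot:${aws:Region}:${aws:AccountId}:topic/${iot:Connection.Thing.ThingName}/*"},
]}


def build_context(client_id: str, attached_things: set) -> dict:
    """Policy variables for one connection. Modelling assumption (per the first answer):
    ThingName resolves to the client ID only when the certificate is attached to the
    thing of that name; otherwise it stays unresolved and IsAttached is "false"."""
    attached = client_id in attached_things
    return {
        "aws:Region": REGION, "aws:AccountId": ACCOUNT, "iot:ClientId": client_id,
        "iot:Connection.Thing.IsAttached": "true" if attached else "false",
        "iot:Connection.Thing.ThingName": client_id if attached else "${iot:Connection.Thing.ThingName}",
    }

def substitute(text: str, ctx: dict) -> str:
    """Expand ${name} policy variables from the connection context."""
    for name, value in ctx.items():
        text = text.replace("${" + name + "}", value)
    return text

def as_list(value) -> list:
    return value if isinstance(value, list) else [value]

def condition_matches(cond: dict, ctx: dict) -> bool:
    """Only the two operators the thread uses; every key in every block must hold."""
    for operator, pairs in cond.items():
        if operator not in ("Bool", "StringEquals"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if ctx.get(key, "") != substitute(str(expected), ctx):
                return False
    return True

def statement_matches(stmt: dict, action: str, resource_arn: str, ctx: dict) -> bool:
    if not any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt["Action"])):
        return False
    patterns = [substitute(r, ctx) for r in as_list(stmt["Resource"])]
    if not any(fnmatch.fnmatchcase(resource_arn, p) for p in patterns):
        return False
    return condition_matches(stmt.get("Condition", {}), ctx)

def evaluate(policy: dict, action: str, resource_arn: str, ctx: dict) -> bool:
    """IAM-style: an explicit Deny wins, any matching Allow grants, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if statement_matches(stmt, action, resource_arn, ctx):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def check(policy: dict, client_id: str, attached_things: set, action: str, resource_arn: str) -> bool:
    return evaluate(policy, action, resource_arn, build_context(client_id, attached_things))

def run_scenarios() -> dict:
    """Same requests against both policies: (scoped_result, star_result) per scenario."""
    own, none = {"sensor-01"}, set()
    cases = {
        "connect_attached": ("sensor-01", own, "iot:Connect", f"{ARN}:client/sensor-01"),
        "connect_cert_not_attached": ("sensor-01", none, "iot:Connect", f"{ARN}:client/sensor-01"),
        "publish_own_topic": ("sensor-01", own, "iot:Publish", f"{ARN}:topic/sensor-01/data"),
        "publish_other_things_topic": ("sensor-01", own, "iot:Publish", f"{ARN}:topic/other-thing/data"),
    }
    return {name: (check(POLICY_SCOPED, *args), check(POLICY_STAR, *args)) for name, args in cases.items()}

if __name__ == "__main__":
    for name, (scoped, star) in run_scenarios().items():
        print(f"{name:28s} scoped={scoped} star={star}")
```

The row to look at is the publish to another thing's topic: the scoped policy denies it, while the follow-up policy allows it, because `AllActionsBoundToThing` already grants `iot:Publish` on `*` and a second Allow statement can only widen what is granted, never narrow it. If the goal is to confine a device to its own topics, the narrowing belongs in the Resource of the Allow statement itself (as in the first answer's policy) or in an explicit Deny; a `RestrictPublish` Allow placed beside a `*` Allow has no effect on what the device can do.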