- Newest
- Most votes
- Most comments
This will not work as you intend to as You need to be aware about differences between IoT Policy and IAM Policy, they both have different options and variables they allow for specific actions. Your 'cognito-identity.amazonaws.com:sub' is an IAM level variable, not IoT Policy variable hence it will not work in IoT Policy.
In your case you would need to map a custom user attribute to either a thing or a topic or anything else within the IAM policy and then allow access based on that.
For example - have a Cognito user with custom attribute "department" with value "accounting", then add a custom attribute mapping in Cognito Identity settings so
department : custom:department.
Once you have done that go to IAM and open a role that you Cognito is using for Authenticated users. In trust relationship tab of that role add "sts:TagSession" as permitted action on top of the one that is there already.
Then go to Policy that is attached to this role and in there you can now use ${aws:PrincipalTag/department}
as a variable and match it against your actions for iot.
So for example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:Subscribe",
"Resource": "arn:aws:iot:*:*:topic/*${aws:PrincipalTag/department}*"
}
]
}
Will now allow subscription to any topic that contains "accounting" in its path. See here for more in depth explanation: https://docs.aws.amazon.com/cognito/latest/developerguide/attributes-for-access-control.html Hope this helps.
You'll need to map custom attributes from Amazon Cognito to AWS IoT Core Thing or Thing Type attributes. So Cognito user pools are going to go to specific Identity Pools which will have IAM permissions to IoT Core topics.
IoT Core policies can be crafted using custom attributes as policy variables.
You may not want to use the group as the entity to compare to grant permissions. Instead when onboarding a new device use a pre-provisioning lambda to assign an attribute to the Thing itself.
Please let me know if I have misunderstood something.
I think this is along the way I was thinking. The issue for me is that I'd like for a customer (e.g., Alice), to be able to subscribe & publish to $aws/things/A/shadow, $aws/things/B/shadow, $aws/things/C/shadow but NOT to $aws/things/D/shadow (or any of the other device shadows).
It appears that in order to use the IoT Core Policy variables for Things (e.g., iot:Connection.Thing.Attributes), I must attach the IoT Core Policy to the Thing's Certificate, to the Cognito Identity and attach the Identity to the Thing. And even then Alice must connect using "A" as the client ID, meaning only one Thing's shadow can be accessed per session.
I'm not sure I follow exactly. I'm not certain where the IoT Core policies fit in, exactly? I understand that there must be an IoT Core policy attached to each Identity in order for that particular user to access IoT functionality. Are you suggesting that this IoT Core policy contain permissions for specific MQTT channels? I'm not sure what that IoT Core policy would look like? What I tried that didn't seem to work was something similar to this (pseudocode):
effect = Allow
actions = ["iot:Receive", "iot:Publish"]
resources = *
condition = ${iot:Connection.Thing.Attributes[custom:Company]} == ${aws:PrincipalTag/custom:Company}
Are you suggesting that perhaps I specifically call out resources (e.g., the specific MQTT channels for each Thing)?
On a related note, I am somewhat unclear on the differences between the actions in the IoT Core policies (e.g. iot:Receive) and the IAM policies (also seemingly named iot:Receive). Must these be reciprocal?
Thank you very much!
Would it be possible for you to reach out to me directly via pronoc@amazon.com? I may have misunderstood your use-case and would like to help out further with this.
Relevant content
- asked 6 years ago
- Accepted Answerasked 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 2 years ago
This is correct. I confused IoT policy with IAM policies. Those are two different things. Thanks for setting the record straight.