
Enforce IoT policy with Thing attributes - client disconnects


I have a thing connected to AWS IoT and sending messages with no problems; my policy looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect",
        "iot:Subscribe"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Receive",
        "iot:Publish"
      ],
      "Resource": [
        "arn:aws:iot:eu-central-1:574787835894:topic/FOO/*"
      ]
    }
  ]
}

My thing uses a thing type with a searchable attribute called "prefix".
The type is properly attached to the thing.
The attribute key is properly filled with "prefix" and its value with "FOO".
However, when I update the policy to use the searchable attribute in this way, the client disconnects with an AUTH failure:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect",
        "iot:Subscribe"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Receive",
        "iot:Publish"
      ],
      "Resource": [
        "arn:aws:iot:eu-central-1:574787835894:topic/${iot:Connection.Thing.Attributes[prefix]}/*"
      ]
    }
  ]
}

I have spent many hours debugging this problem without success. Please, any ideas?

asked 5 years ago · 585 views
3 Answers

Hi,

Note that to use thing policy variables, the value of the client ID must match the thing name. Also, the device certificate must be associated with the respective thing. Please check these two and let us know if the problem persists.

Hope it helps.

AWS
answered 5 years ago

You were right: the name was different because in AWS I had replaced the dots with dashes. Once the name is the same on both sides it works properly. Thank you!

answered 5 years ago

Since the introduction of the thing-to-connection association, also called an exclusive thing association, on November 15, 2024, the client ID no longer has to match a thing name. If you want to use a client ID that doesn't correspond to a thing name, you must attach the device's X.509 certificate exclusively to a single AWS IoT Thing.

In this setup, your MQTT client can connect to the AWS IoT Core broker using any client ID. Authorization is still enforced by your AWS IoT Core policies, which can reference the associated thing via policy variables.

The exclusive thing association is especially useful when a single certificate needs to support multiple concurrent MQTT connections from the same device.

AWS
answered 6 months ago
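The two conditions raised in this thread (the first answer: client ID equal to the thing name plus a certificate attached to that thing; the third answer: an exclusive thing association that lifts the client ID requirement) can be checked offline with a small model of how thing policy variables resolve. The script below is an added example written for this page; it is not code from the original post or from AWS, and it is a deliberately narrow, hypothetical simplification of IoT Core policy evaluation (no Deny statements, condition keys or other policy variables). The policy document is the asker's second policy as posted; the thing name "sensor.01", the certificate ID and the registry classes are constructed for the demonstration.

```python
"""Offline model of how AWS IoT Core resolves thing policy variables.

Added example for this thread; not code from the original post or from AWS.
Hypothetical simplification covering only what the answers above describe:
  * ${iot:Connection.Thing.ThingName} and
    ${iot:Connection.Thing.Attributes[key]} resolve only when the connection
    can be tied to a thing: either the MQTT client ID equals the name of a
    thing the certificate is attached to, or the certificate has an
    exclusive thing association (any client ID then works);
  * a resource containing a variable that cannot be resolved matches nothing,
    so no Allow statement applies and the request is denied. In IoT Core an
    unauthorized publish closes the MQTT connection, which is the observed
    AUTH-failure disconnect.
Deny statements, condition keys and other policy variables are not modelled.
"""
import json
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set

THING_VAR = re.compile(r"\$\{iot:Connection\.Thing\.(ThingName|Attributes\[([^\]]+)\])\}")


@dataclass
class Thing:
    name: str
    attributes: Dict[str, str]
    certificates: Set[str] = field(default_factory=set)  # cert IDs attached to it


@dataclass
class Registry:
    things: List[Thing]
    # cert ID -> thing name for certificates attached with an exclusive thing
    # association (constructed stand-in for the registry's own bookkeeping)
    exclusive: Dict[str, str] = field(default_factory=dict)

    def thing_for_connection(self, client_id: str, cert_id: str) -> Optional[Thing]:
        by_name = {t.name: t for t in self.things}
        if cert_id in self.exclusive:            # exclusive association: any client ID
            return by_name.get(self.exclusive[cert_id])
        # Non-exclusive case: client ID must equal a thing name, and the
        # certificate must be attached to that thing.
        thing = by_name.get(client_id)
        if thing is not None and cert_id in thing.certificates:
            return thing
        return None


def resolve_resource(resource: str, thing: Optional[Thing]) -> Optional[str]:
    """Substitute thing policy variables; return None if any cannot be resolved."""
    unresolved = False

    def repl(m):
        nonlocal unresolved
        if thing is None:
            unresolved = True
            return ""
        if m.group(1) == "ThingName":
            return thing.name
        value = thing.attributes.get(m.group(2))
        if value is None:
            unresolved = True
            return ""
        return value

    out = THING_VAR.sub(repl, resource)
    return None if unresolved else out


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, action: str, resource_arn: str, thing: Optional[Thing]) -> bool:
    """True if some Allow statement matches both the action and the resource ARN."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        for res in _as_list(stmt["Resource"]):
            pattern = resolve_resource(res, thing)
            if pattern is not None and fnmatchcase(resource_arn, pattern):
                return True
    return False


# The asker's second policy, exactly as posted in the question.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["iot:Connect", "iot:Subscribe"], "Resource": "*"},
  {"Effect": "Allow", "Action": ["iot:Receive", "iot:Publish"],
   "Resource": ["arn:aws:iot:eu-central-1:574787835894:topic/${iot:Connection.Thing.Attributes[prefix]}/*"]}
]}
""")

CERT = "abc123"  # constructed certificate ID


def demo_registry(exclusive: bool = False) -> Registry:
    # Constructed sample: thing name contains dots, as the asker's did.
    t = Thing("sensor.01", {"prefix": "FOO"}, {CERT})
    return Registry([t], {CERT: t.name} if exclusive else {})


def can_publish(registry: Registry, client_id: str, cert_id: str, topic: str) -> bool:
    thing = registry.thing_for_connection(client_id, cert_id)
    arn = f"arn:aws:iot:eu-central-1:574787835894:topic/{topic}"
    return is_allowed(POLICY, "iot:Publish", arn, thing)


if __name__ == "__main__":
    r = demo_registry()
    print(can_publish(r, "sensor-01", CERT, "FOO/telemetry"))  # False: dashes vs dots, no thing resolved
    print(can_publish(r, "sensor.01", CERT, "FOO/telemetry"))  # True
    print(can_publish(r, "sensor.01", CERT, "BAR/telemetry"))  # False: prefix attribute is FOO
    print(can_publish(demo_registry(exclusive=True), "any-client-id", CERT, "FOO/telemetry"))  # True
```

The first call reproduces the asker's situation: the client ID "sensor-01" does not equal the thing name "sensor.01", so the variable never resolves and the publish is denied even though the certificate and attribute are correct. The last call shows the third answer's point: with an exclusive association the thing is found from the certificate alone and the client ID is irrelevant.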
