【以下的问题经过翻译处理】 根据这份文档,我们可以使用变量,但貌似只能 "在组件配方的生命周期定义中使用". 是否有未声明的方式在accessControl
语句中使用变量?特别是我正在尝试添加以下accessControl
语句:
DefaultConfiguration:
accessControl:
aws.greengrass.ipc.mqttproxy:
"{COMPONENT_NAME}:mqttproxy:1":
policyDescription: Allows subscribing to command messages from aws-iot-core
operations:
- "aws.greengrass#SubscribeToIoTCore"
resources:
- "iot/cache/#"
- "iot/gateways/{iot:thingName}/command/+"
- "iot/gateways/{iot:thingName}/status/+"
"{COMPONENT_NAME}:mqttproxy:2":
policyDescription: Allows publishing update messages to aws-iot-core
operations:
- "aws.greengrass#PublishToIoTCore"
resources:
- "iot/things/+/message"
...但我在订阅iot/gateways/my-actual-core-name/command/+
和iot/gateways/my-actual-core-name/status/+
时收到了awsiot.greengrasscoreipc.model.UnauthorizedError
。
通过试错,我发现以下资源声明语句可以实现我想要的,但它们有点"过于宽泛":
resources:
- "iot/cache/#"
- "iot/gateways/+/command/+"
- "iot/gateways/+/status/+"
然后我可以实际订阅iot/gateways/my actual core name/command/+和iot/gateways/my actual core-name/status/+。这对我来说有点违背直觉,因为它们不是明确的同一主题模式(我希望只允许订阅iot/gateway/++command/+)。目前这是一个不错的解决方案,但我希望我能做得更好,防止给定的网关订阅iot/gateway/artificial words/command/+