Can you use thing 'Attributes' in recipe access control for setting permissions

Question

In the IoT thing policy I am able to set a policy resource to allow the action publish to a topic using the variable:
```
${iot:Connection.Thing.Attributes[fleetOperator]}
```
```
arn:aws:iot:ap-southeast-2:949179323480:topic/Iot/${iot:Connection.Thing.Attributes[fleetOperator]}/${iot:Connection.Thing.ThingName}/*
```

Is there a way to replicate this in the access control of a recipe? Something similar to the below.

```
      aws.greengrass.ipc.mqttproxy:
        'test:mqttproxy:1':
          policyDescription: Allows access to everything
          operations:
            - 'aws.greengrass#SubscribeToIoTCore'
            - 'aws.greengrass#PublishToIoTCore'
          resources:
            - 'Iot/{iot:thingName}*'
            - 'Iot/{iot:Connection.Thing.Attributes[fleetOperator]}/{iot:Connection.Thing.ThingName}/*'
```

Additionally what would be the preferred method to access the thing attributes in a greengrass component - currently I use the aws sdk however need to set the appropriate permissions using the TES, I would prefer to use the IoT credentials if possible.

Accepted Answer

Unfortunately, `{iot:Connection.Thing.Attributes}` is not supported, just thing name

https://docs.aws.amazon.com/greengrass/v2/developerguide/interprocess-communication.html#ipc-authorization-policy-recipe-variables

For your second question, greengrass provides the `AWS_IOT_THING_NAME` environment variable,
https://docs.aws.amazon.com/greengrass/v2/developerguide/component-environment-variables.html.  But for other attributes, I believe using the sdk would be the right approach.

Can you use thing 'Attributes' in recipe access control for setting permissions

相关内容