How to set a proper policy for the role attached to a republish rule in IoT


I have a rule (republish_generic2) with the following query statement:
SELECT topic(2) as device_id, temperature FROM 'things/+/pub'
and with a republish action, republishing to the following topic:
things/${topic(2)}/sub

i.e. using a substitution template.
(I've defined a role along with the rule.)
Additionally, I've added an error topic: error/2

I had also created a similar rule (republish_1), but republishing to things/device1/sub (so without using a substitution template).

When publishing to things/device1/pub with the republish_1 rule, the message nicely appears at the things/device1/sub topic.
However, the republish_generic2 rule isn't able to publish to the same topic. The error/2 topic receives the following:

```json
{
  "ruleName": "republish_generic2",
  "topic": "things/device1/pub",
  "cloudwatchTraceId": "xxxxx",
  "clientId": "xxxx",
  "base64OriginalPayload": "ewogICJ0ZW1wZXJhdHVyZSI6IDI4LAogICJodW1pZGl0eSI6IDgwLAogICJiYXJvbWV0ZXIiOiAxMDEzLAogICJ3aW5kIjogewogICAgInZlbG9jaXR5IjogMjIsCiAgICAiYmVhcmluZyI6IDI1NQogIH0KfQ==",
  "failures": [
    {
      "failedAction": "RepublishAction",
      "failedResource": "things/device1/sub",
      "errorMessage": "Failed to republish to topic. Received Server error. The error code is 403. Message arrived on: things/device1/pub, Topic: things/device1/sub"
    }
  ]
}
```
The rule works correctly, including the substitution template, but it seems that an additional permission is now required when using a substitution template. But I cannot find out what and how. I did some trial and error, but that led nowhere. I could find something in the documentation saying that an additional permission is indeed needed when using a substitution template, but I couldn't find how exactly.

A snippet of my current policy document:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Receive",
        "iot:Republish"
      ],
      "Resource": [
        "arn:aws:iot::topic/things/*/pub",
        "arn:aws:iot::topic/things/*/sub",
        "arn:aws:iot::topic/things/device1/sub",
        "arn:aws:iam::service-role/republish_generic_role2",
        "*"
      ]
    }
  ]
}
```

Can anyone tell me what exactly I have to do to solve this issue?

djAnton
Asked 3 years ago, 430 views
1 answer

After some more digging I was able to answer the question myself:

First of all, I came to the insight that the policy document that can be edited in the IoT Console handles the permissions of the client that connects to IoT Core, and not the permissions of other AWS resources.

I recreated the solution, but this time not by using the AWS Console, but by setting it up via the AWS CLI. That is quite verbose, but following the steps, it works after all. A few steps involve the creation of the role and policy to be added to the rule. When I create that policy and attach it to the already created republish rule with the substitution template, it works as well.
So it seems to me to be a bug in the AWS Console: it doesn't create a proper policy when a substitution template is used in the rule's destination topic.

djAnton
Answered 3 years ago
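As an added example (not the asker's code, nor AWS's own), here is what the role's trust policy, a least-privilege permissions policy and the rule payload for this republish rule look like, together with an offline check showing why a policy scoped to a single device topic is not enough once the destination uses a substitution template. The region and account ID are constructed placeholders; the function and variable names are this example's own.

```python
import json
import re

# Constructed placeholders: replace with your own region and account ID.
REGION = "eu-west-1"
ACCOUNT = "123456789012"

# Trust policy of the rule's role: lets the IoT rules engine assume it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "iot.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

def republish_policy(topic_pattern: str, error_topic: str) -> dict:
    """Permissions policy for the role: iot:Publish only on the topics the
    republish action and the error action can actually write to."""
    arn = f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/"
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "iot:Publish",
                           "Resource": [arn + topic_pattern, arn + error_topic]}]}

def topic_rule_payload(role_arn: str) -> dict:
    """Rule definition in the shape `aws iot create-topic-rule` expects."""
    return {
        "sql": "SELECT topic(2) as device_id, temperature FROM 'things/+/pub'",
        "actions": [{"republish": {"roleArn": role_arn,
                                   "topic": "things/${topic(2)}/sub"}}],
        "errorAction": {"republish": {"roleArn": role_arn, "topic": "error/2"}},
    }

def publish_allowed(policy: dict, topic: str) -> bool:
    """Offline check: does an Allow statement's resource cover this topic?
    Only the '*' resource wildcard is modelled; in IAM it matches any
    characters, including '/', so 'things/*/sub' also covers deeper topics."""
    target = f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/{topic}"
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Allow" or "iot:Publish" not in actions:
            continue
        for res in st["Resource"]:
            pattern = "^" + re.escape(res).replace(r"\*", ".*") + "$"
            if re.match(pattern, target):
                return True
    return False

if __name__ == "__main__":
    # Documents to pass to `aws iam create-role --assume-role-policy-document`,
    # `aws iam put-role-policy --policy-document` and `aws iot create-topic-rule`.
    print(json.dumps(TRUST_POLICY, indent=2))
    print(json.dumps(republish_policy("things/*/sub", "error/2"), indent=2))
    print(json.dumps(topic_rule_payload(f"arn:aws:iam::{ACCOUNT}:role/republish_role"), indent=2))
```

A policy that only lists things/device1/sub works for the fixed-topic rule but fails the check for any other device the ${topic(2)} template can produce, which is the situation behind the 403 above.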
