我一直在尝试将IoT主题的Publish / Receive权限限制为用户的Cognito ID。
在我的应用程序中,我正在创建类似于messenger/{cognitoUserId}的主题(例如messenger/us-east-1:fa610fd5-4fab-4511-834b-8f1198744efb)。
因此,在我的IAM政策中,我想指定只有主题中包含Cognito ID的用户才能拥有该主题的Publish / Receive权限。
这就是我的IAM政策目前的样子:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iot:Connect",
"mobileanalytics:PutEvents",
"cognito-sync:*"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"iot:Receive",
"iot:Publish"
],
"Resource": "arn:aws:iot:us-east-1:123456789:topic/messenger/${cognito-identity.amazonaws.com:sub}"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "iot:Subscribe",
"Resource": "arn:aws:iot:us-east-1:123456789:topicfilter/messenger/${cognito-identity.amazonaws.com:sub}"
},
{
"Effect": "Deny",
"Action": [
"iot:Receive",
"iot:Publish"
],
"Resource": "arn:aws:iot:us-east-1:123456789:topic/messenger/*",
"Condition": {"StringNotLike": {"iot:topicfilter": [
"messenger/${cognito-identity.amazonaws.com:sub}"
]}}
}
]
}
非常感谢任何帮助。我已经花了整整2天的时间深入研究AWS文档,博客文章以及其他内容。在我看来,这似乎是AWS IoT主题的正常,常规用例,但却很难做到。
答案 0 :(得分:0)
使用带有AWSIoT的cognito有两种情况:
注意:如果您未指定任何IoT策略,则所有内容都被视为拒绝,如果您使用经过身份验证的池身份识别身份,则似乎就是这种情况。
详情见于: https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html#pub-sub-policy-cognito http://docs.aws.amazon.com/iot/latest/developerguide/authorization.html
感兴趣的另一个类似帖子