How to use AWS IoT policy wildcards with job resources for iot:Publish

Time: 2019-04-01 05:53:47

Tags: aws-iot

How can I allow "iot:Publish" for all jobs (rather than for a specific job name) from my device?

I don't know of a wildcard (+ or *) for jobs that would allow "iot:Publish" for update.

But I can use it for "iot:Subscribe" and "iot:Receive".

AWS IoT policy:

"iot:Publish"

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": [
        "arn:aws:iot:xxx:xxx:topic/$aws/things/${iot:ClientId}/jobs/start-next",
        "arn:aws:iot:xxx:xxx:topic/$aws/things/${iot:ClientId}/jobs/ota-20190401/update",  <- (A) allows publishing
        "arn:aws:iot:xxx:xxx:topic/$aws/things/${iot:ClientId}/jobs/+/update"  <- (B) does not allow publishing
      ]
    }
  ]
}

"iot:Subscribe"

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": [
        "arn:aws:iot:xxx:xxx:topicfilter/$aws/things/${iot:ClientId}/jobs/notify-next",
        "arn:aws:iot:xxx:xxx:topicfilter/$aws/things/${iot:ClientId}/jobs/start-next/accepted",
        "arn:aws:iot:xxx:xxx:topicfilter/$aws/things/${iot:ClientId}/jobs/start-next/rejected",
        "arn:aws:iot:xxx:xxx:topicfilter/$aws/things/${iot:ClientId}/jobs/+/update/accepted",  <- allows subscribing
        "arn:aws:iot:xxx:xxx:topicfilter/$aws/things/${iot:ClientId}/jobs/+/update/rejected"  <- allows subscribing
      ]
    }
  ]
}

With policy (B), I get AWSIoTPythonSDK.exception.AWSIoTExceptions.publishTimeoutException on my device.

1 answer:

Answer 0 (score: 0)

According to https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html, '+' or '#' are treated as literal characters. You can use '*' as a wildcard, but note that '*' will match any characters in the topic (letters, digits, slashes, etc.).
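The following is an added illustration of the difference the answer describes, written here for this page; it is not code from the questioner or the answerer and it is not the AWS policy engine. It models just the two rules the answer states: in a policy resource ARN, '*' matches any run of characters (slashes included) while '+' and '#' are literal; on the MQTT side, '+' matches exactly one topic level. The ARN region and account, the client id "dev-01" and the job ids are constructed placeholders, and only Allow statements are evaluated (Deny statements and other policy features are deliberately not modelled).

```python
import re
from typing import Dict, List, Union

# Constructed placeholder ARN prefix (region and account are not real values).
ARN_PREFIX = "arn:aws:iot:us-east-1:123456789012:"


def policy_resource_to_regex(resource: str, client_id: str) -> "re.Pattern[str]":
    """Translate a policy resource ARN into a regex using the rules from the answer:
    '*' matches any characters (including '/'); '+' and '#' are literal.
    The policy variable ${iot:ClientId} is replaced with the connecting client id."""
    resolved = resource.replace("${iot:ClientId}", client_id)
    body = "".join(".*" if ch == "*" else re.escape(ch) for ch in resolved)
    return re.compile(f"^{body}$")


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def policy_allows(policy: Dict, action: str, resource_arn: str, client_id: str) -> bool:
    """True if some Allow statement for `action` has a resource matching `resource_arn`.
    Simplified model: Deny statements are ignored."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or action not in _as_list(stmt["Action"]):
            continue
        for res in _as_list(stmt["Resource"]):
            if policy_resource_to_regex(res, client_id).match(resource_arn):
                return True
    return False


def publish_allowed(policy: Dict, client_id: str, topic: str) -> bool:
    # iot:Publish is checked against the concrete topic the device publishes to.
    return policy_allows(policy, "iot:Publish", ARN_PREFIX + "topic/" + topic, client_id)


def subscribe_allowed(policy: Dict, client_id: str, topic_filter: str) -> bool:
    # iot:Subscribe is checked against the filter string itself, so a literal '+'
    # in the policy matches a literal '+' in the subscription. That is why the
    # questioner's Subscribe policy works while the Publish one does not.
    return policy_allows(policy, "iot:Subscribe", ARN_PREFIX + "topicfilter/" + topic_filter, client_id)


def mqtt_filter_matches(topic_filter: str, topic: str) -> bool:
    """MQTT subscription matching: '+' is one level, a trailing '#' is all remaining levels."""
    f_parts, t_parts = topic_filter.split("/"), topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return i == len(f_parts) - 1
        if i >= len(t_parts) or (part != "+" and part != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)


def _publish_policy(job_segment: str) -> Dict:
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "iot:Publish",
            "Resource": [
                ARN_PREFIX + "topic/$aws/things/${iot:ClientId}/jobs/start-next",
                ARN_PREFIX + "topic/$aws/things/${iot:ClientId}/jobs/" + job_segment + "/update",
            ],
        }],
    }


POLICY_PLUS = _publish_policy("+")   # the questioner's (B) form
POLICY_STAR = _publish_policy("*")   # the form the answer suggests

POLICY_SUB = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "iot:Subscribe",
        "Resource": [ARN_PREFIX + "topicfilter/$aws/things/${iot:ClientId}/jobs/+/update/accepted"],
    }],
}

JOB_TOPIC = "$aws/things/dev-01/jobs/ota-20190401/update"

if __name__ == "__main__":
    print("(B) '+' policy, real job id:", publish_allowed(POLICY_PLUS, "dev-01", JOB_TOPIC))
    print("'*' policy, real job id:    ", publish_allowed(POLICY_STAR, "dev-01", JOB_TOPIC))
    print("'*' crosses slashes too:    ", publish_allowed(POLICY_STAR, "dev-01", "$aws/things/dev-01/jobs/a/b/update"))
```

The last line is the caveat from the answer: because '*' also matches '/', `jobs/*/update` authorizes more topic shapes than `jobs/+/update` would suggest, so the resource should be kept as specific as the job topic layout allows, and `${iot:ClientId}` keeps each device scoped to its own topic tree.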