I need to create a policy that only allows devices registered in IoT Core to connect, and that also allows the topics used for job subscriptions.
Currently I have a policy that looks like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:*",
            "Resource": "arn:aws:iot:ap-south-1:12345678912:topic/*"
        },
        {
            "Effect": "Allow",
            "Action": "iot:*",
            "Resource": "arn:aws:iot:ap-south-1:12345678912:client/${iot:Connection.Thing.ThingName}"
        }
    ]
}
On the device side, I am using the Python library, following the documentation at https://github.com/aws/aws-iot-device-sdk-python/blob/master/samples/jobs/jobsSample.py, to subscribe to jobs. Below is the sample code I use to subscribe to the topics present in the jobExecutionTopicType class; it sits in the thingsJobManager class.
self.awsIoTMQTTThingJobsClient.createJobSubscription(self.newJobReceived, jobExecutionTopicType.JOB_NOTIFY_NEXT_TOPIC)
self.awsIoTMQTTThingJobsClient.createJobSubscription(self.startNextJobSuccessfullyInProgress, jobExecutionTopicType.JOB_START_NEXT_TOPIC, jobExecutionTopicReplyType.JOB_ACCEPTED_REPLY_TYPE)
self.awsIoTMQTTThingJobsClient.createJobSubscription(self.startNextRejected, jobExecutionTopicType.JOB_START_NEXT_TOPIC, jobExecutionTopicReplyType.JOB_REJECTED_REPLY_TYPE)
The problem I am currently facing is that my device client cannot subscribe to the topic, and with the current policy configuration it gets AWSIoTExceptions.subscribeTimeoutException.
If I change the policy to
{
    "Effect": "Allow",
    "Action": "iot:*",
    "Resource": "arn:aws:iot:ap-south-1:12345678912:*"
}
then it can subscribe to the topics; however, this violates the device connection condition. It allows any device to connect to IoT Core.
Please help me create a policy that satisfies both conditions.
Thanks.
Avinash Deshmukh
Answer 0 (score: 0)
Resources in an IoT Core policy are client, topic, or topic filter ARNs. (https://docs.aws.amazon.com/iot/latest/developerguide/example-iot-policies-elements.html)
This means a topic example with a wildcard should be a topic filter. So the statement in that policy should be:
{
    "Effect": "Allow",
    "Action": "iot:*",
    "Resource": "arn:aws:iot:ap-south-1:12345678912:topicFilter/*"
},
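A complete least-privilege policy that combines the answer's topic-filter fix with the jobs topics the sample code subscribes to, as an added example that is not part of the answer. It keeps the region and sample account ID from the question, spells the resource type `topicfilter` in lowercase as the AWS developer guide does, and assumes each device connects with its registered thing name as the MQTT client ID so that ${iot:Connection.Thing.ThingName} resolves; the iot:Connection.Thing.IsAttached condition refuses connections whose certificate is not attached to a registered thing.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": "arn:aws:iot:ap-south-1:12345678912:client/${iot:Connection.Thing.ThingName}",
            "Condition": {
                "Bool": {
                    "iot:Connection.Thing.IsAttached": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": "arn:aws:iot:ap-south-1:12345678912:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Receive",
                "iot:Publish"
            ],
            "Resource": "arn:aws:iot:ap-south-1:12345678912:topic/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*"
        }
    ]
}
```

iot:Subscribe is authorized against the topicfilter resource, while iot:Receive and iot:Publish are authorized against the topic resource, which is why the question's topic/* statement alone never allowed the subscribe; scoping both to $aws/things/<thing name>/jobs/ keeps a device from subscribing to other things' job topics.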