Problem description
I created the policy below to restrict which ClientIDs an MQTT client is allowed to connect with. It should be limited to one hard-coded ClientID, "test", and a ClientID that is the name of an AWS Thing. Using the AWS Thing name works, but my hard-coded "test" ClientId does not work?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "iot:Connection.Thing.IsAttached": ["true"]
        },
        "ForAnyValue:StringEquals": {
          "iot:ClientId": ["test", "${iot:Connection.Thing.ThingName}"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:us-east-1:xxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-1:xxx:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:us-east-1:xxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/*"
    }
  ]
}
Solution
Since you set "iot:Connection.Thing.IsAttached": ["true"], I believe a thing with the name test needs to be registered in the thing registry with a principal attached to it.
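To make the answer's reasoning concrete, here is an added example (not code from the question, the answer, or AWS) that models locally how the iot:Connect statement above is evaluated. The way it resolves iot:Connection.Thing.ThingName and iot:Connection.Thing.IsAttached is a simplified model of AWS IoT's documented behaviour, and the thing registry and certificate ids are constructed sample data; the Connect statement itself is the one from the question.

```python
"""Local model of the iot:Connect statement from the question (added example).

Assumption (simplified AWS IoT behaviour): on MQTT CONNECT the broker looks up a
registered thing whose name equals the client ID. ThingName resolves to that
client ID and IsAttached resolves to "true" only when the thing exists and the
connecting principal (certificate) is attached to it; otherwise ThingName is
empty and IsAttached is "false".
"""
import re

# Constructed sample registry: thing name -> set of attached principal (certificate) ids
REGISTRY = {
    "sensor-01": {"cert-aaa"},
}

# The iot:Connect statement from the policy in the question
CONNECT_STATEMENT = {
    "Effect": "Allow",
    "Action": "iot:Connect",
    "Resource": "*",
    "Condition": {
        "Bool": {"iot:Connection.Thing.IsAttached": ["true"]},
        "ForAnyValue:StringEquals": {
            "iot:ClientId": ["test", "${iot:Connection.Thing.ThingName}"]
        },
    },
}


def resolve_context(client_id, principal, registry):
    """Build the policy-variable context for one CONNECT (modelled resolution rules)."""
    attached = principal in registry.get(client_id, set())
    return {
        "iot:ClientId": client_id,
        "iot:Connection.Thing.ThingName": client_id if attached else "",
        "iot:Connection.Thing.IsAttached": "true" if attached else "false",
    }


def substitute(value, context):
    """Replace ${var} policy variables with their context values (empty string if unset)."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), ""), value)


def failed_conditions(condition, context):
    """Return the (operator, key) pairs that reject this context.

    Only the two operators used by the statement are modelled. For a
    single-valued key such as iot:ClientId, ForAnyValue:StringEquals reduces to
    "the actual value is one of the listed values".
    """
    failures = []
    for operator, keys in condition.items():
        if operator not in ("Bool", "ForAnyValue:StringEquals"):
            raise ValueError(f"unsupported operator {operator}")
        for key, allowed in keys.items():
            actual = context.get(key, "")
            resolved = [substitute(v, context) for v in allowed]
            if actual not in resolved:
                failures.append((operator, key))
    return failures


def diagnose(client_id, principal, registry=REGISTRY, statement=CONNECT_STATEMENT):
    """Evaluate the Connect statement for one client and report which conditions failed."""
    context = resolve_context(client_id, principal, registry)
    return failed_conditions(statement["Condition"], context)


def connect_allowed(client_id, principal, registry=REGISTRY, statement=CONNECT_STATEMENT):
    return not diagnose(client_id, principal, registry, statement)


if __name__ == "__main__":
    # Registered thing connecting with its own certificate: allowed.
    print("sensor-01/cert-aaa:", connect_allowed("sensor-01", "cert-aaa"))
    # Hard-coded "test": the ClientId match succeeds, but IsAttached is false
    # because no thing named "test" is attached to cert-aaa, so Connect is denied.
    print("test/cert-aaa:", diagnose("test", "cert-aaa"))
    # Register a thing named "test" and attach the certificate: now allowed.
    fixed = {**REGISTRY, "test": {"cert-aaa"}}
    print("test/cert-aaa after registering:", connect_allowed("test", "cert-aaa", fixed))
```

The diagnosis for "test" shows that only the Bool condition on iot:Connection.Thing.IsAttached fails, which is exactly the answer's point: the ForAnyValue:StringEquals match on the literal "test" is fine, but the AND-ed IsAttached condition can only be true for a client ID that names a registered thing attached to the connecting certificate. Against a real account the equivalent check is the AWS CLI's aws iot describe-thing --thing-name test and aws iot list-thing-principals --thing-name test, where the latter must list the certificate the client connects with.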