如何允许设备中"iot:Publish"的所有作业,而不是特定的作业名称?
我不知道允许通配符+或*"iot:Publish"的作业更新主题。
但我可以将其用于"iot:Subscribe"和"iot:Receive"。
AWS IoT 策略:
对于"物联网:发布">
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:Publish",
"Resource": [
"arn:aws:iot:xxx:xxx:topic/$aws/things/${iot:ClientId}/jobs/start-next",
"arn:aws:iot:xxx:xxx:topic/$aws/things/${iot:ClientId}/jobs/ota-20190401/update" <- (A)allow publishing
"arn:aws:iot:xxx:xxx:topic/$aws/things/${iot:ClientId}/jobs/+/update" <- (B)not allow publishing
]
}
]
}
对于"物联网:订阅">
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:Subscribe",
"Resource": [
"arn:aws:iot:xxx:xxx:topicfilter/$aws/things/${iot:ClientId}/jobs/notify-next",
"arn:aws:iot:xxx:xxx:topicfilter/$aws/things/${iot:ClientId}/jobs/start-next/accepted",
"arn:aws:iot:xxx:xxx:topicfilter/$aws/things/${iot:ClientId}/jobs/start-next/rejected",
"arn:aws:iot:xxx:xxx:topicfilter/$aws/things/${iot:ClientId}/jobs/+/update/accepted", <- allow subscribing
"arn:aws:iot:xxx:xxx:topicfilter/$aws/things/${iot:ClientId}/jobs/+/update/rejected" <- allow subscribing
]
}
]
}
我在我的设备上得到了AWSIoTPythonSDK.exception.AWSIoTExceptions.publishTimeoutException,以防(B(policy。
根据 https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html,"+"或"#"被视为文字字符。 您可以使用"*"作为通配符,但请注意,"*"将匹配主题中的任何字符(字母、数字、斜杠等(。