Restricting iot connect policy by combination of environment name and thing name #339

alonsnir · 2022-08-01T12:58:58Z

alonsnir
Aug 1, 2022

What I'm trying to do is to use lifecycle iot rules for identifying whether my device is online/offline.
The application is running in multiple environments and each has a rule with select statement for routing only relevant to the given environment (my-env) events like so:
SELECT * FROM '$aws/events/presence/disconnected/my-env/+

therefore client id must be my-env/thing name e.g. "my-env/thing1"

This works just fine, with a wild policy allowing all to connect, but the problem is that I cannot adjust the more restrict connect policy to work that way.

Here is the policy with my-env in it

Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
           "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/my-env/${iot:Connection.Thing.ThingName}"
           ]

which doesn't work and failing with:

'awscrt.exceptions.AwsCrtError: AWS_ERROR_MQTT_UNEXPECTED_HANGUP: The connection was closed unexpectedly.'

If I change it like below and I connect with client id same as thing name, without including my-env e.g. "my-env/thing1", it works, but brakes the lifecycle routing

"Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
            ]
        }
}

Could someone please suggest how to resolve this?

Answered by alonsnir

Aug 2, 2022

Ok, the answer was always there in the documentation (and even at the very top of the page)

When you're replacing thing names with thing policy variables, the value of clientId in the MQTT connect message or the TLS connection must exactly match the thing name.

So I cannot tight everything to the $ThingName and yet concat environment name into the clientid.

I guess what I will do is generate a policy for each certificate/thing and then instead of variables use static values (which are known at the time of creating and therefor will fit for the thing)

View full answer

alonsnir · 2022-08-02T09:35:18Z

alonsnir
Aug 2, 2022
Author

Ok, the answer was always there in the documentation (and even at the very top of the page)

When you're replacing thing names with thing policy variables, the value of clientId in the MQTT connect message or the TLS connection must exactly match the thing name.

So I cannot tight everything to the $ThingName and yet concat environment name into the clientid.

I guess what I will do is generate a policy for each certificate/thing and then instead of variables use static values (which are known at the time of creating and therefor will fit for the thing)

1 reply

jmklix Aug 2, 2022
Maintainer

You might be able to use some wildcard characters to give more flexibility while still having a limit to what you allow with the policy.

2023-12-01T20:09:29Z

github-actions[bot]
bot Dec 1, 2023

Hello! Reopening this discussion to make it searchable.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Restricting iot connect policy by combination of environment name and thing name #339

{{title}}

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{title}}

Select a reply

Restricting iot connect policy by combination of environment name and thing name #339

alonsnir Aug 1, 2022

Replies: 2 comments · 1 reply

alonsnir Aug 2, 2022 Author

jmklix Aug 2, 2022 Maintainer

github-actions[bot] bot Dec 1, 2023

alonsnir
Aug 1, 2022

Replies: 2 comments 1 reply

alonsnir
Aug 2, 2022
Author

jmklix Aug 2, 2022
Maintainer

github-actions[bot]
bot Dec 1, 2023