Publish/subscribe policy examples - Amazon IoT Core


The policy you use depends on how you connect to Amazon IoT Core. You can connect to Amazon IoT Core by using an MQTT client, HTTP, or WebSocket. When you connect through an MQTT client, you authenticate with an X.509 certificate. When you connect over HTTP or WebSocket, you authenticate with Signature Version 4 and Amazon Cognito.

Policies for MQTT clients

MQTT and Amazon IoT Core policies use different wildcards, so they must be considered carefully. In MQTT, the wildcards + and # are used in an MQTT topic filter to subscribe to multiple topic names. Amazon IoT Core policies follow the same conventions as IAM policies and use * as the wildcard; the MQTT wildcards + and # are treated as literal strings. Therefore, to specify a wildcard in a topic name or topic filter in an Amazon IoT Core policy for MQTT clients, you must use *.

The following table shows the different wildcards used in MQTT and in Amazon IoT Core policies for MQTT clients.

Wildcard | Is an MQTT wildcard | Example in MQTT | Is an Amazon IoT Core policy wildcard | Example in Amazon IoT Core policies for MQTT clients
#        | Yes                 | some/#          | No                                    | Not applicable
+        | Yes                 | some/+/topic    | No                                    | Not applicable
*        | No                  | Not applicable  | Yes                                   | topicfilter/some/*/topic

To describe multiple topic names in the Resource attribute of a policy, use the * wildcard. The following policy allows a device to publish to all subtopics that begin with the same thing name.

Registered devices

For a device registered as a thing in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core with a client ID that matches the thing name, and to publish to any topic prefixed with the thing name:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/*" ]
    }
  ]
}
Unregistered devices

For a device that is not registered as a thing in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core with the client IDs client1, client2, and client3, and to publish to any topic prefixed with the client ID:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/client1",
        "arn:aws:iot:us-east-1:123456789012:client/client2",
        "arn:aws:iot:us-east-1:123456789012:client/client3"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:ClientId}/*" ]
    }
  ]
}

You can also use the * wildcard at the end of a topic filter. Using wildcards can grant unintended permissions, so use them only after careful consideration. One case where they are useful is when a device must subscribe to messages on many different topics (for example, a device that must subscribe to reports from temperature sensors in multiple locations).

Registered devices

For a device registered as a thing in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core using the device's thing name as the client ID, and to subscribe to topics prefixed with the thing name followed by room and any string. (For example, the topics are expected to be thing1/room1, thing1/room2, and so on):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/${iot:Connection.Thing.ThingName}/room*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Receive" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/room*" ]
    }
  ]
}
Unregistered devices

For a device that is not registered as a thing in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core with the client IDs client1, client2, and client3, and to subscribe to topics prefixed with the client ID followed by room and any string. (For example, the topics are expected to be client1/room1, client1/room2, and so on):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/client1",
        "arn:aws:iot:us-east-1:123456789012:client/client2",
        "arn:aws:iot:us-east-1:123456789012:client/client3"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/${iot:ClientId}/room*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Receive" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:ClientId}/room*" ]
    }
  ]
}

When you specify a topic filter in an Amazon IoT Core policy for MQTT clients, the MQTT wildcards + and # are treated as literal characters. Using them can lead to unexpected behavior.

Registered devices

For a device registered as a thing in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core with a client ID that matches the thing name, and to subscribe only to the topic filter some/+/topic. The topicfilter/some/+/topic in the resource ARN specifies that + is treated as a literal string in Amazon IoT Core policies for MQTT clients, which means that only the string some/+/topic matches the topic filter.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/some/+/topic" ]
    }
  ]
}

For a device registered as a thing in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core with a client ID that matches the thing name, and to subscribe only to the topic filter some/*/topic. The topicfilter/some/*/topic in the resource ARN specifies that * is treated as a wildcard in Amazon IoT Core policies for MQTT clients, which means that any string in the level containing that character matches the topic filter. (For example, the topics may be some/string1/topic, some/string2/topic, and so on.)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/some/*/topic" ]
    }
  ]
}
Unregistered devices

For a device that is not registered as a thing in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core with the client ID client1, and to subscribe only to the topic filter some/+/topic. The topicfilter/some/+/topic in the resource ARN specifies that + is treated as a literal string in Amazon IoT Core policies for MQTT clients, which means that only the string some/+/topic matches the topic filter.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/some/+/topic" ]
    }
  ]
}

For a device that is not registered as a thing in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core with the client ID client1, and to subscribe only to the topic filter some/*/topic. The topicfilter/some/*/topic in the resource ARN specifies that * is treated as a wildcard in Amazon IoT Core policies for MQTT clients, which means that any string in the level containing that character matches the topic filter. (For example, the topics may be some/string1/topic, some/string2/topic, and so on.)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/some/*/topic" ]
    }
  ]
}
Note

The MQTT wildcards + and # are treated as literal strings in Amazon IoT Core policies for MQTT clients. To specify wildcards in topic names and topic filters in an Amazon IoT Core policy for MQTT clients, you must use *.

Registered devices

For a device registered as a thing in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core using the device's thing name as the client ID, and to subscribe to the topics my/topic and my/othertopic:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topicfilter/my/topic",
        "arn:aws:iot:us-east-1:123456789012:topicfilter/my/othertopic"
      ]
    }
  ]
}
Unregistered devices

For a device that is not registered as a thing in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core with the client ID client1, and to subscribe to the topics my/topic and my/othertopic:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topicfilter/my/topic",
        "arn:aws:iot:us-east-1:123456789012:topicfilter/my/othertopic"
      ]
    }
  ]
}
Registered devices

For a device registered as a thing in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core using the device's thing name as the client ID, and to publish to a topic that is unique to that thing name/client ID:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/my/topic/${iot:Thing.ThingName}" ]
    }
  ]
}
Unregistered devices

For a device that is not registered as a thing in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core with the client ID client1, and to publish to a topic that is unique to that client ID:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/my/topic/${iot:ClientId}" ]
    }
  ]
}
Registered devices

For a device registered as a thing in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core using the device's thing name as the client ID, and to publish to any topic prefixed with that thing name or client ID, except topics ending in bar:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:Thing.ThingName}/*" ]
    },
    {
      "Effect": "Deny",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:Thing.ThingName}/bar" ]
    }
  ]
}
Unregistered devices

For a device that is not registered as a thing in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core with the client IDs client1 and client2, and to publish to any topic prefixed with the client ID used to connect, except topics ending in bar:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/client1",
        "arn:aws:iot:us-east-1:123456789012:client/client2"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:ClientId}/*" ]
    },
    {
      "Effect": "Deny",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:ClientId}/bar" ]
    }
  ]
}
Registered devices

For a device registered as a thing in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core using the device's thing name as the client ID. The device can subscribe to the topic my/topic, but it cannot publish to thing-name/bar, where thing-name is the name of the IoT thing connecting to Amazon IoT Core:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/my/topic" ]
    },
    {
      "Effect": "Deny",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:Thing.ThingName}/bar" ]
    }
  ]
}
Unregistered devices

For a device that is not registered as a thing in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core with the client ID client1, and to subscribe to the topic my/topic:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/my/topic" ]
    }
  ]
}

Thing policy variables are also substituted when a certificate or an authenticated Amazon Cognito identity is attached to a thing. The following policy grants permission to connect to Amazon IoT Core with the client ID client1, and to publish to and receive from the topic iotmonitor/provisioning/987654321098. It also allows the certificate holder to subscribe to this topic.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish", "iot:Receive" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/iotmonitor/provisioning/987654321098" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/iotmonitor/provisioning/987654321098" ]
    }
  ]
}

Policies for HTTP and WebSocket clients

Amazon Cognito identities can be authenticated or unauthenticated. Authenticated identities belong to users who have authenticated through any supported identity provider. Unauthenticated identities typically belong to guest users who have not authenticated with an identity provider. Amazon Cognito provides a unique identifier and Amazon credentials to support unauthenticated identities.

For the following operations, Amazon IoT Core uses the Amazon IoT Core policy attached to the Amazon Cognito identity (through the AttachPolicy API) to scope down the permissions attached to the Amazon Cognito identity pool for authenticated identities.

  • iot:Connect

  • iot:Publish

  • iot:Subscribe

  • iot:Receive

  • iot:GetThingShadow

  • iot:UpdateThingShadow

  • iot:DeleteThingShadow

This means that an Amazon Cognito identity needs permission from both the IAM role policy attached to the pool and the Amazon IoT Core policy attached to the Amazon Cognito identity through the Amazon IoT Core AttachPolicy API.

Authenticated and unauthenticated users are different identity types. If you don't attach an Amazon IoT policy to the Amazon Cognito identity, an authenticated user is not authorized in Amazon IoT and has no access to Amazon IoT resources and operations.

Note

For other Amazon IoT Core operations, or for unauthenticated identities, Amazon IoT Core does not scope down the permissions attached to the Amazon Cognito identity pool role. For both authenticated and unauthenticated identities, this is the most permissive policy that we recommend attaching to an Amazon Cognito pool role.

HTTP

To allow unauthenticated Amazon Cognito identities to publish messages over HTTP to a topic specific to the Amazon Cognito identity, attach the following policy to the Amazon Cognito identity pool role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${cognito-identity.amazonaws.com:sub}" ]
    }
  ]
}

To allow authenticated users to do this, attach the previous policy to the Amazon Cognito identity pool role and, using the Amazon IoT Core AttachPolicy API, to the Amazon Cognito identity.

Note

When authorizing an Amazon Cognito identity, Amazon IoT Core considers both policies and grants the least privilege specified. An operation is allowed only if both policies allow the requested operation. If either policy disallows an operation, that operation is unauthorized.

MQTT

To allow unauthenticated Amazon Cognito identities to publish MQTT messages over WebSocket to a topic specific to the Amazon Cognito identity in the account, attach the following IAM policy to the Amazon Cognito identity pool role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${cognito-identity.amazonaws.com:sub}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${cognito-identity.amazonaws.com:sub}" ]
    }
  ]
}

To allow authenticated users to do this, attach the previous policy to the Amazon Cognito identity pool role and, using the Amazon IoT Core AttachPolicy API, to the Amazon Cognito identity.

Note

When authorizing an Amazon Cognito identity, Amazon IoT Core considers both policies and grants the least privilege specified. An operation is allowed only if both policies allow the requested operation. If either policy disallows an operation, that operation is unauthorized.
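The wildcard rules for MQTT clients, the explicit Deny in the examples that exclude topics ending in bar, and the two-policy rule for Amazon Cognito identities can all be checked offline with the following toy evaluator. It is an added illustration written for this page, not AWS's policy engine: it assumes IAM-style matching in which * spans any characters while + and # are literal, that an explicit Deny overrides any Allow, and that a policy variable with no value for the connection makes its statement unmatchable; the ARN prefix and the three policies are constructed samples modelled on the examples above.

```python
import re
ARN = "arn:aws:iot:us-east-1:123456789012:"  # account/region prefix used on this page

def substitute(resource, variables):
    """Expand ${...} policy variables. An unresolved variable (a thing variable on an
    unregistered device, for example) makes the statement unmatchable (assumption)."""
    def repl(match):
        value = variables.get(match.group(1))
        if value is None:
            raise KeyError(match.group(1))
        return value
    try:
        return re.sub(r"\$\{([^}]+)\}", repl, resource)
    except KeyError:
        return None

def pattern_matches(pattern, value):
    """'*' matches any run of characters (IAM style); '+' and '#' are literal."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None

def is_allowed(policy, action, resource, variables):
    """Default deny; an explicit Deny beats any Allow (assumed IAM-style evaluation)."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(pattern_matches(a, action) for a in actions):
            continue
        for pat in resources:
            concrete = substitute(pat, variables)
            if concrete is not None and pattern_matches(concrete, resource):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

def cognito_allowed(role_policy, iot_policy, action, resource, variables):
    """Scoped-down actions need both the pool role policy and the attached policy to allow."""
    return (is_allowed(role_policy, action, resource, variables)
            and is_allowed(iot_policy, action, resource, variables))

# Constructed policies mirroring this page's deny-bar and '+' versus '*' examples.
DENY_BAR = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Publish"], "Resource": [ARN + "topic/${iot:Thing.ThingName}/*"]},
    {"Effect": "Deny", "Action": ["iot:Publish"], "Resource": [ARN + "topic/${iot:Thing.ThingName}/bar"]}]}
SUB_PLUS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Subscribe"], "Resource": [ARN + "topicfilter/some/+/topic"]}]}
SUB_STAR = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Subscribe"], "Resource": [ARN + "topicfilter/some/*/topic"]}]}
```

Running the unregistered-device case (only iot:ClientId set) against DENY_BAR shows why a thing variable silently grants nothing when the device has no thing attached.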

Receive policy examples

Registered devices

For a device registered in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core with a client ID that matches the thing name, and to subscribe to and receive messages on the topic my/topic:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/my/topic" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Receive" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/my/topic" ]
    }
  ]
}
Unregistered devices

For a device that is not registered in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core with the client ID client1, and to subscribe to and receive messages on the topic my/topic:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/my/topic" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Receive" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/my/topic" ]
    }
  ]
}