本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 如何 Amazon IoT 与 IAM 配合使用
在使用 IAM 管理访问权限之前 Amazon IoT,您应该了解哪些 IAM 功能可供使用 Amazon IoT。要全面了解如何 Amazon IoT 和其他 Amazon 服务与 IAM 配合使用,请参阅 IAM *用户指南中的与 IAM* [配合使用的Amazon 服务](https://docs.amazonaws.cn/service-authorization/latest/reference/reference_aws-services-that-work-with-iam.html)。
**Topics**
+ [Amazon IoT 基于身份的策略](#security_iam_service-with-iam-id-based-policies)
+ [Amazon IoT 基于资源的政策](#security_iam_service-with-iam-resource-based-policies)
+ [基于 Amazon IoT 标签的授权](#security_iam_service-with-iam-tags)
+ [Amazon IoT IAM 角色](#security_iam_service-with-iam-roles)
## Amazon IoT 基于身份的策略
使用 IAM 基于身份的策略,您可以指定允许或拒绝的操作和资源,以及指定在什么条件下允许或拒绝操作。 Amazon IoT 支持特定操作、资源和条件键。要了解在 JSON 策略中使用的所有元素,请参阅《IAM 用户指南》** 中的 [IAM JSON 策略元素参考](https://docs.amazonaws.cn/service-authorization/latest/reference/reference_policies_elements.html)。
### 操作
管理员可以使用 Amazon JSON 策略来指定谁有权访问什么。也就是说,哪个**主体**可以对什么**资源**执行**操作**,以及在什么**条件**下执行。
JSON 策略的 `Action` 元素描述可用于在策略中允许或拒绝访问的操作。在策略中包含操作以授予执行关联操作的权限。
下表列出了 IAM 物联网操作、关联 Amazon IoT 的 API 以及该操作所操纵的资源。
****
| 策略操作 | Amazon IoT API | 资源 |
| --- | --- | --- |
| 物联网:AcceptCertificateTransfer | AcceptCertificateTransfer | `arn:aws:iot:region:account-id:cert/cert-id` ARN 中 Amazon Web Services 账户 指定的必须是证书要转移到的账户。 |
| 物联网:AddThingToThingGroup | AddThingToThingGroup | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` `arn:aws:iot:region:account-id:thing/thing-name` |
| 物联网:AssociateTargetsWithJob | AssociateTargetsWithJob | none |
| 物联网:AttachPolicy | AttachPolicy | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` 或者 `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:AttachPrincipalPolicy | AttachPrincipalPolicy | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:AttachSecurityProfile | AttachSecurityProfile | `arn:aws:iot:region:account-id:securityprofile/security-profile-name` `arn:aws:iot:region:account-id:dimension/dimension-name` |
| 物联网:AttachThingPrincipal | AttachThingPrincipal | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:CancelCertificateTransfer | CancelCertificateTransfer | `arn:aws:iot:region:account-id:cert/cert-id` ARN 中 Amazon Web Services 账户 指定的必须是证书要转移到的账户。 |
| 物联网:CancelJob | CancelJob | `arn:aws:iot:region:account-id:job/job-id` |
| 物联网:CancelJobExecution | CancelJobExecution | `arn:aws:iot:region:account-id:job/job-id` `arn:aws:iot:region:account-id:thing/thing-name` |
| 物联网:ClearDefaultAuthorizer | ClearDefaultAuthorizer | 无 |
| 物联网:CreateAuthorizer | CreateAuthorizer | `arn:aws:iot:region:account-id:authorizer/authorizer-function-name` |
| 物联网:CreateCertificateFromCsr | CreateCertificateFromCsr | \$1 |
| 物联网:CreateDimension | CreateDimension | `arn:aws:iot:region:account-id:dimension/dimension-name` |
| 物联网:CreateJob | CreateJob | `arn:aws:iot:region:account-id:job/job-id` `arn:aws:iot:region:account-id:thinggroup/thing-group-name` `arn:aws:iot:region:account-id:thing/thing-name` `arn:aws:iot:region:account-id:jobtemplate/job-template-id` |
| 物联网:CreateJobTemplate | CreateJobTemplate | `arn:aws:iot:region:account-id:job/job-id` `arn:aws:iot:region:account-id:jobtemplate/job-template-id` |
| 物联网:CreateKeysAndCertificate | CreateKeysAndCertificate | \$1 |
| 物联网:CreatePolicy | CreatePolicy | `arn:aws:iot:region:account-id:policy/policy-name` |
| 物联网:CreatePolicyVersion | CreatePolicyVersion | `arn:aws:iot:region:account-id:policy/policy-name` 这必须是 Amazon IoT 策略,而不是 IAM 策略。 |
| 物联网:CreateRoleAlias | CreateRoleAlias | (参数:roleAlias) `arn:aws:iot:region:account-id:rolealias/role-alias-name` |
| 物联网:CreateSecurityProfile | CreateSecurityProfile | `arn:aws:iot:region:account-id:securityprofile/security-profile-name` `arn:aws:iot:region:account-id:dimension/dimension-name` |
| 物联网:CreateThing | CreateThing | `arn:aws:iot:region:account-id:thing/thing-name` |
| 物联网:CreateThingGroup | CreateThingGroup | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` 针对要创建的组和父组 (如果使用) |
| 物联网:CreateThingType | CreateThingType | `arn:aws:iot:region:account-id:thingtype/thing-type-name` |
| 物联网:CreateTopicRule | CreateTopicRule | `arn:aws:iot:region:account-id:rule/rule-name` |
| 物联网:DeleteAuthorizer | DeleteAuthorizer | `arn:aws:iot:region:account-id:authorizer/authorizer-name` |
| 物联网:删除 CACertificate | 删除 CACertificate | `arn:aws:iot:region:account-id:cacert/cert-id` |
| 物联网:DeleteCertificate | DeleteCertificate | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:DeleteDimension | DeleteDimension | `arn:aws:iot:region:account-id:dimension/dimension-name` |
| 物联网:DeleteJob | DeleteJob | `arn:aws:iot:region:account-id:job/job-id` |
| 物联网:DeleteJobTemplate | DeleteJobTemplate | `arn:aws:iot:region:account-id:job/job-template-id` |
| 物联网:DeleteJobExecution | DeleteJobExecution | `arn:aws:iot:region:account-id:job/job-id` `arn:aws:iot:region:account-id:thing/thing-name` |
| 物联网:DeletePolicy | DeletePolicy | `arn:aws:iot:region:account-id:policy/policy-name` |
| 物联网:DeletePolicyVersion | DeletePolicyVersion | `arn:aws:iot:region:account-id:policy/policy-name` |
| 物联网:DeleteRegistrationCode | DeleteRegistrationCode | \$1 |
| 物联网:DeleteRoleAlias | DeleteRoleAlias | `arn:aws:iot:region:account-id:rolealias/role-alias-name` |
| 物联网:DeleteSecurityProfile | DeleteSecurityProfile | `arn:aws:iot:region:account-id:securityprofile/security-profile-name` `arn:aws:iot:region:account-id:dimension/dimension-name` |
| 物联网:DeleteThing | DeleteThing | `arn:aws:iot:region:account-id:thing/thing-name` |
| 物联网:DeleteThingGroup | DeleteThingGroup | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` |
| 物联网:DeleteThingType | DeleteThingType | `arn:aws:iot:region:account-id:thingtype/thing-type-name` |
| 物联网:DeleteTopicRule | DeleteTopicRule | `arn:aws:iot:region:account-id:rule/rule-name` |
| 物联网:deletev2 LoggingLevel | deleteV2 LoggingLevel | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` |
| 物联网:DeprecateThingType | DeprecateThingType | `arn:aws:iot:region:account-id:thingtype/thing-type-name` |
| 物联网:DescribeAuthorizer | DescribeAuthorizer | `arn:aws:iot:region:account-id:authorizer/authorizer-function-name` (参数:authorizerName) none |
| 物联网:描述 CACertificate | 描述 CACertificate | `arn:aws:iot:region:account-id:cacert/cert-id` |
| 物联网:DescribeCertificate | DescribeCertificate | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:DescribeDefaultAuthorizer | DescribeDefaultAuthorizer | 无 |
| 物联网:DescribeEndpoint | DescribeEndpoint | \$1 |
| 物联网:DescribeEventConfigurations | DescribeEventConfigurations | none |
| 物联网:DescribeIndex | DescribeIndex | `arn:aws:iot:region:account-id:index/index-name` |
| 物联网:DescribeJob | DescribeJob | `arn:aws:iot:region:account-id:job/job-id` |
| 物联网:DescribeJobExecution | DescribeJobExecution | 无 |
| 物联网:DescribeJobTemplate | DescribeJobTemplate | `arn:aws:iot:region:account-id:job/job-template-id` |
| 物联网:DescribeRoleAlias | DescribeRoleAlias | `arn:aws:iot:region:account-id:rolealias/role-alias-name` |
| 物联网:DescribeThing | DescribeThing | `arn:aws:iot:region:account-id:thing/thing-name` |
| 物联网:DescribeThingGroup | DescribeThingGroup | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` |
| 物联网:DescribeThingRegistrationTask | DescribeThingRegistrationTask | 无 |
| 物联网:DescribeThingType | DescribeThingType | `arn:aws:iot:region:account-id:thingtype/thing-type-name` |
| 物联网:DetachPolicy | DetachPolicy | `arn:aws:iot:region:account-id:cert/cert-id` 或者 `arn:aws:iot:region:account-id:thinggroup/thing-group-name` |
| 物联网:DetachPrincipalPolicy | DetachPrincipalPolicy | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:DetachSecurityProfile | DetachSecurityProfile | `arn:aws:iot:region:account-id:securityprofile/security-profile-name` `arn:aws:iot:region:account-id:dimension/dimension-name` |
| 物联网:DetachThingPrincipal | DetachThingPrincipal | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:DisableTopicRule | DisableTopicRule | `arn:aws:iot:region:account-id:rule/rule-name` |
| 物联网:EnableTopicRule | EnableTopicRule | `arn:aws:iot:region:account-id:rule/rule-name` |
| 物联网:GetEffectivePolicies | GetEffectivePolicies | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:GetIndexingConfiguration | GetIndexingConfiguration | 无 |
| 物联网:GetJobDocument | GetJobDocument | `arn:aws:iot:region:account-id:job/job-id` |
| 物联网:GetLoggingOptions | GetLoggingOptions | \$1 |
| 物联网:GetPolicy | GetPolicy | `arn:aws:iot:region:account-id:policy/policy-name` |
| 物联网:GetPolicyVersion | GetPolicyVersion | `arn:aws:iot:region:account-id:policy/policy-name` |
| 物联网:GetRegistrationCode | GetRegistrationCode | \$1 |
| 物联网:GetTopicRule | GetTopicRule | `arn:aws:iot:region:account-id:rule/rule-name` |
| 物联网:ListAttachedPolicies | ListAttachedPolicies | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` 或者 `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:ListAuthorizers | ListAuthorizers | 无 |
| 物联网:列表 CACertificates | 名单 CACertificates | \$1 |
| 物联网:ListCertificates | ListCertificates | \$1 |
| 物联网:ListCertificatesByCA | ListCertificatesByCA | \$1 |
| 物联网:ListIndices | ListIndices | 无 |
| 物联网:ListJobExecutionsForJob | ListJobExecutionsForJob | 无 |
| 物联网:ListJobExecutionsForThing | ListJobExecutionsForThing | 无 |
| 物联网:ListJobs | ListJobs | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` 如果使用 thingGroupName 参数 |
| 物联网:ListJobTemplates | ListJobs | 无 |
| 物联网:ListOutgoingCertificates | ListOutgoingCertificates | \$1 |
| 物联网:ListPolicies | ListPolicies | \$1 |
| 物联网:ListPolicyPrincipals | ListPolicyPrincipals | \$1 |
| 物联网:ListPolicyVersions | ListPolicyVersions | `arn:aws:iot:region:account-id:policy/policy-name` |
| 物联网:ListPrincipalPolicies | ListPrincipalPolicies | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:ListPrincipalThings | ListPrincipalThings | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:ListRoleAliases | ListRoleAliases | 无 |
| 物联网:ListTargetsForPolicy | ListTargetsForPolicy | `arn:aws:iot:region:account-id:policy/policy-name` |
| 物联网:ListThingGroups | ListThingGroups | 无 |
| 物联网:ListThingGroupsForThing | ListThingGroupsForThing | `arn:aws:iot:region:account-id:thing/thing-name` |
| 物联网:ListThingPrincipals | ListThingPrincipals | `arn:aws:iot:region:account-id:thing/thing-name` |
| 物联网:ListThingRegistrationTaskReports | ListThingRegistrationTaskReports | 无 |
| 物联网:ListThingRegistrationTasks | ListThingRegistrationTasks | 无 |
| 物联网:ListThingTypes | ListThingTypes | \$1 |
| 物联网:ListThings | ListThings | \$1 |
| 物联网:ListThingsInThingGroup | ListThingsInThingGroup | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` |
| 物联网:ListTopicRules | ListTopicRules | \$1 |
| IoT: listv2 LoggingLevels | Listv2 LoggingLevels | 无 |
| 物联网:注册 CACertificate | 注册 CACertificate | \$1 |
| 物联网:RegisterCertificate | RegisterCertificate | \$1 |
| 物联网:RegisterThing | RegisterThing | 无 |
| 物联网:RejectCertificateTransfer | RejectCertificateTransfer | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:RemoveThingFromThingGroup | RemoveThingFromThingGroup | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` `arn:aws:iot:region:account-id:thing/thing-name` |
| 物联网:ReplaceTopicRule | ReplaceTopicRule | `arn:aws:iot:region:account-id:rule/rule-name` |
| 物联网:SearchIndex | SearchIndex | `arn:aws:iot:region:account-id:index/index-id` |
| 物联网:SetDefaultAuthorizer | SetDefaultAuthorizer | `arn:aws:iot:region:account-id:authorizer/authorizer-function-name` |
| 物联网:SetDefaultPolicyVersion | SetDefaultPolicyVersion | `arn:aws:iot:region:account-id:policy/policy-name` |
| 物联网:SetLoggingOptions | SetLoggingOptions | `arn:aws:iot:region:account-id:role/role-name` |
| IoT: setv2 LoggingLevel | setv2 LoggingLevel | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` |
| IoT: setv2 LoggingOptions | setv2 LoggingOptions | `arn:aws:iot:region:account-id:role/role-name` |
| 物联网:StartThingRegistrationTask | StartThingRegistrationTask | 无 |
| 物联网:StopThingRegistrationTask | StopThingRegistrationTask | 无 |
| 物联网:TestAuthorization | TestAuthorization | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:TestInvokeAuthorizer | TestInvokeAuthorizer | 无 |
| 物联网:TransferCertificate | TransferCertificate | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:UpdateAuthorizer | UpdateAuthorizer | `arn:aws:iot:region:account-id:authorizerfunction/authorizer-function-name` |
| 物联网:更新 CACertificate | 更新 CACertificate | `arn:aws:iot:region:account-id:cacert/cert-id` |
| 物联网:UpdateCertificate | UpdateCertificate | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:UpdateDimension | UpdateDimension | `arn:aws:iot:region:account-id:dimension/dimension-name` |
| 物联网:UpdateEventConfigurations | UpdateEventConfigurations | 无 |
| 物联网:UpdateIndexingConfiguration | UpdateIndexingConfiguration | 无 |
| 物联网:UpdateRoleAlias | UpdateRoleAlias | `arn:aws:iot:region:account-id:rolealias/role-alias-name` |
| 物联网:UpdateSecurityProfile | UpdateSecurityProfile | `arn:aws:iot:region:account-id:securityprofile/security-profile-name` `arn:aws:iot:region:account-id:dimension/dimension-name` |
| 物联网:UpdateThing | UpdateThing | `arn:aws:iot:region:account-id:thing/thing-name` |
| 物联网:UpdateThingGroup | UpdateThingGroup | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` |
| 物联网:UpdateThingGroupsForThing | UpdateThingGroupsForThing | `arn:aws:iot:region:account-id:thing/thing-name` `arn:aws:iot:region:account-id:thinggroup/thing-group-name` |
正在执行的策略操作在操作前 Amazon IoT 使用以下前缀:`iot:`. 例如,要授予某人列出他们 Amazon Web Services 账户 在 `ListThings` API 中注册的所有物联网事物的权限,您需要将该`iot:ListThings`操作包含在他们的策略中。策略声明必须包含`Action`或`NotAction`元素。 Amazon IoT 定义了自己的一组操作,这些操作描述了您可以使用此服务执行的任务。
要在单个语句中指定多项操作,请使用逗号将它们隔开,如下所示:
```
"Action": [
"ec2:action1",
"ec2:action2"
```
您也可以使用通配符 (\$1) 指定多个操作。例如,要指定以单词 `Describe` 开头的所有操作,包括以下操作:
```
"Action": "iot:Describe*"
```
要查看 Amazon IoT 操作列表,请参阅 *IAM 用户指南 Amazon IoT*中的[定义操作](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions)。
#### Device Advisor 操作
下表列出了 IAM物联网Device Advisor 操作、关联的 Amazon IoT Device Advisor API 以及操作处理的资源。
****
| 策略操作 | Amazon IoT API | 资源 |
| --- | --- | --- |
| iotdeviceAdvisor:CreateSuiteDefinition | CreateSuiteDefinition | 无 |
| iotdeviceAdvisor:DeleteSuiteDefinition | DeleteSuiteDefinition | `arn:aws:iotdeviceadvisor:region:account-id:suitedefinition/suite-definition-id` |
| iotdeviceAdvisor:GetSuiteDefinition | GetSuiteDefinition | `arn:aws:iotdeviceadvisor:region:account-id:suitedefinition/suite-definition-id` |
| iotdeviceAdvisor:GetSuiteRun | GetSuiteRun | `arn:aws:iotdeviceadvisor:region:account-id:suitedefinition/suite-run-id` |
| iotdeviceAdvisor:GetSuiteRunReport | GetSuiteRunReport | `arn:aws:iotdeviceadvisor:region:account-id:suiterun/suite-definition-id/suite-run-id` |
| iotdeviceAdvisor:ListSuiteDefinitions | ListSuiteDefinitions | 无 |
| iotdeviceAdvisor:ListSuiteRuns | ListSuiteRuns | `arn:aws:iotdeviceadvisor:region:account-id:suitedefinition/suite-definition-id` |
| iotdeviceAdvisor:ListTagsForResource | ListTagsForResource | `arn:aws:iotdeviceadvisor:region:account-id:suitedefinition/suite-definition-id` `arn:aws:iotdeviceadvisor:region:account-id:suiterun/suite-definition-id/suite-run-id` |
| iotdeviceAdvisor:StartSuiteRun | StartSuiteRun | `arn:aws:iotdeviceadvisor:region:account-id:suitedefinition/suite-definition-id` |
| iotdeviceAdvisor:TagResource | TagResource | `arn:aws:iotdeviceadvisor:region:account-id:suitedefinition/suite-definition-id` `arn:aws:iotdeviceadvisor:region:account-id:suiterun/suite-definition-id/suite-run-id` |
| iotdeviceAdvisor:UntagResource | UntagResource | `arn:aws:iotdeviceadvisor:region:account-id:suitedefinition/suite-definition-id` `arn:aws:iotdeviceadvisor:region:account-id:suiterun/suite-definition-id/suite-run-id` |
| iotdeviceAdvisor:UpdateSuiteDefinition | UpdateSuiteDefinition | `arn:aws:iotdeviceadvisor:region:account-id:suitedefinition/suite-definition-id` |
| iotdeviceAdvisor:StopSuiteRun | StopSuiteRun | `arn:aws:iotdeviceadvisor:region:account-id:suiterun/suite-definition-id/suite-run-id` |
Amazon IoT 设备顾问中的策略操作在操作前使用以下前缀:`iotdeviceadvisor:`. 例如,要授予某人列出他们在 ListSuiteDefinitions API 中注册的所有套件定义 Amazon Web Services 账户 的权限,您需要将该`iotdeviceadvisor:ListSuiteDefinitions`操作包含在他们的策略中。
### 资源
管理员可以使用 Amazon JSON 策略来指定谁有权访问什么。也就是说,哪个**主体**可以对什么**资源**执行**操作**,以及在什么**条件**下执行。
`Resource` JSON 策略元素指定要向其应用操作的一个或多个对象。作为最佳实践,请使用其 [Amazon 资源名称(ARN)](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference-arns.html)指定资源。对于不支持资源级权限的操作,请使用通配符 (\$1) 指示语句应用于所有资源。
```
"Resource": "*"
```
**Amazon IoT 资源**
| 策略操作 | Amazon IoT API | 资源 |
| --- | --- | --- |
| 物联网:AcceptCertificateTransfer | AcceptCertificateTransfer | `arn:aws:iot:region:account-id:cert/cert-id` ARN 中 Amazon Web Services 账户 指定的必须是证书要转移到的账户。 |
| 物联网:AddThingToThingGroup | AddThingToThingGroup | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` `arn:aws:iot:region:account-id:thing/thing-name` |
| 物联网:AssociateTargetsWithJob | AssociateTargetsWithJob | 无 |
| 物联网:AttachPolicy | AttachPolicy | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` 或者 `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:AttachPrincipalPolicy | AttachPrincipalPolicy | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:AttachThingPrincipal | AttachThingPrincipal | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:CancelCertificateTransfer | CancelCertificateTransfer | `arn:aws:iot:region:account-id:cert/cert-id` ARN 中 Amazon Web Services 账户 指定的必须是证书要转移到的账户。 |
| 物联网:CancelJob | CancelJob | `arn:aws:iot:region:account-id:job/job-id` |
| 物联网:CancelJobExecution | CancelJobExecution | `arn:aws:iot:region:account-id:job/job-id` `arn:aws:iot:region:account-id:thing/thing-name` |
| 物联网:ClearDefaultAuthorizer | ClearDefaultAuthorizer | 无 |
| 物联网:CreateAuthorizer | CreateAuthorizer | `arn:aws:iot:region:account-id:authorizer/authorizer-function-name` |
| 物联网:CreateCertificateFromCsr | CreateCertificateFromCsr | \$1 |
| 物联网:CreateJob | CreateJob | `arn:aws:iot:region:account-id:job/job-id` `arn:aws:iot:region:account-id:thinggroup/thing-group-name` `arn:aws:iot:region:account-id:thing/thing-name` `arn:aws:iot:region:account-id:jobtemplate/job-template-id` |
| 物联网:CreateJobTemplate | CreateJobTemplate | `arn:aws:iot:region:account-id:job/job-id` `arn:aws:iot:region:account-id:jobtemplate/job-template-id` |
| 物联网:CreateKeysAndCertificate | CreateKeysAndCertificate | \$1 |
| 物联网:CreatePolicy | CreatePolicy | `arn:aws:iot:region:account-id:policy/policy-name` |
| CreatePolicyVersion | 物联网:CreatePolicyVersion | `arn:aws:iot:region:account-id:policy/policy-name` 这必须是 Amazon IoT 策略,而不是 IAM 策略。 |
| 物联网:CreateRoleAlias | CreateRoleAlias | (参数:roleAlias) `arn:aws:iot:region:account-id:rolealias/role-alias-name` |
| 物联网:CreateThing | CreateThing | `arn:aws:iot:region:account-id:thing/thing-name` |
| 物联网:CreateThingGroup | CreateThingGroup | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` 针对要创建的组和父组 (如果使用) |
| 物联网:CreateThingType | CreateThingType | `arn:aws:iot:region:account-id:thingtype/thing-type-name` |
| 物联网:CreateTopicRule | CreateTopicRule | `arn:aws:iot:region:account-id:rule/rule-name` |
| 物联网:DeleteAuthorizer | DeleteAuthorizer | `arn:aws:iot:region:account-id:authorizer/authorizer-name` |
| 物联网:删除 CACertificate | 删除 CACertificate | `arn:aws:iot:region:account-id:cacert/cert-id` |
| 物联网:DeleteCertificate | DeleteCertificate | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:DeleteJob | DeleteJob | `arn:aws:iot:region:account-id:job/job-id` |
| 物联网:DeleteJobExecution | DeleteJobExecution | `arn:aws:iot:region:account-id:job/job-id` `arn:aws:iot:region:account-id:thing/thing-name` |
| 物联网:DeleteJobTemplate | DeleteJobTemplate | `arn:aws:iot:region:account-id:jobtemplate/job-template-id` |
| 物联网:DeletePolicy | DeletePolicy | `arn:aws:iot:region:account-id:policy/policy-name` |
| 物联网:DeletePolicyVersion | DeletePolicyVersion | `arn:aws:iot:region:account-id:policy/policy-name` |
| 物联网:DeleteRegistrationCode | DeleteRegistrationCode | \$1 |
| 物联网:DeleteRoleAlias | DeleteRoleAlias | `arn:aws:iot:region:account-id:rolealias/role-alias-name` |
| 物联网:DeleteThing | DeleteThing | `arn:aws:iot:region:account-id:thing/thing-name` |
| 物联网:DeleteThingGroup | DeleteThingGroup | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` |
| 物联网:DeleteThingType | DeleteThingType | `arn:aws:iot:region:account-id:thingtype/thing-type-name` |
| 物联网:DeleteTopicRule | DeleteTopicRule | `arn:aws:iot:region:account-id:rule/rule-name` |
| 物联网:deletev2 LoggingLevel | deleteV2 LoggingLevel | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` |
| 物联网:DeprecateThingType | DeprecateThingType | `arn:aws:iot:region:account-id:thingtype/thing-type-name` |
| 物联网:DescribeAuthorizer | DescribeAuthorizer | `arn:aws:iot:region:account-id:authorizer/authorizer-function-name` (参数:authorizerName) none |
| 物联网:描述 CACertificate | 描述 CACertificate | `arn:aws:iot:region:account-id:cacert/cert-id` |
| 物联网:DescribeCertificate | DescribeCertificate | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:DescribeDefaultAuthorizer | DescribeDefaultAuthorizer | 无 |
| 物联网:DescribeEndpoint | DescribeEndpoint | \$1 |
| 物联网:DescribeEventConfigurations | DescribeEventConfigurations | none |
| 物联网:DescribeIndex | DescribeIndex | `arn:aws:iot:region:account-id:index/index-name` |
| 物联网:DescribeJob | DescribeJob | `arn:aws:iot:region:account-id:job/job-id` |
| 物联网:DescribeJobExecution | DescribeJobExecution | 无 |
| 物联网:DescribeJobTemplate | DescribeJobTemplate | `arn:aws:iot:region:account-id:jobtemplate/job-template-id` |
| 物联网:DescribeRoleAlias | DescribeRoleAlias | `arn:aws:iot:region:account-id:rolealias/role-alias-name` |
| 物联网:DescribeThing | DescribeThing | `arn:aws:iot:region:account-id:thing/thing-name` |
| 物联网:DescribeThingGroup | DescribeThingGroup | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` |
| 物联网:DescribeThingRegistrationTask | DescribeThingRegistrationTask | 无 |
| 物联网:DescribeThingType | DescribeThingType | `arn:aws:iot:region:account-id:thingtype/thing-type-name` |
| 物联网:DetachPolicy | DetachPolicy | `arn:aws:iot:region:account-id:cert/cert-id` 或者 `arn:aws:iot:region:account-id:thinggroup/thing-group-name` |
| 物联网:DetachPrincipalPolicy | DetachPrincipalPolicy | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:DetachThingPrincipal | DetachThingPrincipal | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:DisableTopicRule | DisableTopicRule | `arn:aws:iot:region:account-id:rule/rule-name` |
| 物联网:EnableTopicRule | EnableTopicRule | `arn:aws:iot:region:account-id:rule/rule-name` |
| 物联网:GetEffectivePolicies | GetEffectivePolicies | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:GetIndexingConfiguration | GetIndexingConfiguration | 无 |
| 物联网:GetJobDocument | GetJobDocument | `arn:aws:iot:region:account-id:job/job-id` |
| 物联网:GetLoggingOptions | GetLoggingOptions | \$1 |
| 物联网:GetPolicy | GetPolicy | `arn:aws:iot:region:account-id:policy/policy-name` |
| 物联网:GetPolicyVersion | GetPolicyVersion | `arn:aws:iot:region:account-id:policy/policy-name` |
| 物联网:GetRegistrationCode | GetRegistrationCode | \$1 |
| 物联网:GetTopicRule | GetTopicRule | `arn:aws:iot:region:account-id:rule/rule-name` |
| 物联网:ListAttachedPolicies | ListAttachedPolicies | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` 或者 `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:ListAuthorizers | ListAuthorizers | 无 |
| 物联网:列表 CACertificates | 名单 CACertificates | \$1 |
| 物联网:ListCertificates | ListCertificates | \$1 |
| 物联网:ListCertificatesByCA | ListCertificatesByCA | \$1 |
| 物联网:ListIndices | ListIndices | 无 |
| 物联网:ListJobExecutionsForJob | ListJobExecutionsForJob | 无 |
| 物联网:ListJobExecutionsForThing | ListJobExecutionsForThing | 无 |
| 物联网:ListJobs | ListJobs | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` 如果使用 thingGroupName 参数 |
| 物联网:ListJobTemplates | ListJobTemplates | 无 |
| 物联网:ListOutgoingCertificates | ListOutgoingCertificates | \$1 |
| 物联网:ListPolicies | ListPolicies | \$1 |
| 物联网:ListPolicyPrincipals | ListPolicyPrincipals | `arn:aws:iot:region:account-id:policy/policy-name` |
| 物联网:ListPolicyVersions | ListPolicyVersions | `arn:aws:iot:region:account-id:policy/policy-name` |
| 物联网:ListPrincipalPolicies | ListPrincipalPolicies | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:ListPrincipalThings | ListPrincipalThings | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:ListRoleAliases | ListRoleAliases | 无 |
| 物联网:ListTargetsForPolicy | ListTargetsForPolicy | `arn:aws:iot:region:account-id:policy/policy-name` |
| 物联网:ListThingGroups | ListThingGroups | 无 |
| 物联网:ListThingGroupsForThing | ListThingGroupsForThing | `arn:aws:iot:region:account-id:thing/thing-name` |
| 物联网:ListThingPrincipals | ListThingPrincipals | `arn:aws:iot:region:account-id:thing/thing-name` |
| 物联网:ListThingRegistrationTaskReports | ListThingRegistrationTaskReports | 无 |
| 物联网:ListThingRegistrationTasks | ListThingRegistrationTasks | 无 |
| 物联网:ListThingTypes | ListThingTypes | \$1 |
| 物联网:ListThings | ListThings | \$1 |
| 物联网:ListThingsInThingGroup | ListThingsInThingGroup | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` |
| 物联网:ListTopicRules | ListTopicRules | \$1 |
| IoT: listv2 LoggingLevels | Listv2 LoggingLevels | 无 |
| 物联网:注册 CACertificate | 注册 CACertificate | \$1 |
| 物联网:RegisterCertificate | RegisterCertificate | \$1 |
| 物联网:RegisterThing | RegisterThing | 无 |
| 物联网:RejectCertificateTransfer | RejectCertificateTransfer | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:RemoveThingFromThingGroup | RemoveThingFromThingGroup | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` `arn:aws:iot:region:account-id:thing/thing-name` |
| 物联网:ReplaceTopicRule | ReplaceTopicRule | `arn:aws:iot:region:account-id:rule/rule-name` |
| 物联网:SearchIndex | SearchIndex | `arn:aws:iot:region:account-id:index/index-id` |
| 物联网:SetDefaultAuthorizer | SetDefaultAuthorizer | `arn:aws:iot:region:account-id:authorizer/authorizer-function-name` |
| 物联网:SetDefaultPolicyVersion | SetDefaultPolicyVersion | `arn:aws:iot:region:account-id:policy/policy-name` |
| 物联网:SetLoggingOptions | SetLoggingOptions | \$1 |
| IoT: setv2 LoggingLevel | setv2 LoggingLevel | \$1 |
| IoT: setv2 LoggingOptions | setv2 LoggingOptions | \$1 |
| 物联网:StartThingRegistrationTask | StartThingRegistrationTask | 无 |
| 物联网:StopThingRegistrationTask | StopThingRegistrationTask | 无 |
| 物联网:TestAuthorization | TestAuthorization | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:TestInvokeAuthorizer | TestInvokeAuthorizer | 无 |
| 物联网:TransferCertificate | TransferCertificate | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:UpdateAuthorizer | UpdateAuthorizer | `arn:aws:iot:region:account-id:authorizerfunction/authorizer-function-name` |
| 物联网:更新 CACertificate | 更新 CACertificate | `arn:aws:iot:region:account-id:cacert/cert-id` |
| 物联网:UpdateCertificate | UpdateCertificate | `arn:aws:iot:region:account-id:cert/cert-id` |
| 物联网:UpdateEventConfigurations | UpdateEventConfigurations | 无 |
| 物联网:UpdateIndexingConfiguration | UpdateIndexingConfiguration | 无 |
| 物联网:UpdateRoleAlias | UpdateRoleAlias | `arn:aws:iot:region:account-id:rolealias/role-alias-name` |
| 物联网:UpdateThing | UpdateThing | `arn:aws:iot:region:account-id:thing/thing-name` |
| 物联网:UpdateThingGroup | UpdateThingGroup | `arn:aws:iot:region:account-id:thinggroup/thing-group-name` |
| 物联网:UpdateThingGroupsForThing | UpdateThingGroupsForThing | `arn:aws:iot:region:account-id:thing/thing-name` |
有关格式的更多信息 ARNs,请参阅 [Amazon 资源名称 (ARNs) 和 Amazon 服务命名空间](https://docs.amazonaws.cn/general/latest/gr/aws-arns-and-namespaces.html)。
某些 Amazon IoT 操作(例如创建资源的操作)无法对特定资源执行。在这些情况下,您必须使用通配符(\$1)。
```
"Resource": "*"
```
要查看 Amazon IoT 资源类型及其列表 ARNs,请参阅 *IAM 用户指南 Amazon IoT*中的[由定义的资源](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awsiot.html#awsiot-resources-for-iam-policies)。要了解您可以在哪些操作中指定每个资源的 ARN,请参阅 [Amazon IoT定义的操作](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions)。
#### Device Advisor 资源
要为 Device Advisor IAM 策略定义资源级限制,请使用以下资源 ARN 格式来定义套件和套件运行。 Amazon IoT
套件定义资源 ARN 格式
`arn:aws:iotdeviceadvisor:region:account-id:suitedefinition/suite-definition-id`
套件运行资源 ARN 格式
`arn:aws:iotdeviceadvisor:region:account-id:suiterun/suite-definition-id/suite-run-id`
### 条件键
管理员可以使用 Amazon JSON 策略来指定谁有权访问什么。也就是说,哪个**主体**可以对什么**资源**执行**操作**,以及在什么**条件**下执行。
`Condition` 元素根据定义的条件指定语句何时执行。您可以创建使用[条件运算符](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html)(例如,等于或小于)的条件表达式,以使策略中的条件与请求中的值相匹配。要查看所有 Amazon 全局条件键,请参阅 *IAM 用户指南*中的[Amazon 全局条件上下文密钥](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html)。
Amazon IoT 定义自己的条件键集,还支持使用一些全局条件键。要查看所有 Amazon 全局条件键,请参阅 *IAM 用户指南*中的[Amazon 全局条件上下文密钥](https://docs.amazonaws.cn/service-authorization/latest/reference/reference_policies_condition-keys.html)。
**Amazon IoT 条件键**
| Amazon IoT 条件键 | 描述 | Type |
| --- | --- | --- |
| aws:RequestTag/\$1\$1tag-key\$1 | 用户向 Amazon IoT发出的请求中包含的标签键。 | 字符串 |
| aws:ResourceTag/\$1\$1tag-key\$1 | 附加到 Amazon IoT 资源的标签的标签密钥组件。 | 字符串 |
| aws:TagKeys | 与请求中的资源关联的所有标签键名称的列表。 | 字符串 |
要查看 Amazon IoT 条件键列表,请参阅 *IAM 用户指南 Amazon IoT*中的[条件密钥](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awsiot.html#awsiot-policy-keys)。要了解您可以使用条件键的操作和资源,请参阅[操作定义者 Amazon IoT](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions)。
### 示例
要查看 Amazon IoT 基于身份的策略的示例,请参阅。[Amazon IoT 基于身份的策略示例](security_iam_id-based-policy-examples.md)
## Amazon IoT 基于资源的政策
基于资源的策略是 JSON 策略文档,用于指定委托人可以在哪些条件下对 Amazon IoT 资源执行哪些操作。
Amazon IoT 不支持基于 IAM 资源的策略。但是,它确实支持 Amazon IoT 基于资源的政策。有关更多信息,请参阅 [Amazon IoT Core 政策](iot-policies.md)。
## 基于 Amazon IoT 标签的授权
您可以为 Amazon IoT 资源附加标签或在请求中传递标签 Amazon IoT。要基于标签控制访问,您需要使用 `iot:ResourceTag/key-name``aws:RequestTag/key-name` 或 `aws:TagKeys` 条件键在策略的[条件元素](https://docs.amazonaws.cn/service-authorization/latest/reference/reference_policies_elements_condition.html)中提供标签信息。有关更多信息,请参阅 [在 IAM 策略中使用标签](tagging-iot-iam.md)。有关为 Amazon IoT 资源添加标签的更多信息,请参阅[为资源添加 Amazon IoT 标签](tagging-iot.md)。
要查看基于身份的策略(用于根据资源上的标签来限制对该资源的访问)的示例,请参阅[根据标签查看 Amazon IoT 资源](security_iam_id-based-policy-examples.md#security_iam_id-based-policy-examples-view-thing-tags)。
## Amazon IoT IAM 角色
I [AM 角色](https://docs.amazonaws.cn/service-authorization/latest/reference/id_roles.html)是您内部具有特定权限 Amazon Web Services 账户 的实体。
### 将临时凭证与 Amazon IoT
可以使用临时凭证进行联合身份验证登录,分派 IAM 角色或分派跨账户角色。您可以通过调用[AssumeRole](https://docs.amazonaws.cn/STS/latest/APIReference/API_AssumeRole.html)或之类的 Amazon STS API 操作来获取临时安全证书[GetFederationToken](https://docs.amazonaws.cn/STS/latest/APIReference/API_GetFederationToken.html)。
Amazon IoT 支持使用临时证书。
### 服务关联角色
[服务相关角色](https://docs.amazonaws.cn/service-authorization/latest/reference/id_roles_terms-and-concepts.html#iam-term-service-linked-role)允许 Amazon 服务访问其他服务中的资源以代表您完成操作。服务关联角色显示在 IAM 账户中,并归该服务所有。IAM 管理员可以查看但不能编辑服务关联角色的权限。
Amazon IoT 不支持服务相关角色。
### 服务角色
此功能允许服务代表您担任[服务角色](https://docs.amazonaws.cn/service-authorization/latest/reference/id_roles_terms-and-concepts.html#iam-term-service-role)。此角色允许服务访问其他服务中的资源以代表您完成操作。服务角色显示在 IAM 账户中,并归该账户所有。这意味着,IAM 管理员可以更改该角色的权限。但是,这样做可能会中断服务的功能。