As stated in the docs (https://docs.aws.amazon.com/iot/latest/developerguide/connect-and-pub.html):
For devices not registered as things in the AWS IoT Core registry, the
following policy grants permission to connect to AWS IoT Core with
client ID client1 and restricts the device to publishing on a
clientID-specific MQTT topic:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:ClientId}"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/client1"]
    }
  ]
}
Now I have a user authenticated with a Cognito user pool (by the hosted UI). The user comes back to my webapp (frontend) and I use the id_token (returned by the hosted-UI redirect) with the AWS.CognitoIdentityCredentials() class to get back a temporary key/secret/etc., so that my AWS.config.credentials.identityId has a valid value.
How should I update the policy to allow the logged-in user to connect/publish to an “abc” topic?
I tried replacing the ${iot:ClientId} and client1 (sample values) with:
- the user pool id,
- the webapp clientId,
- the user id (that would make sense to me)…
but without success ;( .
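The following is an added example, not code from the question or from the AWS docs it quotes. It is a small offline simulation of how an AWS IoT Core policy statement containing ${iot:ClientId} is evaluated: AWS fills that variable in with the MQTT client ID the connection presented at CONNECT, then matches the requested ARN against the statement's Resource patterns. That is why pasting a user pool id or identity id into the policy as a literal only helps if the browser client actually connects with exactly that client ID. The REGION and ACCOUNT values are the placeholders from the quoted policy; fixedTopicPolicy() is a hypothetical variant for the "abc" topic. The model handles only Allow statements with no conditions and treats '*' as a wildcard; it does not model the Cognito side (the IAM role of the identity pool must permit the iot:* actions and an IoT policy must be attached to the Cognito identity), which this simulator cannot check.

```javascript
// Added example: offline model of ${iot:ClientId} resolution in an AWS IoT
// Core policy. Not AWS's real evaluator; Allow statements only, no conditions.

const REGION = "us-east-1";      // placeholder values taken from the quoted policy
const ACCOUNT = "123456789012";

// The policy quoted from the AWS docs, as a JS object.
const docPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["iot:Publish"],
      Resource: ["arn:aws:iot:" + REGION + ":" + ACCOUNT + ":topic/${iot:ClientId}"] },
    { Effect: "Allow", Action: ["iot:Connect"],
      Resource: ["arn:aws:iot:" + REGION + ":" + ACCOUNT + ":client/client1"] },
  ],
};

// Replace every ${iot:ClientId} with the client ID of the current connection.
function resolveVariables(resourcePattern, ctx) {
  return resourcePattern.split("${iot:ClientId}").join(ctx.clientId);
}

// Turn a resource pattern into an anchored RegExp: escape regex
// metacharacters, then let '*' match any run of characters.
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// True if some Allow statement grants `action` on `requestedArn` once the
// policy variables have been resolved for this connection.
function isAllowed(policy, action, requestedArn, ctx) {
  return policy.Statement.some((st) =>
    st.Effect === "Allow" &&
    st.Action.includes(action) &&
    st.Resource.some((r) => patternToRegExp(resolveVariables(r, ctx)).test(requestedArn)));
}

// iot:Connect is checked against the client ARN built from the MQTT client ID.
function canConnect(policy, clientId) {
  const arn = "arn:aws:iot:" + REGION + ":" + ACCOUNT + ":client/" + clientId;
  return isAllowed(policy, "iot:Connect", arn, { clientId });
}

// iot:Publish is checked against the topic ARN; ${iot:ClientId} still refers
// to the client ID of the connection that is publishing.
function canPublish(policy, clientId, topic) {
  const arn = "arn:aws:iot:" + REGION + ":" + ACCOUNT + ":topic/" + topic;
  return isAllowed(policy, "iot:Publish", arn, { clientId });
}

// Hypothetical variant (assumption, not from the page): any connection may
// connect under the client ID it presents, and may publish only to `topic`.
// Note that client/${iot:ClientId} accepts every client ID, so the topic
// restriction is the only thing this policy actually narrows.
function fixedTopicPolicy(topic) {
  return {
    Version: "2012-10-17",
    Statement: [
      { Effect: "Allow", Action: ["iot:Connect"],
        Resource: ["arn:aws:iot:" + REGION + ":" + ACCOUNT + ":client/${iot:ClientId}"] },
      { Effect: "Allow", Action: ["iot:Publish"],
        Resource: ["arn:aws:iot:" + REGION + ":" + ACCOUNT + ":topic/" + topic] },
    ],
  };
}

// Constructed sample evaluations (run with `node`):
console.log(canConnect(docPolicy, "client1"));              // only client1 may connect
console.log(canPublish(docPolicy, "client1", "client1"));   // its own topic
console.log(canPublish(docPolicy, "client1", "abc"));       // not "abc"
console.log(canPublish(fixedTopicPolicy("abc"), "any-id", "abc"));
```

The useful takeaway from running it is the second and third lines: under the quoted policy the topic a connection may publish on is derived from its own client ID, so "abc" is reachable only by a connection whose MQTT client ID is "abc", and replacing the variable with an unrelated literal (a pool id, an app client id) changes which client ID is required rather than which user is allowed.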