AWS IoT permission policy for user authenticated with Cognito UserPool and Cognito IdentityPool

As stated in the docs (https://docs.aws.amazon.com/iot/latest/developerguide/connect-and-pub.html):

For devices not registered as things in the AWS IoT Core registry, the
following policy grants permission to connect to AWS IoT Core with
client ID client1 and restricts the device to publishing on a
clientID-specific MQTT topic:

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action":["iot:Publish"],
        "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:ClientId}"]
      },
      {
        "Effect": "Allow",
        "Action": ["iot:Connect"],
        "Resource": ["arn:aws:iot:us-east-1:123456789012:client/client1"]
      }
    ]
}

Now I have a user authenticated with a Cognito user pool (by the hosted UI). The user comes back to my webapp (frontend) and I use the id_token (returned by the hosted-UI redirect) with the AWS.CognitoIdentityCredentials() class to get back a temporary key/secret/etc.,

so that my AWS.config.credentials.identityId has a valid value.

How should I update the policy to allow the logged-in user to connect/publish to an “abc” topic?

I tried replacing the ${iot:ClientId} and client1 (sample values) with:

  1. the user pool id,
  2. the webapp clientId,
  3. the user id (that would make sense to me)…

but without success ;(
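Added example, not part of the question above: a per-user AWS IoT policy for Cognito identities, together with a small local check of what the policy lets one identity do. It uses the AWS IoT policy variable `${cognito-identity.amazonaws.com:sub}`, which AWS IoT substitutes with the caller's Cognito identity ID (the same value as `AWS.config.credentials.identityId`), so one policy document scopes every user to a client ID and topic branch that carry their own identity ID. The region, account ID, topic prefix `abc` and the identity IDs are constructed sample values reused from the question's policy; the `is_allowed` evaluator is a deliberate simplification (Allow statements only, no Deny, `*` as the only wildcard) and does not model the fact that the identity pool's IAM role must also grant `iot:Connect`/`iot:Publish`. The `attach_policy_to_identity` helper wraps the real boto3 `iot.attach_policy` call that binds the IoT policy to a Cognito identity; it takes the client as a parameter and is not invoked at import time.

```python
"""Per-identity AWS IoT policy for Cognito-authenticated users (added example)."""
import json
import re

# Constructed sample values (same placeholders as the policy in the question).
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"

# AWS IoT policy variable resolved at evaluation time to the caller's
# Cognito identity ID, e.g. "us-east-1:11111111-2222-3333-4444-555555555555".
COGNITO_SUB = "${cognito-identity.amazonaws.com:sub}"


def build_policy(topic_prefix: str = "abc") -> dict:
    """Allow a Cognito identity to connect using its identity ID as MQTT
    client ID and to publish only under <topic_prefix>/<identityId>/..."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["iot:Connect"],
                "Resource": [f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:client/{COGNITO_SUB}"],
            },
            {
                "Effect": "Allow",
                "Action": ["iot:Publish"],
                "Resource": [
                    f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:topic/{topic_prefix}/{COGNITO_SUB}/*"
                ],
            },
        ],
    }


def topic_arn(topic: str) -> str:
    return f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:topic/{topic}"


def client_arn(client_id: str) -> str:
    return f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:client/{client_id}"


def _resolve(resource: str, identity_id: str) -> str:
    # What AWS IoT does with the policy variable before matching the ARN.
    return resource.replace(COGNITO_SUB, identity_id)


def _arn_match(pattern: str, arn: str) -> bool:
    # IoT policies treat '*' as a wildcard in resource ARNs; all else is literal.
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, arn) is not None


def is_allowed(policy: dict, action: str, resource_arn: str, identity_id: str) -> bool:
    """Simplified evaluation: returns True if any Allow statement covers the
    action and (variable-resolved) resource. No Deny handling, and the IAM
    role of the identity pool is assumed to permit the action as well."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        for pattern in stmt["Resource"]:
            if _arn_match(_resolve(pattern, identity_id), resource_arn):
                return True
    return False


def attach_policy_to_identity(iot_client, policy_name: str, identity_id: str):
    """The step that is easy to miss: a Cognito identity only gets IoT
    permissions once the IoT policy is attached to that identity ID
    (iot:AttachPolicy with target=<identityId>), on top of the identity
    pool role's IAM permissions. iot_client is a boto3 'iot' client."""
    return iot_client.attach_policy(policyName=policy_name, target=identity_id)


if __name__ == "__main__":
    me = "us-east-1:11111111-2222-3333-4444-555555555555"  # constructed
    policy = build_policy("abc")
    print(json.dumps(policy, indent=2))
    print("own topic:", is_allowed(policy, "iot:Publish", topic_arn(f"abc/{me}/status"), me))
```

Running the block prints the policy document and a `True` for the identity's own topic; the local evaluator is only a way to reason about which ARNs the resolved variables match before deploying, and the authoritative check is AWS IoT itself (CloudWatch logs for AWS IoT show the failed `Connect`/`Publish` with the resolved client ID and topic when a policy does not match).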