我无法弄清楚如何限制用户(使用临时安全凭证)仅订阅 aws IOT 上提供的主题。
我可以使用这些临时安全凭证连接到 aws iot,但无法发布或订阅。
以下是我在节点 js 中尝试做的事情。
/*
background information:
i have allowed all services of iot to this user in aws iam.
"iot:*". with this if i do not include Policy to
sts.assumeRole() eveything works, i am subscribed and able to publish.
But if i include a policy with sts.assumeRole i am unable to
subscribe or publish.
Error event of aws-iot-device-sdk.device() never gets called.
*/
var deviceSdk = require('aws-iot-device-sdk');
var devic;
var sts = new aws.STS(MyAWSCredentials);
var policy = {
"Effect": "Allow",
"Action": "iot:Publish",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iot:Connect",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iot:Receive",
"Resource": "*"
},
var assumeRoleParams = {
Policy : JSON.stringify(policy),
RoleArn : 'arn:aws:iam::226488****:role/assumedRole',
RoleSessionName : 'ash'
};
sts.assumeRole(assumeRoleParams, function (err,data){
// here we successfully get Credentials.
devic = deviceSdk.device({
region : 'us-east-1',
protocol : 'wss',
accessKeyId : data.Credentials.AccessKeyId,
secretKey : data.Credentials.SecretAccessKey,
sessionToken : data.Credentials.SessionToken,
port : 443,
host : 'a2ytgeipo****.iot.us-east-1.amazonaws.com'
});
devic.on('connect',function (){
console.log("connected");
devic.subscribe('topic2');
setTimeout(function (){
devic.publish('topic2',JSON.stringify({msg : "here i come"}));
// console.log("published");
},1000);
});
devic.on('message',function (topic,payload){
console.log(topic);
console.log(payload.toString());
});
devic.on('error', function (err){
// never gets called.
console.log(err);
});
});