


# Publish/Subscribe policy examples
<a name="pub-sub-policy"></a>

The policy you use depends on how you connect to AWS IoT Core. You can connect to AWS IoT Core by using an MQTT client, HTTP, or WebSocket. When you connect through an MQTT client, you are authenticating with an X.509 certificate. When you connect over HTTP or the WebSocket protocol, you are authenticating with Signature Version 4 and Amazon Cognito.

**Note**  
For registered devices, we recommend that you use [thing policy variables](thing-policy-variables.md) for the `Connect` action and attach the thing to the principal used to connect.

**Topics**
+ [Using wildcards in MQTT and AWS IoT Core policies](#pub-sub-policy-cert)
+ [Policies to publish, subscribe, and receive messages to/from specific topics](#pub-sub-specific-topic)
+ [Policies to publish, subscribe, and receive messages to/from topics with a specific prefix](#pub-sub-policy-specific-topic-prefix)
+ [Policies to publish, subscribe, and receive messages to/from topics specific to each device](#pub-sub-specific-topic-device)
+ [Policies to publish, subscribe, and receive messages to/from topics that include thing attributes in the topic name](#pub-sub-topic-attribute)
+ [Policies to deny publishing messages to subtopics of a topic name](#pub-sub-deny-publish)
+ [Policies to deny receiving messages from subtopics of a topic name](#pub-sub-deny-receive)
+ [Policies to subscribe to topics using MQTT wildcards](#pub-sub-topic-wildcard)
+ [Policies for HTTP and WebSocket clients](#pub-sub-policy-cognito)

## Using wildcards in MQTT and AWS IoT Core policies
<a name="pub-sub-policy-cert"></a>

MQTT and AWS IoT Core policies have different wildcards, and you should choose between them only after careful consideration. In MQTT, the wildcards `+` and `#` are used in [MQTT topic filters to subscribe to multiple topic names](https://docs.aws.amazon.com/iot/latest/developerguide/topics.html#topicfilters). AWS IoT Core policies use `*` and `?` as wildcards and follow the conventions of [IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html#policies-grammar-json). In a policy document, `*` represents any combination of characters and the question mark `?` represents any single character. In a policy document, the MQTT wildcards `+` and `#` are treated as characters with no special meaning. To describe multiple topic names and topic filters in the `resource` attribute of a policy, use the `*` and `?` wildcards in place of the MQTT wildcards.

When choosing the wildcards to use in a policy document, keep in mind that the `*` character is not limited to a single topic level. In an MQTT topic filter, the `+` character is limited to a single topic level. To help limit a wildcard specification to a single MQTT topic-filter level, consider using multiple `?` characters. For more information about using wildcards in policy resources, and more examples of what the wildcards match, see [Using wildcards in resource ARNs](https://docs.aws.amazon.com//IAM/latest/UserGuide/reference_policies_elements_resource.html#reference_policies_elements_resource_wildcards).

The following table shows the different wildcards used in MQTT and in AWS IoT Core policies for MQTT clients.


| Wildcard | Is MQTT wildcard | Example in MQTT | Is AWS IoT Core policy wildcard | Example in AWS IoT Core policies for MQTT clients |
| --- | --- | --- | --- | --- |
| `#` | Yes | `some/#` | No | N/A |
| `+` | Yes | `some/+/topic` | No | N/A |
| `*` | No | N/A | Yes | `topicfilter/some/*/topic`, `topicfilter/some/sensor*/topic` |
| `?` | No | N/A | Yes | `topic/some/?????/topic`, `topicfilter/some/sensor???/topic` |
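
The table above puts the two wildcard families side by side; the following Python matchers, added here as an example and not taken from the AWS documentation, implement both so the difference in scope can be checked on real topic strings. `policy_matches()` follows the definitions given on this page (`*` is any run of characters, `?` is exactly one character, `+` and `#` have no special meaning); `mqtt_filter_matches()` follows MQTT topic-filter rules (`+` is one level, `#` is the rest of the topic). The sample topics are constructed, and the policy patterns are compared against the topic part only, with the ARN prefix left off. Note that, under the page's definition of `?` as any single character, this implementation lets `?` match a `/` too, which is why `?????` only helps limit a pattern to one level rather than enforcing it.

```python
import re

# Added example (not AWS code): side-by-side matchers for the two wildcard
# families. policy_matches() implements the AWS IoT Core policy wildcards as
# defined on this page; mqtt_filter_matches() implements MQTT topic filters.

def policy_matches(pattern: str, resource: str) -> bool:
    """'*' = any run of characters, '?' = exactly one character.
    '+' and '#' are escaped, so in a policy they match only themselves."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, resource) is not None

def mqtt_filter_matches(topic_filter: str, topic: str) -> bool:
    """'+' matches exactly one topic level; '#' matches the remaining levels
    (zero or more) and is only valid as the last level of the filter."""
    # Topics beginning with '$' (for example $aws/...) are never matched by a
    # filter that starts with a wildcard, per the MQTT specification.
    if topic.startswith("$") and topic_filter[:1] in ("+", "#"):
        return False
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)

# Constructed sample topics covering one level, several levels and fixed widths.
SAMPLE_TOPICS = [
    "some/a/topic",
    "some/a/b/topic",
    "some/sensor1/topic",
    "some/12345/topic",
    "some/ab/cd/topic",
]

def compare(policy_pattern: str, topic_filter: str, topics=SAMPLE_TOPICS) -> dict:
    """Map each topic to (matched by the policy pattern, matched by the MQTT filter)."""
    return {t: (policy_matches(policy_pattern, t), mqtt_filter_matches(topic_filter, t))
            for t in topics}

if __name__ == "__main__":
    for policy_pattern, topic_filter in [("some/*/topic", "some/+/topic"),
                                         ("some/?????/topic", "some/+/topic")]:
        print(f"policy {policy_pattern!r} vs MQTT filter {topic_filter!r}")
        for topic, (by_policy, by_mqtt) in compare(policy_pattern, topic_filter).items():
            print(f"  {topic:20} policy={by_policy!s:5} mqtt={by_mqtt}")
```

Running it shows the asymmetry the text warns about: `some/*/topic` matches `some/a/b/topic`, which the MQTT filter `some/+/topic` never would, and `some/?????/topic` rejects `some/sensor1/topic` but still accepts `some/ab/cd/topic` because five characters can include a slash. A policy that needs to grant exactly one level is safer enumerating the level values, or using a per-device policy variable, than relying on `?` counts alone.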

## Policies to publish, subscribe, and receive messages to/from specific topics
<a name="pub-sub-specific-topic"></a>

The following shows examples of registered and unregistered devices publishing, subscribing, and receiving messages to/from a topic named "some_specific_topic". These examples also highlight that `Publish` and `Receive` use "topic" as the resource, whereas `Subscribe` uses "topic filter" as the resource.

------
#### [ Registered devices ]

For devices registered in the AWS IoT Core registry, the following policy allows a device to connect with a ClientID that matches the thing name in the registry. It also gives `Publish`, `Subscribe`, and `Receive` permissions on the topic named "some_specific_topic".


```json
{
	"Version":"2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"iot:Connect"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
			],
			"Condition": {
				"Bool": {
					"iot:Connection.Thing.IsAttached": "true"
				}
			}
		},
		{
			"Effect": "Allow",
			"Action": [
				"iot:Publish"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:topic/some_specific_topic"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"iot:Subscribe"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:topicfilter/some_specific_topic"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"iot:Receive"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:topic/some_specific_topic"
			]
		}
	]
}
```

------
#### [ Unregistered devices ]

For devices that are not registered in the AWS IoT Core registry, the following policy allows a device to connect with clientId1, clientId2, or clientId3. It also gives `Publish`, `Subscribe`, and `Receive` permissions on the topic named "some_specific_topic".


```json
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/clientId1",
                "arn:aws:iot:us-east-1:123456789012:client/clientId2",
                "arn:aws:iot:us-east-1:123456789012:client/clientId3"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:topic/some_specific_topic"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Subscribe"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:topicfilter/some_specific_topic"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Receive"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:topic/some_specific_topic"
            ]
        }
    ]
}
```

------

## Policies to publish, subscribe, and receive messages to/from topics with a specific prefix
<a name="pub-sub-policy-specific-topic-prefix"></a>

The following shows examples of registered and unregistered devices publishing, subscribing, and receiving messages to/from topics prefixed with "topic_prefix".

**Note**  
Note the use of the wildcard `*` in this example. Although `*` is useful for granting permissions on multiple topic names in a single statement, it can give a device more permissions than it needs, with unintended consequences. We therefore recommend that you use the `*` wildcard only after careful consideration.

------
#### [ Registered devices ]

For devices registered in the AWS IoT Core registry, the following policy allows a device to connect with a ClientID that matches the thing name in the registry. It also gives `Publish`, `Subscribe`, and `Receive` permissions on topics with the prefix "topic_prefix".


```json
{
	"Version":"2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"iot:Connect"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
			],
			"Condition": {
				"Bool": {
					"iot:Connection.Thing.IsAttached": "true"
				}
			}
		},
		{
			"Effect": "Allow",
			"Action": [
				"iot:Publish",
				"iot:Receive"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:topic/topic_prefix*"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"iot:Subscribe"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:topicfilter/topic_prefix*"
			]
		}
	]
}
```

------
#### [ Unregistered devices ]

For devices that are not registered in the AWS IoT Core registry, the following policy allows a device to connect with clientId1, clientId2, or clientId3. It also gives `Publish`, `Subscribe`, and `Receive` permissions on topics with the prefix "topic_prefix".


```json
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/clientId1",
                "arn:aws:iot:us-east-1:123456789012:client/clientId2",
                "arn:aws:iot:us-east-1:123456789012:client/clientId3"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish",
                "iot:Receive"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:topic/topic_prefix*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Subscribe"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:topicfilter/topic_prefix*"
            ]
        }
    ]
}
```

------

## Policies to publish, subscribe, and receive messages to/from topics specific to each device
<a name="pub-sub-specific-topic-device"></a>

The following shows examples of registered and unregistered devices publishing, subscribing, and receiving messages to/from topics that are specific to a given device.

------
#### [ Registered devices ]

For devices registered in the AWS IoT Core registry, the following policy allows a device to connect with a ClientID that matches the thing name in the registry. It gives permission to publish to a thing-specific topic (`sensor/device/${iot:Connection.Thing.ThingName}`), and to subscribe to and receive from a thing-specific topic (`command/device/${iot:Connection.Thing.ThingName}`). If the thing name in the registry is "thing1", the device will be able to publish to the topic "sensor/device/thing1". The device will also be able to subscribe to and receive from the topic "command/device/thing1".


```json
{
	"Version":"2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"iot:Connect"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
			],
			"Condition": {
				"Bool": {
					"iot:Connection.Thing.IsAttached": "true"
				}
			}
		},
		{
			"Effect": "Allow",
			"Action": [
				"iot:Publish"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:topic/sensor/device/${iot:Connection.Thing.ThingName}"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"iot:Subscribe"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:topicfilter/command/device/${iot:Connection.Thing.ThingName}"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"iot:Receive"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:topic/command/device/${iot:Connection.Thing.ThingName}"
			]
		}
	]
}
```

------
#### [ Unregistered devices ]

For devices that are not registered in the AWS IoT Core registry, the following policy allows a device to connect with clientId1, clientId2, or clientId3. It gives permission to publish to a client-specific topic (`sensor/device/${iot:ClientId}`), and to subscribe to and receive from a client-specific topic (`command/device/${iot:ClientId}`). If the device connects with clientId1 as its clientId, it will be able to publish to the topic "sensor/device/clientId1". The device will also be able to subscribe to and receive from the topic `device/clientId1/command`.


```json
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/clientId1",
                "arn:aws:iot:us-east-1:123456789012:client/clientId2",
                "arn:aws:iot:us-east-1:123456789012:client/clientId3"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:topic/sensor/device/${iot:ClientId}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Subscribe"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:topicfilter/command/device/${iot:ClientId}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Receive"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:topic/command/device/${iot:ClientId}"
            ]
        }
    ]
}
```

------

## Policies to publish, subscribe, and receive messages to/from topics that include thing attributes in the topic name
<a name="pub-sub-topic-attribute"></a>

The following shows an example of a registered device publishing, subscribing, and receiving messages to/from topics whose names include thing attributes.

**Note**  
Thing attributes exist only for devices registered in the AWS IoT Core registry. There is no corresponding example for unregistered devices.

------
#### [ Registered devices ]

For devices registered in the AWS IoT Core registry, the following policy allows a device to connect with a ClientID that matches the thing name in the registry. It gives permission to publish to a topic (`sensor/${iot:Connection.Thing.Attributes[version]}`), and to subscribe to and receive from a topic (`command/${iot:Connection.Thing.Attributes[location]}`), whose names include thing attributes. If the thing in the registry has the attributes `version=v1` and `location=Seattle`, the device will be able to publish to the topic "sensor/v1" and to subscribe to and receive from the topic "command/Seattle".


```json
{
	"Version":"2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"iot:Connect"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
			],
			"Condition": {
				"Bool": {
					"iot:Connection.Thing.IsAttached": "true"
				}
			}
		},
		{
			"Effect": "Allow",
			"Action": [
				"iot:Publish"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:topic/sensor/${iot:Connection.Thing.Attributes[version]}"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"iot:Subscribe"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:topicfilter/command/${iot:Connection.Thing.Attributes[location]}"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"iot:Receive"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:topic/command/${iot:Connection.Thing.Attributes[location]}"
			]
		}
	]
}
```

------
#### [ Unregistered devices ]

Because thing attributes exist only for devices registered in the AWS IoT Core registry, there is no corresponding example for unregistered things.

------

## Policies to deny publishing messages to subtopics of a topic name
<a name="pub-sub-deny-publish"></a>

The following shows examples of registered and unregistered devices publishing messages to all topics except certain subtopics.

------
#### [ Registered devices ]

For devices registered in the AWS IoT Core registry, the following policy allows a device to connect with a ClientID that matches the thing name in the registry. It allows publishing to all topics prefixed with "department/", but not to the "department/admins" subtopic.


```json
{
	"Version":"2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"iot:Connect"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
			],
			"Condition": {
				"Bool": {
					"iot:Connection.Thing.IsAttached": "true"
				}
			}
		},
		{
			"Effect": "Allow",
			"Action": [
				"iot:Publish"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:topic/department/*"
			]
		},
		{
			"Effect": "Deny",
			"Action": [
				"iot:Publish"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:topic/department/admins"
			]
		}
	]
}
```

------
#### [ Unregistered devices ]

For devices that are not registered in the AWS IoT Core registry, the following policy allows a device to connect with clientId1, clientId2, or clientId3. It allows publishing to all topics prefixed with "department/", but not to the "department/admins" subtopic.


```json
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/clientId1",
                "arn:aws:iot:us-east-1:123456789012:client/clientId2",
                "arn:aws:iot:us-east-1:123456789012:client/clientId3"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:topic/department/*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": [
                "iot:Publish"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:topic/department/admins"
            ]
        }
    ]
}
```

------

## Policies to deny receiving messages from subtopics of a topic name
<a name="pub-sub-deny-receive"></a>

The following shows examples of registered and unregistered devices subscribing to topics with a specific prefix, except for certain subtopics, and receiving messages from those topics.

------
#### [ Registered devices ]

For devices registered in the AWS IoT Core registry, the following policy allows a device to connect with a ClientID that matches the thing name in the registry. This policy allows the device to subscribe to any topic with the prefix "topic_prefix". By using `NotResource` in the statement for `iot:Receive`, we allow the device to receive messages from all the topics it has subscribed to, except those prefixed with "topic_prefix/restricted". For example, with this policy, devices can subscribe to "topic_prefix/topic1" and even "topic_prefix/restricted"; however, they will only receive messages from the topic "topic_prefix/topic1" and no messages from the topic "topic_prefix/restricted".


```json
{
	"Version":"2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"iot:Connect"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
			],
			"Condition": {
				"Bool": {
					"iot:Connection.Thing.IsAttached": "true"
				}
			}
		},
		{
			"Effect": "Allow",
			"Action": "iot:Subscribe",
			"Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/topic_prefix/*"
		},
		{
			"Effect": "Allow",
			"Action": "iot:Receive",
			"NotResource": "arn:aws:iot:us-east-1:123456789012:topic/topic_prefix/restricted/*"
		}
	]
}
```

------
#### [ Unregistered devices ]

For devices that are not registered in the AWS IoT Core registry, the following policy allows a device to connect with clientId1, clientId2, or clientId3. This policy allows the device to subscribe to any topic with the prefix "topic_prefix". By using `NotResource` in the statement for `iot:Receive`, we allow the device to receive messages from all the topics it has subscribed to, except those prefixed with "topic_prefix/restricted". For example, with this policy, devices can subscribe to "topic_prefix/topic1" and even "topic_prefix/restricted". However, they will only receive messages from the topic "topic_prefix/topic1" and no messages from the topic "topic_prefix/restricted".


```json
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/clientId1",
                "arn:aws:iot:us-east-1:123456789012:client/clientId2",
                "arn:aws:iot:us-east-1:123456789012:client/clientId3"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/topic_prefix/*"
        },
        {
            "Effect": "Allow",
            "Action": "iot:Receive",
            "NotResource": "arn:aws:iot:us-east-1:123456789012:topic/topic_prefix/restricted/*"
        }
    ]
}
```

------

## Policies to subscribe to topics using MQTT wildcards
<a name="pub-sub-topic-wildcard"></a>

The MQTT wildcards `+` and `#` are treated as literal strings, not as wildcards, when they are used in AWS IoT Core policies. In MQTT, `+` and `#` are treated as wildcards only in the topic filter of a subscription, and as literal strings in every other context. We recommend that you use these MQTT wildcards as part of AWS IoT Core policies only after careful consideration.

The following shows examples of registered and unregistered things that use MQTT wildcards in AWS IoT Core policies, where those wildcards are treated as literal strings.

------
#### [ Registered devices ]

For devices registered in the AWS IoT Core registry, the following policy allows a device to connect with a ClientID that matches the thing name in the registry. This policy allows the device to subscribe to the topics "department/+/employees" and "location/#". Because `+` and `#` are treated as literal strings in AWS IoT Core policies, the device can subscribe to the topic "department/+/employees" but not to the topic "department/engineering/employees". Similarly, the device can subscribe to the topic "location/#" but not to the topic "location/Seattle". However, once the device subscribes to the topic "department/+/employees", the policy will allow it to receive messages from the topic "department/engineering/employees". Similarly, once the device subscribes to the topic "location/#", it will receive messages from the topic "location/Seattle".


```json
{
	"Version":"2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"iot:Connect"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
			],
			"Condition": {
				"Bool": {
					"iot:Connection.Thing.IsAttached": "true"
				}
			}
		},
		{
			"Effect": "Allow",
			"Action": "iot:Subscribe",
			"Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/department/+/employees"
		},
		{
			"Effect": "Allow",
			"Action": "iot:Subscribe",
			"Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/location/#"
		},
		{
			"Effect": "Allow",
			"Action": "iot:Receive",
			"Resource": "arn:aws:iot:us-east-1:123456789012:topic/*"
		}
	]
}
```

------
#### [ Unregistered devices ]

For devices that are not registered in the AWS IoT Core registry, the following policy allows a device to connect with clientId1, clientId2, or clientId3. This policy allows the device to subscribe to the topics "department/+/employees" and "location/#". Because `+` and `#` are treated as literal strings in AWS IoT Core policies, the device can subscribe to the topic "department/+/employees" but not to the topic "department/engineering/employees". Similarly, the device can subscribe to the topic "location/#" but not to "location/Seattle". However, once the device subscribes to the topic "department/+/employees", the policy will allow it to receive messages from the topic "department/engineering/employees". Similarly, once the device subscribes to the topic "location/#", it will receive messages from the topic "location/Seattle".


```json
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/clientId1",
                "arn:aws:iot:us-east-1:123456789012:client/clientId2",
                "arn:aws:iot:us-east-1:123456789012:client/clientId3"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/department/+/employees"
        },
        {
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/location/#"
        },
        {
            "Effect": "Allow",
            "Action": "iot:Receive",
            "Resource": "arn:aws:iot:us-east-1:123456789012:topic/*"
        }
    ]
}
```

------
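
The deny-publish, deny-receive and MQTT-wildcard sections above all depend on the same evaluation rules: a statement applies when its action matches, its conditions hold and its resource pattern matches (or, for `NotResource`, does not match) the requested ARN; an explicit `Deny` beats every `Allow`; and anything no statement allows is denied. The following Python evaluator is an added example, not AWS code and not the service's real authorizer, that models exactly those rules and runs the page's own policies from the three sections against sample requests. Constructed values are the connection context for a registered thing named "thing1" (attached and then detached from its certificate) and the sample topic names; the ARN prefix uses the placeholder account and region that the page's policies use. Condition operators other than `Bool`, and policy variables not supplied in the context, are deliberately not modelled.

```python
import re

# Added example, not AWS code: a minimal evaluator for the AWS IoT Core policy
# documents on this page. Modelled: Allow/Deny with explicit Deny winning,
# Resource and NotResource, the '*' and '?' wildcards, ${...} policy variables
# and the Bool condition operator. Anything else raises NotImplementedError.
ARN_PREFIX = "arn:aws:iot:us-east-1:123456789012:"   # the page's placeholder account

def as_list(value):
    return value if isinstance(value, list) else [value]

def substitute(pattern: str, variables: dict) -> str:
    """Replace ${var} with the connection's value; unknown variables stay literal."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: variables.get(m.group(1), m.group(0)), pattern)

def pattern_matches(pattern: str, value: str) -> bool:
    """Policy wildcards: '*' = any run of characters, '?' = one character.
    The MQTT characters '+' and '#' are escaped, so they only match themselves."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def conditions_hold(condition: dict, variables: dict) -> bool:
    for operator, checks in (condition or {}).items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, expected in checks.items():
            # A missing key (for example no thing attached) evaluates as false.
            if str(variables.get(key, "false")).lower() != str(expected).lower():
                return False
    return True

def evaluate(policy: dict, action: str, resource_arn: str, variables: dict) -> str:
    """Return 'Allow' or 'Deny' for one action on one resource ARN."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(pattern_matches(a, action) for a in as_list(stmt["Action"])):
            continue
        if not conditions_hold(stmt.get("Condition"), variables):
            continue
        if "Resource" in stmt:
            hit = any(pattern_matches(substitute(r, variables), resource_arn)
                      for r in as_list(stmt["Resource"]))
        else:  # NotResource: the statement applies to every ARN *not* listed
            hit = not any(pattern_matches(substitute(r, variables), resource_arn)
                          for r in as_list(stmt["NotResource"]))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit Deny overrides any Allow
        allowed = True
    return "Allow" if allowed else "Deny"   # implicit deny when nothing matched

# The policies below are the page's own examples, reduced to the statements under test.
DENY_PUBLISH = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Publish", "Resource": ARN_PREFIX + "topic/department/*"},
    {"Effect": "Deny", "Action": "iot:Publish", "Resource": ARN_PREFIX + "topic/department/admins"},
]}
DENY_RECEIVE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect",
     "Resource": ARN_PREFIX + "client/${iot:Connection.Thing.ThingName}",
     "Condition": {"Bool": {"iot:Connection.Thing.IsAttached": "true"}}},
    {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": ARN_PREFIX + "topicfilter/topic_prefix/*"},
    {"Effect": "Allow", "Action": "iot:Receive", "NotResource": ARN_PREFIX + "topic/topic_prefix/restricted/*"},
]}
MQTT_WILDCARD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": ARN_PREFIX + "topicfilter/department/+/employees"},
    {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": ARN_PREFIX + "topicfilter/location/#"},
    {"Effect": "Allow", "Action": "iot:Receive", "Resource": ARN_PREFIX + "topic/*"},
]}

# Constructed connection context: a registered thing named "thing1" whose
# certificate is attached to it, and the same device with the thing detached.
THING1 = {"iot:Connection.Thing.ThingName": "thing1", "iot:Connection.Thing.IsAttached": "true",
          "iot:ClientId": "thing1"}
DETACHED = {**THING1, "iot:Connection.Thing.IsAttached": "false"}

def check(policy: dict, action: str, kind: str, name: str, variables: dict = THING1) -> str:
    """Evaluate `action` on the client, topic or topicfilter resource `name`."""
    return evaluate(policy, action, f"{ARN_PREFIX}{kind}/{name}", variables)

if __name__ == "__main__":
    cases = [
        (DENY_PUBLISH, "iot:Publish", "topic", "department/engineering"),
        (DENY_PUBLISH, "iot:Publish", "topic", "department/admins"),
        (DENY_PUBLISH, "iot:Publish", "topic", "department/admins/backlog"),
        (DENY_RECEIVE, "iot:Subscribe", "topicfilter", "topic_prefix/restricted"),
        (DENY_RECEIVE, "iot:Receive", "topic", "topic_prefix/topic1"),
        (DENY_RECEIVE, "iot:Receive", "topic", "topic_prefix/restricted/secret"),
        (DENY_RECEIVE, "iot:Receive", "topic", "topic_prefix/restricted"),
        (MQTT_WILDCARD, "iot:Subscribe", "topicfilter", "department/+/employees"),
        (MQTT_WILDCARD, "iot:Subscribe", "topicfilter", "department/engineering/employees"),
        (MQTT_WILDCARD, "iot:Receive", "topic", "department/engineering/employees"),
    ]
    for policy, action, kind, name in cases:
        print(f"{action:14} {kind + '/' + name:45} -> {check(policy, action, kind, name)}")
    print("iot:Connect with thing detached ->",
          check(DENY_RECEIVE, "iot:Connect", "client", "thing1", DETACHED))
```

Two results from the run are worth keeping in mind when writing your own policies. In the deny-publish policy, the `Deny` resource is the exact topic `department/admins`, so a topic beneath it such as `department/admins/backlog` is still allowed by the `department/*` statement; a `Deny` that should cover the whole subtree needs `department/admins/*` as a second resource entry. In the deny-receive policy, the `NotResource` pattern `topic_prefix/restricted/*` ends in a slash, so under plain pattern matching it excludes topics below `topic_prefix/restricted` but not that topic itself, and because the statement is an `Allow` on everything not listed, it grants `iot:Receive` on every other topic in the account; the `iot:Subscribe` statement is what actually bounds which topics the device can read, which is the behaviour the evaluator reproduces and the reason the `IsAttached` condition on `iot:Connect` matters for the registered-device variant.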

## Policies for HTTP and WebSocket clients
<a name="pub-sub-policy-cognito"></a>

When you connect over HTTP or the WebSocket protocol, you are authenticating with Signature Version 4 and Amazon Cognito. An Amazon Cognito identity can be authenticated or unauthenticated. Authenticated identities belong to users who have been authenticated by any supported identity provider. Unauthenticated identities typically belong to guest users who do not authenticate with an identity provider. Amazon Cognito provides a unique identifier and AWS credentials to support unauthenticated identities. For more information, see [Authorizing with Amazon Cognito identities](cog-iot-policies.md).

For the following actions, AWS IoT Core uses the AWS IoT Core policies attached to Amazon Cognito identities through the AWS IoT Core `AttachPolicy` API. This scopes down the permissions attached to the Amazon Cognito identity pool for authenticated identities.
+ `iot:Connect`
+ `iot:Publish`
+ `iot:Subscribe`
+ `iot:Receive`
+ `iot:GetThingShadow`
+ `iot:UpdateThingShadow`
+ `iot:DeleteThingShadow`

This means that an Amazon Cognito identity needs permission from both the IAM role policy and the AWS IoT Core policy. You attach the IAM role policy to the identity pool, and you attach the AWS IoT Core policy to the Amazon Cognito identity through the AWS IoT Core `AttachPolicy` API.

Authenticated and unauthenticated users are different identity types. If you do not attach an AWS IoT policy to the Amazon Cognito identity, an authenticated user will fail authorization in AWS IoT and will have no access to AWS IoT resources and actions.

**Note**  
For other AWS IoT Core actions, or for unauthenticated identities, AWS IoT Core does not scope down the permissions attached to the Amazon Cognito identity pool role. For both authenticated and unauthenticated identities, the following is the most permissive policy we recommend attaching to the Amazon Cognito pool role.

**HTTP**

To allow unauthenticated Amazon Cognito identities to publish messages over HTTP to a topic specific to the Amazon Cognito identity, attach the following IAM policy to the Amazon Cognito identity pool role:


```json
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:topic/${cognito-identity.amazonaws.com:sub}"
            ]
        }
    ]
}
```

To allow authenticated users, attach the preceding policy to the Amazon Cognito identity pool role and to the Amazon Cognito identity by using the AWS IoT Core [AttachPolicy](https://docs.aws.amazon.com//iot/latest/apireference/API_AttachPolicy.html) API.

**Note**  
When authorizing Amazon Cognito identities, AWS IoT Core considers both policies and grants the least privilege specified. An action is allowed only if both policies allow the requested action. If either policy disallows an action, that action is unauthorized.

**MQTT**

To allow unauthenticated Amazon Cognito identities to publish MQTT messages over WebSocket to topics specific to the Amazon Cognito identity in your account, attach the following IAM policy to the Amazon Cognito identity pool role:


```json
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish"
            ],
            "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${cognito-identity.amazonaws.com:sub}"]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${cognito-identity.amazonaws.com:sub}"]
        }
    ]
}
```

To allow authenticated users, attach the preceding policy to the Amazon Cognito identity pool role and to the Amazon Cognito identity by using the AWS IoT Core [AttachPolicy](https://docs.aws.amazon.com//iot/latest/apireference/API_AttachPolicy.html) API.

**Note**  
When authorizing Amazon Cognito identities, AWS IoT Core considers both policies and grants the least privilege specified. An action is allowed only if both policies allow the requested action. If either policy disallows an action, that action is unauthorized.