

This page is a machine-translated version. If this translation differs from the English original, the English original prevails.

# How AWS IoT works with IAM
<a name="security_iam_service-with-iam"></a>

Before you use IAM to manage access to AWS IoT, you should understand which IAM features are available for use with AWS IoT. To get a high-level view of how AWS IoT and other AWS services work with IAM, see [AWS services that work with IAM](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

**Topics**
+ [AWS IoT identity-based policies](#security_iam_service-with-iam-id-based-policies)
+ [AWS IoT resource-based policies](#security_iam_service-with-iam-resource-based-policies)
+ [Authorization based on AWS IoT tags](#security_iam_service-with-iam-tags)
+ [AWS IoT IAM roles](#security_iam_service-with-iam-roles)

## AWS IoT identity-based policies
<a name="security_iam_service-with-iam-id-based-policies"></a>

With IAM identity-based policies, you can specify allowed or denied actions and resources, as well as the conditions under which actions are allowed or denied. AWS IoT supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_elements.html) in the *IAM User Guide*.

### Actions
<a name="security_iam_service-with-iam-id-based-policies-actions"></a>

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permission to perform the associated operation.

The following table lists the IAM AWS IoT actions, the associated AWS IoT API, and the resource that the action manipulates.


| Policy action | AWS IoT API | Resource | 
| --- | --- | --- | 
| iot:AcceptCertificateTransfer | AcceptCertificateTransfer | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` The AWS account specified in the ARN must be the account the certificate is being transferred to.  | 
| iot:AddThingToThingGroup | AddThingToThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:AssociateTargetsWithJob | AssociateTargetsWithJob | none  | 
| iot:AttachPolicy | AttachPolicy | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />or<br />`arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:AttachPrincipalPolicy | AttachPrincipalPolicy | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:AttachSecurityProfile | AttachSecurityProfile | `arn:aws:iot:{{region}}:{{account-id}}:securityprofile/{{security-profile-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:dimension/{{dimension-name}}` | 
| iot:AttachThingPrincipal | AttachThingPrincipal | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:CancelCertificateTransfer | CancelCertificateTransfer | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` The AWS account specified in the ARN must be the account the certificate is being transferred to.  | 
| iot:CancelJob | CancelJob | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}` | 
| iot:CancelJobExecution | CancelJobExecution | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:ClearDefaultAuthorizer | ClearDefaultAuthorizer | none | 
| iot:CreateAuthorizer | CreateAuthorizer | `arn:aws:iot:{{region}}:{{account-id}}:authorizer/{{authorizer-function-name}}` | 
| iot:CreateCertificateFromCsr | CreateCertificateFromCsr | \* | 
| iot:CreateDimension | CreateDimension | `arn:aws:iot:{{region}}:{{account-id}}:dimension/{{dimension-name}}` | 
| iot:CreateJob | CreateJob | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:jobtemplate/{{job-template-id}}` | 
| iot:CreateJobTemplate | CreateJobTemplate | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:jobtemplate/{{job-template-id}}` | 
| iot:CreateKeysAndCertificate | CreateKeysAndCertificate | \* | 
| iot:CreatePolicy | CreatePolicy | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:CreatePolicyVersion | CreatePolicyVersion | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` This must be an AWS IoT policy, not an IAM policy.  | 
| iot:CreateRoleAlias | CreateRoleAlias | (parameter: roleAlias)<br />`arn:aws:iot:{{region}}:{{account-id}}:rolealias/{{role-alias-name}}` | 
| iot:CreateSecurityProfile | CreateSecurityProfile | `arn:aws:iot:{{region}}:{{account-id}}:securityprofile/{{security-profile-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:dimension/{{dimension-name}}` | 
| iot:CreateThing | CreateThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:CreateThingGroup | CreateThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />for the group to be created and for the parent group (if used) | 
| iot:CreateThingType | CreateThingType | `arn:aws:iot:{{region}}:{{account-id}}:thingtype/{{thing-type-name}}` | 
| iot:CreateTopicRule | CreateTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:DeleteAuthorizer | DeleteAuthorizer | `arn:aws:iot:{{region}}:{{account-id}}:authorizer/{{authorizer-name}}` | 
| iot:DeleteCACertificate | DeleteCACertificate | `arn:aws:iot:{{region}}:{{account-id}}:cacert/{{cert-id}}` | 
| iot:DeleteCertificate | DeleteCertificate | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:DeleteDimension | DeleteDimension | `arn:aws:iot:{{region}}:{{account-id}}:dimension/{{dimension-name}}` | 
| iot:DeleteJob | DeleteJob | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}` | 
| iot:DeleteJobTemplate | DeleteJobTemplate | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-template-id}}` | 
| iot:DeleteJobExecution | DeleteJobExecution | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:DeletePolicy | DeletePolicy | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:DeletePolicyVersion | DeletePolicyVersion | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:DeleteRegistrationCode | DeleteRegistrationCode | \* | 
| iot:DeleteRoleAlias | DeleteRoleAlias | `arn:aws:iot:{{region}}:{{account-id}}:rolealias/{{role-alias-name}}` | 
| iot:DeleteSecurityProfile | DeleteSecurityProfile | `arn:aws:iot:{{region}}:{{account-id}}:securityprofile/{{security-profile-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:dimension/{{dimension-name}}` | 
| iot:DeleteThing | DeleteThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:DeleteThingGroup | DeleteThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:DeleteThingType | DeleteThingType | `arn:aws:iot:{{region}}:{{account-id}}:thingtype/{{thing-type-name}}` | 
| iot:DeleteTopicRule | DeleteTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:DeleteV2LoggingLevel | DeleteV2LoggingLevel | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:DeprecateThingType | DeprecateThingType | `arn:aws:iot:{{region}}:{{account-id}}:thingtype/{{thing-type-name}}` | 
| iot:DescribeAuthorizer | DescribeAuthorizer | `arn:aws:iot:{{region}}:{{account-id}}:authorizer/{{authorizer-function-name}}`<br />(parameter: authorizerName) none  | 
| iot:DescribeCACertificate | DescribeCACertificate | `arn:aws:iot:{{region}}:{{account-id}}:cacert/{{cert-id}}` | 
| iot:DescribeCertificate | DescribeCertificate | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:DescribeDefaultAuthorizer | DescribeDefaultAuthorizer | none  | 
| iot:DescribeEndpoint | DescribeEndpoint | \* | 
| iot:DescribeEventConfigurations | DescribeEventConfigurations | none  | 
| iot:DescribeIndex | DescribeIndex | `arn:aws:iot:{{region}}:{{account-id}}:index/{{index-name}}` | 
| iot:DescribeJob | DescribeJob | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}` | 
| iot:DescribeJobExecution | DescribeJobExecution | none | 
| iot:DescribeJobTemplate | DescribeJobTemplate | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-template-id}}` | 
| iot:DescribeRoleAlias | DescribeRoleAlias | `arn:aws:iot:{{region}}:{{account-id}}:rolealias/{{role-alias-name}}` | 
| iot:DescribeThing | DescribeThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:DescribeThingGroup | DescribeThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:DescribeThingRegistrationTask | DescribeThingRegistrationTask | none | 
| iot:DescribeThingType | DescribeThingType | `arn:aws:iot:{{region}}:{{account-id}}:thingtype/{{thing-type-name}}` | 
| iot:DetachPolicy | DetachPolicy | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}`<br />or<br />`arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:DetachPrincipalPolicy | DetachPrincipalPolicy | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:DetachSecurityProfile | DetachSecurityProfile | `arn:aws:iot:{{region}}:{{account-id}}:securityprofile/{{security-profile-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:dimension/{{dimension-name}}` | 
| iot:DetachThingPrincipal | DetachThingPrincipal | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:DisableTopicRule | DisableTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:EnableTopicRule | EnableTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:GetEffectivePolicies | GetEffectivePolicies | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:GetIndexingConfiguration | GetIndexingConfiguration | none | 
| iot:GetJobDocument | GetJobDocument | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}` | 
| iot:GetLoggingOptions | GetLoggingOptions | \* | 
| iot:GetPolicy | GetPolicy | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:GetPolicyVersion | GetPolicyVersion | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:GetRegistrationCode | GetRegistrationCode | \* | 
| iot:GetTopicRule | GetTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:ListAttachedPolicies | ListAttachedPolicies | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />or<br />`arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:ListAuthorizers | ListAuthorizers | none | 
| iot:ListCACertificates | ListCACertificates | \* | 
| iot:ListCertificates | ListCertificates | \* | 
| iot:ListCertificatesByCA | ListCertificatesByCA | \* | 
| iot:ListIndices | ListIndices | none | 
| iot:ListJobExecutionsForJob | ListJobExecutionsForJob | none | 
| iot:ListJobExecutionsForThing | ListJobExecutionsForThing | none | 
| iot:ListJobs | ListJobs | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />if the thingGroupName parameter is used | 
| iot:ListJobTemplates | ListJobTemplates | none | 
| iot:ListOutgoingCertificates | ListOutgoingCertificates | \* | 
| iot:ListPolicies | ListPolicies | \* | 
| iot:ListPolicyPrincipals | ListPolicyPrincipals | \* | 
| iot:ListPolicyVersions | ListPolicyVersions | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:ListPrincipalPolicies | ListPrincipalPolicies | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:ListPrincipalThings | ListPrincipalThings | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:ListRoleAliases | ListRoleAliases | none | 
| iot:ListTargetsForPolicy | ListTargetsForPolicy | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:ListThingGroups | ListThingGroups | none | 
| iot:ListThingGroupsForThing | ListThingGroupsForThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:ListThingPrincipals | ListThingPrincipals | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:ListThingRegistrationTaskReports | ListThingRegistrationTaskReports | none | 
| iot:ListThingRegistrationTasks | ListThingRegistrationTasks | none | 
| iot:ListThingTypes | ListThingTypes | \* | 
| iot:ListThings | ListThings | \* | 
| iot:ListThingsInThingGroup | ListThingsInThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:ListTopicRules | ListTopicRules | \* | 
| iot:ListV2LoggingLevels | ListV2LoggingLevels | none | 
| iot:RegisterCACertificate | RegisterCACertificate | \* | 
| iot:RegisterCertificate | RegisterCertificate | \* | 
| iot:RegisterThing | RegisterThing | none | 
| iot:RejectCertificateTransfer | RejectCertificateTransfer | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:RemoveThingFromThingGroup | RemoveThingFromThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:ReplaceTopicRule | ReplaceTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:SearchIndex | SearchIndex | `arn:aws:iot:{{region}}:{{account-id}}:index/{{index-id}}` | 
| iot:SetDefaultAuthorizer | SetDefaultAuthorizer | `arn:aws:iot:{{region}}:{{account-id}}:authorizer/{{authorizer-function-name}}` | 
| iot:SetDefaultPolicyVersion | SetDefaultPolicyVersion | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:SetLoggingOptions | SetLoggingOptions | `arn:aws:iot:{{region}}:{{account-id}}:role/{{role-name}}` | 
| iot:SetV2LoggingLevel | SetV2LoggingLevel | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:SetV2LoggingOptions | SetV2LoggingOptions | `arn:aws:iot:{{region}}:{{account-id}}:role/{{role-name}}` | 
| iot:StartThingRegistrationTask | StartThingRegistrationTask | none | 
| iot:StopThingRegistrationTask | StopThingRegistrationTask | none | 
| iot:TestAuthorization | TestAuthorization | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:TestInvokeAuthorizer | TestInvokeAuthorizer | none | 
| iot:TransferCertificate | TransferCertificate | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:UpdateAuthorizer | UpdateAuthorizer | `arn:aws:iot:{{region}}:{{account-id}}:authorizerfunction/{{authorizer-function-name}}` | 
| iot:UpdateCACertificate | UpdateCACertificate | `arn:aws:iot:{{region}}:{{account-id}}:cacert/{{cert-id}}` | 
| iot:UpdateCertificate | UpdateCertificate | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:UpdateDimension | UpdateDimension | `arn:aws:iot:{{region}}:{{account-id}}:dimension/{{dimension-name}}` | 
| iot:UpdateEventConfigurations | UpdateEventConfigurations | none | 
| iot:UpdateIndexingConfiguration | UpdateIndexingConfiguration | none | 
| iot:UpdateRoleAlias | UpdateRoleAlias | `arn:aws:iot:{{region}}:{{account-id}}:rolealias/{{role-alias-name}}` | 
| iot:UpdateSecurityProfile | UpdateSecurityProfile | `arn:aws:iot:{{region}}:{{account-id}}:securityprofile/{{security-profile-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:dimension/{{dimension-name}}` | 
| iot:UpdateThing | UpdateThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:UpdateThingGroup | UpdateThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:UpdateThingGroupsForThing | UpdateThingGroupsForThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 

Policy actions in AWS IoT use the following prefix before the action: `iot:`. For example, to grant someone permission to list all IoT things registered in their AWS account with the `ListThings` API, you include the `iot:ListThings` action in their policy. Policy statements must include either an `Action` or a `NotAction` element. AWS IoT defines its own set of actions that describe the tasks you can perform with this service.

To specify multiple actions in a single statement, separate them with commas, as follows:

```
"Action": [
      "iot:DescribeThing",
      "iot:ListThings"
]
```

You can also specify multiple actions using a wildcard (\*). For example, to specify all actions that begin with the word `Describe`, include the following action:

```
"Action": "iot:Describe*"
```

To see a list of AWS IoT actions, see [Actions defined by AWS IoT](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions) in the *IAM User Guide*.

#### Device Advisor actions
<a name="security_iam_service-actions-device-advisor"></a>

The following table lists the IAM AWS IoT Device Advisor actions, the associated AWS IoT Device Advisor API, and the resource that the action manipulates.


| Policy action | AWS IoT API | Resource | 
| --- | --- | --- | 
| iotdeviceadvisor:CreateSuiteDefinition | CreateSuiteDefinition | none | 
| iotdeviceadvisor:DeleteSuiteDefinition | DeleteSuiteDefinition | `arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suitedefinition/{{suite-definition-id}}` | 
| iotdeviceadvisor:GetSuiteDefinition | GetSuiteDefinition | `arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suitedefinition/{{suite-definition-id}}` | 
| iotdeviceadvisor:GetSuiteRun | GetSuiteRun | `arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suitedefinition/{{suite-run-id}}` | 
| iotdeviceadvisor:GetSuiteRunReport | GetSuiteRunReport | `arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suiterun/{{suite-definition-id}}/{{suite-run-id}}` | 
| iotdeviceadvisor:ListSuiteDefinitions | ListSuiteDefinitions | none | 
| iotdeviceadvisor:ListSuiteRuns | ListSuiteRuns | `arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suitedefinition/{{suite-definition-id}}` | 
| iotdeviceadvisor:ListTagsForResource | ListTagsForResource | `arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suitedefinition/{{suite-definition-id}}`<br />`arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suiterun/suite-definition-id/{{suite-run-id}}` | 
| iotdeviceadvisor:StartSuiteRun | StartSuiteRun | `arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suitedefinition/{{suite-definition-id}}` | 
| iotdeviceadvisor:TagResource | TagResource | `arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suitedefinition/{{suite-definition-id}}`<br />`arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suiterun/suite-definition-id/{{suite-run-id}}` | 
| iotdeviceadvisor:UntagResource | UntagResource | `arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suitedefinition/{{suite-definition-id}}`<br />`arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suiterun/suite-definition-id/{{suite-run-id}}` | 
| iotdeviceadvisor:UpdateSuiteDefinition | UpdateSuiteDefinition | `arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suitedefinition/{{suite-definition-id}}` | 
| iotdeviceadvisor:StopSuiteRun | StopSuiteRun | `arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suiterun/suite-definition-id/{{suite-run-id}}` | 

Policy actions in AWS IoT Device Advisor use the following prefix before the action: `iotdeviceadvisor:`. For example, to grant someone permission to list all suite definitions registered in their AWS account with the ListSuiteDefinitions API, you include the `iotdeviceadvisor:ListSuiteDefinitions` action in their policy.

### Resources
<a name="security_iam_service-with-iam-id-based-policies-resources"></a>

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Resource` JSON policy element specifies the object or objects to which the action applies. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). For actions that don't support resource-level permissions, use a wildcard (\*) to indicate that the statement applies to all resources.

```
"Resource": "*"
```


**AWS IoT resources**  

| Policy action | AWS IoT API | Resource | 
| --- | --- | --- | 
| iot:AcceptCertificateTransfer | AcceptCertificateTransfer | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` The AWS account specified in the ARN must be the account the certificate is being transferred to.  | 
| iot:AddThingToThingGroup | AddThingToThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:AssociateTargetsWithJob | AssociateTargetsWithJob | none  | 
| iot:AttachPolicy | AttachPolicy | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />or<br />`arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:AttachPrincipalPolicy | AttachPrincipalPolicy | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:AttachThingPrincipal | AttachThingPrincipal | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:CancelCertificateTransfer | CancelCertificateTransfer | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` The AWS account specified in the ARN must be the account the certificate is being transferred to.  | 
| iot:CancelJob | CancelJob | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}` | 
| iot:CancelJobExecution | CancelJobExecution | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:ClearDefaultAuthorizer | ClearDefaultAuthorizer | none | 
| iot:CreateAuthorizer | CreateAuthorizer | `arn:aws:iot:{{region}}:{{account-id}}:authorizer/{{authorizer-function-name}}` | 
| iot:CreateCertificateFromCsr | CreateCertificateFromCsr | \* | 
| iot:CreateJob | CreateJob | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:jobtemplate/{{job-template-id}}` | 
| iot:CreateJobTemplate | CreateJobTemplate | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:jobtemplate/{{job-template-id}}` | 
| iot:CreateKeysAndCertificate | CreateKeysAndCertificate | \* | 
| iot:CreatePolicy | CreatePolicy | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:CreatePolicyVersion | CreatePolicyVersion | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` This must be an AWS IoT policy, not an IAM policy.  | 
| iot:CreateRoleAlias | CreateRoleAlias | (parameter: roleAlias)<br />`arn:aws:iot:{{region}}:{{account-id}}:rolealias/{{role-alias-name}}` | 
| iot:CreateThing | CreateThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:CreateThingGroup | CreateThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />for the group to be created and for the parent group (if used) | 
| iot:CreateThingType | CreateThingType | `arn:aws:iot:{{region}}:{{account-id}}:thingtype/{{thing-type-name}}` | 
| iot:CreateTopicRule | CreateTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:DeleteAuthorizer | DeleteAuthorizer | `arn:aws:iot:{{region}}:{{account-id}}:authorizer/{{authorizer-name}}` | 
| iot:DeleteCACertificate | DeleteCACertificate | `arn:aws:iot:{{region}}:{{account-id}}:cacert/{{cert-id}}` | 
| iot:DeleteCertificate | DeleteCertificate | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:DeleteJob | DeleteJob | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}` | 
| iot:DeleteJobExecution | DeleteJobExecution | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:DeleteJobTemplate | DeleteJobTemplate | `arn:aws:iot:{{region}}:{{account-id}}:jobtemplate/{{job-template-id}}` | 
| iot:DeletePolicy | DeletePolicy | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:DeletePolicyVersion | DeletePolicyVersion | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:DeleteRegistrationCode | DeleteRegistrationCode | \* | 
| iot:DeleteRoleAlias | DeleteRoleAlias | `arn:aws:iot:{{region}}:{{account-id}}:rolealias/{{role-alias-name}}` | 
| iot:DeleteThing | DeleteThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:DeleteThingGroup | DeleteThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:DeleteThingType | DeleteThingType | `arn:aws:iot:{{region}}:{{account-id}}:thingtype/{{thing-type-name}}` | 
| iot:DeleteTopicRule | DeleteTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:DeleteV2LoggingLevel | DeleteV2LoggingLevel | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:DeprecateThingType | DeprecateThingType | `arn:aws:iot:{{region}}:{{account-id}}:thingtype/{{thing-type-name}}` | 
| iot:DescribeAuthorizer | DescribeAuthorizer | `arn:aws:iot:{{region}}:{{account-id}}:authorizer/{{authorizer-function-name}}`<br />(parameter: authorizerName) none  | 
| iot:DescribeCACertificate | DescribeCACertificate | `arn:aws:iot:{{region}}:{{account-id}}:cacert/{{cert-id}}` | 
| iot:DescribeCertificate | DescribeCertificate | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:DescribeDefaultAuthorizer | DescribeDefaultAuthorizer | none  | 
| iot:DescribeEndpoint | DescribeEndpoint | \* | 
| iot:DescribeEventConfigurations | DescribeEventConfigurations | none  | 
| iot:DescribeIndex | DescribeIndex | `arn:aws:iot:{{region}}:{{account-id}}:index/{{index-name}}` | 
| iot:DescribeJob | DescribeJob | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}` | 
| iot:DescribeJobExecution | DescribeJobExecution | none | 
| iot:DescribeJobTemplate | DescribeJobTemplate | `arn:aws:iot:{{region}}:{{account-id}}:jobtemplate/{{job-template-id}}` | 
| iot:DescribeRoleAlias | DescribeRoleAlias | `arn:aws:iot:{{region}}:{{account-id}}:rolealias/{{role-alias-name}}` | 
| iot:DescribeThing | DescribeThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:DescribeThingGroup | DescribeThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:DescribeThingRegistrationTask | DescribeThingRegistrationTask | none | 
| iot:DescribeThingType | DescribeThingType | `arn:aws:iot:{{region}}:{{account-id}}:thingtype/{{thing-type-name}}` | 
| iot:DetachPolicy | DetachPolicy | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}`<br />or<br />`arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:DetachPrincipalPolicy | DetachPrincipalPolicy | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:DetachThingPrincipal | DetachThingPrincipal | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:DisableTopicRule | DisableTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:EnableTopicRule | EnableTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:GetEffectivePolicies | GetEffectivePolicies | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:GetIndexingConfiguration | GetIndexingConfiguration | none | 
| iot:GetJobDocument | GetJobDocument | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}` | 
| iot:GetLoggingOptions | GetLoggingOptions | \* | 
| iot:GetPolicy | GetPolicy | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:GetPolicyVersion | GetPolicyVersion | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:GetRegistrationCode | GetRegistrationCode | \* | 
| iot:GetTopicRule | GetTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:ListAttachedPolicies | ListAttachedPolicies | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />or<br />`arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:ListAuthorizers | ListAuthorizers | none | 
| iot:ListCACertificates | ListCACertificates | \* | 
| iot:ListCertificates | ListCertificates | \* | 
| iot:ListCertificatesByCA | ListCertificatesByCA | \* | 
| iot:ListIndices | ListIndices | none | 
| iot:ListJobExecutionsForJob | ListJobExecutionsForJob | none | 
| iot:ListJobExecutionsForThing | ListJobExecutionsForThing | none | 
| iot:ListJobs | ListJobs | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />if the thingGroupName parameter is used | 
| iot:ListJobTemplates | ListJobTemplates | none | 
| iot:ListOutgoingCertificates | ListOutgoingCertificates | \* | 
| iot:ListPolicies | ListPolicies | \* | 
| iot:ListPolicyPrincipals | ListPolicyPrincipals | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:ListPolicyVersions | ListPolicyVersions | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:ListPrincipalPolicies | ListPrincipalPolicies | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:ListPrincipalThings | ListPrincipalThings | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:ListRoleAliases | ListRoleAliases | none | 
| iot:ListTargetsForPolicy | ListTargetsForPolicy | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:ListThingGroups | ListThingGroups | none | 
| iot:ListThingGroupsForThing | ListThingGroupsForThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:ListThingPrincipals | ListThingPrincipals | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:ListThingRegistrationTaskReports | ListThingRegistrationTaskReports | none | 
| iot:ListThingRegistrationTasks | ListThingRegistrationTasks | none | 
| iot:ListThingTypes | ListThingTypes | \* | 
| iot:ListThings | ListThings | \* | 
| iot:ListThingsInThingGroup | ListThingsInThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:ListTopicRules | ListTopicRules | \* | 
| iot:ListV2LoggingLevels | ListV2LoggingLevels | none | 
| iot:RegisterCACertificate | RegisterCACertificate | \* | 
| iot:RegisterCertificate | RegisterCertificate | \* | 
| iot:RegisterThing | RegisterThing | none | 
| iot:RejectCertificateTransfer | RejectCertificateTransfer | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:RemoveThingFromThingGroup | RemoveThingFromThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:ReplaceTopicRule | ReplaceTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:SearchIndex | SearchIndex | `arn:aws:iot:{{region}}:{{account-id}}:index/{{index-id}}` | 
| iot:SetDefaultAuthorizer | SetDefaultAuthorizer | `arn:aws:iot:{{region}}:{{account-id}}:authorizer/{{authorizer-function-name}}` | 
| iot:SetDefaultPolicyVersion | SetDefaultPolicyVersion | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:SetLoggingOptions | SetLoggingOptions | \* | 
| iot:SetV2LoggingLevel | SetV2LoggingLevel | \* | 
| iot:SetV2LoggingOptions | SetV2LoggingOptions | \* | 
| iot:StartThingRegistrationTask | StartThingRegistrationTask | none | 
| iot:StopThingRegistrationTask | StopThingRegistrationTask | none | 
| iot:TestAuthorization | TestAuthorization | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:TestInvokeAuthorizer | TestInvokeAuthorizer | none | 
| iot:TransferCertificate | TransferCertificate | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:UpdateAuthorizer | UpdateAuthorizer | `arn:aws:iot:{{region}}:{{account-id}}:authorizerfunction/{{authorizer-function-name}}` | 
| iot:UpdateCACertificate | UpdateCACertificate | `arn:aws:iot:{{region}}:{{account-id}}:cacert/{{cert-id}}` | 
| iot:UpdateCertificate | UpdateCertificate | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:UpdateEventConfigurations | UpdateEventConfigurations | none | 
| iot:UpdateIndexingConfiguration | UpdateIndexingConfiguration | none | 
| iot:UpdateRoleAlias | UpdateRoleAlias | `arn:aws:iot:{{region}}:{{account-id}}:rolealias/{{role-alias-name}}` | 
| iot:UpdateThing | UpdateThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:UpdateThingGroup | UpdateThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:UpdateThingGroupsForThing | UpdateThingGroupsForThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 

For more information about the format of ARNs, see [Amazon Resource Names (ARNs) and AWS service namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html).

Some AWS IoT actions, such as those for creating resources, cannot be performed on a specific resource. In those cases, you must use the wildcard (\*).

```
"Resource": "*"
```

To see a list of AWS IoT resource types and their ARNs, see [Resources defined by AWS IoT](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-resources-for-iam-policies) in the *IAM User Guide*. To learn with which actions you can specify the ARN of each resource, see [Actions defined by AWS IoT](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions).

#### Device Advisor resources
<a name="security_iam_service-device-advisor-resources"></a>

To define resource-level restrictions in IAM policies for AWS IoT Device Advisor, use the following resource ARN formats for suite definitions and suite runs.

Suite definition resource ARN format  
`arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suitedefinition/{{suite-definition-id}}`

Suite run resource ARN format  
`arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suiterun/{{suite-definition-id}}/{{suite-run-id}}`

### Condition keys
<a name="security_iam_service-with-iam-id-based-policies-conditionkeys"></a>

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Condition` element specifies when a statement is in effect, based on the conditions you define. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

AWS IoT defines its own set of condition keys and also supports using some global condition keys. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_condition-keys.html) in the *IAM User Guide*.


**AWS IoT condition keys**  

| AWS IoT condition key | Description | Type | 
| --- | --- | --- | 
| aws:RequestTag/${{{tag-key}}} | A tag key that is present in the request that the user makes to AWS IoT. | String | 
| aws:ResourceTag/${{{tag-key}}} | The tag key component of a tag attached to an AWS IoT resource. | String | 
| aws:TagKeys | The list of all the tag key names associated with the resource in the request. | String | 

To see a list of AWS IoT condition keys, see [Condition keys for AWS IoT](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-policy-keys) in the *IAM User Guide*. To learn with which actions and resources you can use a condition key, see [Actions defined by AWS IoT](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions).

### Examples
<a name="security_iam_service-with-iam-id-based-policies-examples"></a>

To view examples of AWS IoT identity-based policies, see [AWS IoT identity-based policy examples](security_iam_id-based-policy-examples.md).

## AWS IoT resource-based policies
<a name="security_iam_service-with-iam-resource-based-policies"></a>

Resource-based policies are JSON policy documents that specify what actions a specified principal can perform on an AWS IoT resource and under what conditions.

AWS IoT does not support IAM resource-based policies. However, it does support AWS IoT resource-based policies. For more information, see [AWS IoT Core policies](iot-policies.md).

## Authorization based on AWS IoT tags
<a name="security_iam_service-with-iam-tags"></a>

You can attach tags to AWS IoT resources or pass tags in a request to AWS IoT. To control access based on tags, you provide tag information in the [condition element](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_elements_condition.html) of a policy using the `iot:ResourceTag/{{key-name}}`, `aws:RequestTag/{{key-name}}`, or `aws:TagKeys` condition keys. For more information, see [Using tags with IAM policies](tagging-iot-iam.md). For more information about tagging AWS IoT resources, see [Tagging your AWS IoT resources](tagging-iot.md).

To view an example identity-based policy for limiting access to a resource based on the tags on that resource, see [Viewing AWS IoT resources based on tags](security_iam_id-based-policy-examples.md#security_iam_id-based-policy-examples-view-thing-tags).
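The `Action`, `Resource`, and `Condition` elements described in the sections above (including the `iot:Describe*` wildcard, the `"*"` resource for actions without resource-level permissions, and the `aws:RequestTag`, `aws:ResourceTag` and `aws:TagKeys` keys), worked through as an added example that is not code from the AWS IoT documentation or from AWS: a small offline evaluator that lets you review an IoT-scoped identity-based policy before attaching it. The region, account ID, thing names, tag keys and the matching rules (only `StringEquals` and its `ForAllValues`/`ForAnyValue` set forms, explicit Deny over Allow) are assumptions of this example, not IAM's full evaluation engine.

```python
"""Offline evaluator for an IAM identity-based policy scoped to AWS IoT.

Added example; models the Action / Resource / Condition matching this page
describes. The evaluation rules are a simplification of IAM's and are an
assumption of this example: only StringEquals (plus ForAllValues/ForAnyValue)
is implemented, and an explicit Deny always overrides an Allow.
"""
import fnmatch

# Constructed sample identifiers; not a real account or real devices.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"


def iot_arn(resource_type, name):
    """Build an AWS IoT ARN in the form used by the tables on this page."""
    return f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:{resource_type}/{name}"


# Constructed least-privilege policy for a fleet operator:
#  - read-only Describe* on any thing, no condition;
#  - UpdateThing/DeleteThing only on things already tagged env=prod;
#  - CreateThing only when the request tags the thing env=prod and uses no
#    tag keys other than env and owner;
#  - CreateKeysAndCertificate needs "*" (no resource-level permissions);
#  - an explicit Deny that protects gateway things from deletion regardless
#    of what the Allow statements grant.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Describe*",
         "Resource": iot_arn("thing", "*")},
        {"Effect": "Allow", "Action": ["iot:UpdateThing", "iot:DeleteThing"],
         "Resource": iot_arn("thing", "*"),
         "Condition": {"StringEquals": {"aws:ResourceTag/env": "prod"}}},
        {"Effect": "Allow", "Action": "iot:CreateThing",
         "Resource": iot_arn("thing", "*"),
         "Condition": {
             "StringEquals": {"aws:RequestTag/env": "prod"},
             "ForAllValues:StringEquals": {"aws:TagKeys": ["env", "owner"]}}},
        {"Effect": "Allow", "Action": "iot:CreateKeysAndCertificate",
         "Resource": "*"},
        {"Effect": "Deny", "Action": "iot:DeleteThing",
         "Resource": iot_arn("thing", "gateway-*")},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _context_values(key, request):
    """Resolve a condition key against the request context. Assumed shape:
    request["request_tags"] = tags passed in the API call,
    request["resource_tags"] = tags already attached to the target resource."""
    if key.startswith("aws:RequestTag/"):
        value = request.get("request_tags", {}).get(key.split("/", 1)[1])
        return [] if value is None else [value]
    if key.startswith("aws:ResourceTag/"):
        value = request.get("resource_tags", {}).get(key.split("/", 1)[1])
        return [] if value is None else [value]
    if key == "aws:TagKeys":
        return list(request.get("request_tags", {}))
    return []


def _condition_matches(condition, request):
    for operator, pairs in condition.items():
        set_prefix, _, base = operator.rpartition(":")
        if base != "StringEquals":
            raise ValueError(f"operator not modelled in this example: {operator}")
        for key, allowed in pairs.items():
            allowed, actual = _as_list(allowed), _context_values(key, request)
            if set_prefix == "ForAllValues":
                ok = all(v in allowed for v in actual)  # vacuously true if empty
            elif set_prefix == "ForAnyValue":
                ok = any(v in allowed for v in actual)
            else:
                ok = bool(actual) and actual[0] in allowed  # missing key: no match
            if not ok:
                return False
    return True


def evaluate(policy, request):
    """Return "deny" (explicit), "allow", or "implicit-deny" for one request:
    {"action": ..., "resource": ..., "request_tags": {}, "resource_tags": {}}."""
    decision = "implicit-deny"
    action = request["action"].lower()  # action names are case-insensitive
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(request["resource"], r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), request):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # an explicit Deny wins over any Allow
        decision = "allow"
    return decision


if __name__ == "__main__":
    print(evaluate(POLICY, {"action": "iot:DescribeThing",
                            "resource": iot_arn("thing", "sensor-1")}))
    print(evaluate(POLICY, {"action": "iot:DeleteThing",
                            "resource": iot_arn("thing", "gateway-7"),
                            "resource_tags": {"env": "prod"}}))
```

Real IAM evaluation also applies permissions boundaries, session policies and other operators, so treat this as a reading aid for the policy document rather than a substitute for testing the attached policy.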

## AWS IoT IAM roles
<a name="security_iam_service-with-iam-roles"></a>

An [IAM role](https://docs.aws.amazon.com/service-authorization/latest/reference/id_roles.html) is an entity within your AWS account that has specific permissions.

### Using temporary credentials with AWS IoT
<a name="security_iam_service-with-iam-roles-tempcreds"></a>

You can use temporary credentials to sign in with federation, assume an IAM role, or assume a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) or [GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html).

AWS IoT supports using temporary credentials.

### Service-linked roles
<a name="security_iam_service-with-iam-roles-service-linked"></a>

[Service-linked roles](https://docs.aws.amazon.com/service-authorization/latest/reference/id_roles_terms-and-concepts.html#iam-term-service-linked-role) allow AWS services to access resources in other services to complete an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view, but not edit, the permissions for service-linked roles.

AWS IoT does not support service-linked roles.

### Service roles
<a name="security_iam_service-with-iam-roles-service"></a>

This feature allows a service to assume a [service role](https://docs.aws.amazon.com/service-authorization/latest/reference/id_roles_terms-and-concepts.html#iam-term-service-role) on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might break the functionality of the service.