如何使用AWS IoT策略的通配符与iot的作业资源:发布

Question

我如何允许所有的作业，而不是特定的作业名称，“物联网:发布”从我的设备？

我不知道允许通配符+或*的作业更新主题为“物联网:发布”。

但是我可以用它写“物联网:订阅”和“物联网:接收”。

AWS IoT策略：

“物联网:出版”

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": [
        "arn:aws:iot:xxx:xxx:topic/$aws/things/${iot:ClientId}/jobs/start-next",
        "arn:aws:iot:xxx:xxx:topic/$aws/things/${iot:ClientId}/jobs/ota-20190401/update"  <- (A)allow publishing
        "arn:aws:iot:xxx:xxx:topic/$aws/things/${iot:ClientId}/jobs/+/update"  <- (B)not allow publishing
      ]
    }
  ]
}

“物联网:订阅”

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": [
        "arn:aws:iot:xxx:xxx:topicfilter/$aws/things/${iot:ClientId}/jobs/notify-next",
        "arn:aws:iot:xxx:xxx:topicfilter/$aws/things/${iot:ClientId}/jobs/start-next/accepted",
        "arn:aws:iot:xxx:xxx:topicfilter/$aws/things/${iot:ClientId}/jobs/start-next/rejected",
        "arn:aws:iot:xxx:xxx:topicfilter/$aws/things/${iot:ClientId}/jobs/+/update/accepted",  <- allow subscribing
        "arn:aws:iot:xxx:xxx:topicfilter/$aws/things/${iot:ClientId}/jobs/+/update/rejected"  <- allow subscribing
      ]
    }
  ]
}

我在我的设备上安装了AWSIoTPythonSDK.exception.AWSIoTExceptions.publishTimeoutException以防(B)策略的影响。

Answer 1

根据https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html的说法，'+‘或'#’被视为一个字面字符。您可以使用“*”作为通配符，但请注意，“*”将匹配主题中的任何字符(字母、数字、斜杠等)。