This is my policy document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:us-east-2:000000000000:client/sub",
        "arn:aws:iot:us-east-2:000000000000:client/pub"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-2:000000000000:topicfilter/org/cid/+/data"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:us-east-2:000000000000:topic/org/cid/sample/data"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:us-east-2:000000000000:topic/org/cid/sample/data"
    }
  ]
}

This is my publishing client:

mosquitto_pub -h endpoint-ats.iot.us-east-2.amazonaws.com -p 8883 -i pub --cafile aws-iot-root-ca-1.pem --cert pub-certificate.pem.crt --key pub-private.pem.key -t /org/cid/sample/data -m 'Hello'

And, this is my subscribing client:

mosquitto_sub -h endpoint-ats.iot.us-east-2.amazonaws.com -p 8883 -i sub --cafile aws-iot-root-ca-1.pem --cert sub-certificate.pem.crt --key sub-private.pem.key -t /org/cid/+/data  -d

The subscription never goes through; it keeps reconnecting.

Client sub sending CONNECT
Client sub received CONNACK
Client sub sending SUBSCRIBE (Mid: 1, Topic: /org/cid/+/data, QoS: 0)
Client sub sending CONNECT

The certificate is attached to the policy correctly.

Is there an option to define publish/subscribe settings per client identifier? What am I missing?

cogitoergosum

1 Answer

Two things:

  1. The + as a wildcard for subscription is NOT honored. From the documentation:

The MQTT wildcard character '+' is not treated as a wildcard within a policy. Attempts to subscribe to topic filters that match the pattern foo/+/bar like foo/baz/bar or foo/goo/bar fails and causes the client to disconnect.

  2. The topic string shouldn't have the leading slash.

Therefore, I changed the policy to have the exact topic string and in my pub and sub clients removed the leading slash. It works now.

:roll-eyes:

cogitoergosum
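As an added example (not code from the question or the answer above), here is a small Python model of the two pitfalls the answer names: the policy resource ARN is compared with the requested topic filter literally, apart from the IAM `*`/`?` wildcards, so a `+` in the policy is just a character, and a leading slash in the client's `-t` argument becomes part of the ARN. The two sample policies, `subscribe_allowed` and `lint_topic_resources` are constructed for this page, and the matching logic is a simplified model of AWS IoT's evaluation, not the service's own code.

```python
import json
import re

# Constructed samples: the subscribe statement from the question (with '+')
# and the exact-topic version the answer switched to.
POLICY_WITH_PLUS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "iot:Subscribe",
    "Resource": "arn:aws:iot:us-east-2:000000000000:topicfilter/org/cid/+/data"}]
}""")
POLICY_EXACT = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "iot:Subscribe",
    "Resource": "arn:aws:iot:us-east-2:000000000000:topicfilter/org/cid/sample/data"}]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _arn_matches(pattern, arn):
    # Character-by-character comparison; only the IAM '*' and '?' wildcards are
    # expanded. MQTT '+' and '#' stay ordinary characters, as the quoted docs say.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, arn) is not None

def subscribe_allowed(policy, topic_filter, region="us-east-2", account="000000000000"):
    """True if an Allow statement grants iot:Subscribe on this topic filter.
    The filter is embedded verbatim, so a leading '/' changes the ARN."""
    arn = f"arn:aws:iot:{region}:{account}:topicfilter/{topic_filter}"
    for stmt in policy["Statement"]:
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not {"iot:Subscribe", "iot:*", "*"} & actions:
            continue
        if any(_arn_matches(p, arn) for p in _as_list(stmt.get("Resource", []))):
            return True
    return False

def lint_topic_resources(policy):
    """Report topic/topicfilter resources that hit either pitfall from the answer."""
    findings = []
    for stmt in policy["Statement"]:
        for res in _as_list(stmt.get("Resource", [])):
            kind, _, path = res.rpartition(":")[2].partition("/")
            if kind not in ("topic", "topicfilter"):
                continue
            if "+" in path or "#" in path:
                findings.append((res, "MQTT wildcard is literal in a policy"))
            if path.startswith("/"):
                findings.append((res, "leading slash becomes part of the topic"))
    return findings
```

Running `lint_topic_resources` over a policy before attaching it to a certificate catches the `+` case before the client starts its connect/disconnect loop.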