I am having difficulty using ${iot:Certificate.Subject.SerialNumber} in a policy to restrict shadow access to the device using the specified certificate.
I have a certificate that has been issued by aws-iot with serial number in hex: 00 FC 63 F4 3D D8 8D 92 B1 19 5E 3C 6B D4 1B 99 1E 60 7C 86 34
If I convert this to a decimal string I get: 1440894724465102159684825527826579699971598878260
I have attached this certificate to a Thing with name: Scoot-1440894724465102159684825527826579699971598878260
My policy is:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": "arn:aws:iot:eu-central-1:XXXXXXXXXX:client/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish",
                "iot:Subscribe",
                "iot:Receive"
            ],
            "Resource": [
                "arn:aws:iot:eu-central-1:XXXXXXXXXX:topic/$aws/things/Scoot-${iot:Certificate.Subject.SerialNumber}/*",
                "arn:aws:iot:eu-central-1:XXXXXXXXXX:topicfilter/$aws/things/Scoot-${iot:Certificate.Subject.SerialNumber}/*"
            ]
        }
    ]
}
The device cannot publish messages to the shadow topics.
What am I doing wrong?
I figured this out. The certificates issued by AWS have no SerialNumber attribute in the subject.
They are an attribute on their own.
I should use ${iot:Certificate.SerialNumber} instead of ${iot:Certificate.Subject.SerialNumber}.
It works now and my devices cannot access each other's shadows anymore.
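An added simulation (not code from the thread or from AWS) of how the policy variable scopes each device to its own shadow topics. It assumes the certificate serial and thing name from the question, a placeholder account id, a second constructed device serial, and that an unknown variable name is simply left unresolved in the resource ARN (an assumption; the thread only reports that access was denied).

```python
import re

# Constructed sample values taken from the question: the serial as AWS shows it
# (hex bytes) and a second, made-up device serial. The account id is a placeholder.
CERT_SERIAL_HEX = "00 FC 63 F4 3D D8 8D 92 B1 19 5E 3C 6B D4 1B 99 1E 60 7C 86 34"
OTHER_SERIAL_HEX = "00 11 22 33"
REGION_ACCOUNT = "eu-central-1:123456789012"


def serial_hex_to_decimal(hex_serial: str) -> str:
    """Decimal form of the serial, which is what ${iot:Certificate.SerialNumber} expands to."""
    return str(int(hex_serial.replace(" ", ""), 16))


def policy_for(variable: str) -> dict:
    """The shadow-scoping policy from the question, parameterised on the variable name."""
    base = f"arn:aws:iot:{REGION_ACCOUNT}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": f"{base}:client/*"},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Subscribe", "iot:Receive"],
         "Resource": [f"{base}:topic/$aws/things/Scoot-${{{variable}}}/*",
                      f"{base}:topicfilter/$aws/things/Scoot-${{{variable}}}/*"]}]}


def resolve_variables(resource: str, cert_serial_hex: str) -> str:
    """Substitute the one variable that exists; any other name stays unresolved (assumption)."""
    return resource.replace("${iot:Certificate.SerialNumber}", serial_hex_to_decimal(cert_serial_hex))


def arn_matches(pattern: str, arn: str) -> bool:
    """'*' in a resource ARN matches any run of characters, '/' included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, arn) is not None


def is_allowed(policy: dict, action: str, arn: str, cert_serial_hex: str) -> bool:
    """Allow-only evaluation: some statement must list the action and a matching resource."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if stmt["Effect"] == "Allow" and action in actions and any(
                arn_matches(resolve_variables(r, cert_serial_hex), arn) for r in resources):
            return True
    return False


def shadow_topic_arn(thing_name: str, suffix: str = "shadow/update") -> str:
    return f"arn:aws:iot:{REGION_ACCOUNT}:topic/$aws/things/{thing_name}/{suffix}"


if __name__ == "__main__":
    own = "Scoot-" + serial_hex_to_decimal(CERT_SERIAL_HEX)
    other = "Scoot-" + serial_hex_to_decimal(OTHER_SERIAL_HEX)
    for var in ("iot:Certificate.Subject.SerialNumber", "iot:Certificate.SerialNumber"):
        pol = policy_for(var)
        print(var, "own shadow:", is_allowed(pol, "iot:Publish", shadow_topic_arn(own), CERT_SERIAL_HEX),
              "other shadow:", is_allowed(pol, "iot:Publish", shadow_topic_arn(other), CERT_SERIAL_HEX))
```

With the wrong variable name the device is denied even its own shadow; with the right one it reaches only its own.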