Policy to connect and publish retained messages Policy to connect and publish retained Will messages Policy to list and get retained messages

Retained message policy examples

Using retained messages requires specific policies. Retained messages are MQTT messages published with the RETAIN flag set and stored by AWS IoT Core. This section presents examples of policies that allow common uses of retained messages.

In this section:

Policy to connect and publish retained messages
Policy to connect and publish retained Will messages
Policy to list and get retained messages

Policy to connect and publish retained messages

For a device to publish retained messages, the device must be able to connect, publish (any MQTT message), and publish MQTT retained messages. The following policy grants these permissions for the topic: device/sample/configuration to client device1. For another example that grants permission to connect, see Connect and publish policy examples.


{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"iot:Connect"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:client/device1"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"iot:Publish",
				"iot:RetainPublish"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:topic/device/sample/configuration"
			]
		}
	]
}

Policy to connect and publish retained Will messages

Clients can configure a message that AWS IoT Core will publish when the client disconnects unexpectedly. MQTT calls such a message a Will message. A client must have an additional condition added to its connect permission to include them.

The following policy document grants all clients permission to connect and publish a Will message, identified by its topic, will, that AWS IoT Core will also retain.


{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"iot:Connect"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:client/device1"
			],
			"Condition": {
				"ForAllValues:StringEquals": {
					"iot:ConnectAttributes": [
						"LastWill"
					]
				}
			}
		},
		{
			"Effect": "Allow",
			"Action": [
				"iot:Publish",
				"iot:RetainPublish"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:topic/will"
			]
		}
	]
}

Policy to list and get retained messages

Services and applications can access retained messages without the need to support an MQTT client by calling ListRetainedMessages and GetRetainedMessage. The services and applications that call these actions must be authorized by using a policy such as the following example.


{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"iot:ListRetainedMessages"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:client/device1"
			],
		},
		{
			"Effect": "Allow",
			"Action": [
				"iot:GetRetainedMessage"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:topic/foo"
			]
		}
	]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Connect and publish policy examples

Certificate policy examples