AWS IoT
Developer Guide

Thing Policy Variables

Thing policy variables allow you to write AWS IoT policies that grant or deny permissions based on thing properties like thing names, thing types, and thing attribute values. The thing name is obtained from the client ID in the MQTT Connect message sent when a thing connects to AWS IoT. The thing policy variables are replaced when a thing connects to AWS IoT over MQTT using TLS mutual authentication or MQTT over the WebSocket protocol using authenticated Amazon Cognito identities. Thing policy variables are also replaced when a certificate or authenticated Amazon Cognito identity is attached to a thing. You can use the AttachThingPrincipal API to attach certificates and authenticated Amazon Cognito identities to a thing.

The following thing policy variables are available:

  • iot:Connection.Thing.ThingName

  • iot:Connection.Thing.ThingTypeName

  • iot:Connection.Thing.Attributes[attributeName]

  • iot:Connection.Thing.IsAttached

iot:Connection.Thing.ThingName

This resolves to the name of the thing for which the policy is being evaluated. The thing name is set to the client ID of the MQTT/WebSocket connection. This policy variable is available only when connecting over MQTT or MQTT over the WebSocket protocol.

iot:Connection.Thing.ThingTypeName

This resolves to the thing type associated with the thing for which the policy is being evaluated. The thing name is set to the client ID of the MQTT/WebSocket connection. The thing type name is obtained by a call to the DescribeThing API. This policy variable is available only when connecting over MQTT or MQTT over the WebSocket protocol.

iot:Connection.Thing.Attributes[attributeName]

This resolves to the value of the specified attribute associated with the thing for which the policy is being evaluated. A thing can have up to 50 attributes. Each attribute is available as a policy variable: iot:Connection.Thing.Attributes[attributeName] where attributeName is the name of the attribute. The thing name is set to the client ID of the MQTT/WebSocket connection. This policy variable is only available when connecting over MQTT or MQTT over the WebSocket protocol.

iot:Connection.Thing.IsAttached

This resolves to true if the thing for which the policy is being evaluated has a certificate or Amazon Cognito identity attached.
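The following AWS IoT policy, written as an added example rather than one taken from this guide, ties each of the four variables above to a concrete permission: a device may connect only with a client ID that is a registered thing name backed by an attached principal, and may publish and subscribe only to topics scoped by its own thing name, thing type, and a `fleet` attribute. `REGION` and `ACCOUNT_ID` are placeholders for the account's values, and the topic layout and the `fleet` attribute are assumptions for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": [
        "arn:aws:iot:REGION:ACCOUNT_ID:client/${iot:Connection.Thing.ThingName}"
      ],
      "Condition": {
        "Bool": {
          "iot:Connection.Thing.IsAttached": ["true"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": [
        "arn:aws:iot:REGION:ACCOUNT_ID:topic/telemetry/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": [
        "arn:aws:iot:REGION:ACCOUNT_ID:topicfilter/commands/${iot:Connection.Thing.Attributes[fleet]}/${iot:Connection.Thing.ThingName}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Receive"],
      "Resource": [
        "arn:aws:iot:REGION:ACCOUNT_ID:topic/commands/${iot:Connection.Thing.Attributes[fleet]}/${iot:Connection.Thing.ThingName}"
      ]
    }
  ]
}
```

Because the variables are substituted from the client ID and the registry at connect time, a device whose client ID does not match an existing thing with an attached certificate or Cognito identity never satisfies the `iot:Connect` statement, and a device that does connect cannot publish or subscribe on behalf of another thing name.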