I want my backend to be able to directly send messages to authenticated users, which means I need to limit the users to only subscribe on topics under their own identifiers. Ideally, to my currently limited understanding, I would have a policy that has the user sub as a variable:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect",
        "iot:Publish",
        "iot:Receive",
        "iot:GetThingShadow",
        "iot:UpdateThingShadow",
        "iot:DeleteThingShadow"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": "arn:aws:iot:us-east-1:949960872797:topicfilter/user/${cognitoUserSub}/someTopic"
    }
  ]
}
If ultimately the Cognito identifier is not an option for this policy, please advise me of what other identifier I would provide. Whichever it is, I need to be able to somehow obtain it based on the user's Cognito identifier (the sub).
Note that my knowledge in this regard is very limited, so I understand that I might be off by quite a bit.
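The following is an added example, not part of the question and not AWS code: a small offline evaluator that shows what a per-user topic-filter resource actually restricts once the policy variable is substituted with the authenticated principal's sub. It keeps the question's hypothetical variable name `${cognitoUserSub}` (the real AWS IoT policy variables depend on how the client authenticates, e.g. `${iot:ClientId}`, or `${cognito-identity.amazonaws.com:sub}` for Cognito identity pool federated identities), models IAM-style evaluation (explicit Deny wins, otherwise any matching Allow, otherwise implicit deny) with `*`/`?` resource wildcards, and uses the account ID from the question's ARN. The constructed `SCOPED_POLICY` also narrows the `Publish`/`Receive`/`Connect` statement that the question leaves at `"*"`, so the difference between the two policies is visible in the results.

```python
import re

# Added example: offline evaluator for a per-user AWS IoT-style policy.
# Evaluation rules and wildcards are modelled on IAM; the variable name
# ${cognitoUserSub} is the question's hypothetical placeholder. Nothing calls AWS.

_VAR = re.compile(r"\$\{([^}]+)\}")


def _glob_to_regex(pattern):
    # IAM-style wildcards: '*' matches any run of characters (including '/'),
    # '?' matches exactly one. MQTT '+' and '#' are ordinary literals here,
    # so a policy filter 'user/<sub>/someTopic' never matches 'user/#'.
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def expand(resource, attrs):
    """Substitute ${name} with the authenticated principal's attribute.
    Unknown variables raise so a typo cannot silently become a literal string."""
    def sub(m):
        name = m.group(1)
        if name not in attrs:
            raise KeyError(f"unknown policy variable {name}")
        return attrs[name]
    return _VAR.sub(sub, resource)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, attrs, action, resource):
    """Explicit Deny overrides everything; otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob_to_regex(a).match(action) for a in _as_list(stmt["Action"])):
            continue
        for res in _as_list(stmt["Resource"]):
            if _glob_to_regex(expand(res, attrs)).match(resource):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


ARN = "arn:aws:iot:us-east-1:949960872797:"  # account ID as given in the question

# Shape of the policy in the question: Subscribe scoped per user, everything else "*".
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iot:Connect", "iot:Publish", "iot:Receive", "iot:GetThingShadow",
                    "iot:UpdateThingShadow", "iot:DeleteThingShadow"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["iot:Subscribe"],
         "Resource": ARN + "topicfilter/user/${cognitoUserSub}/someTopic"},
    ],
}

# Constructed variant: Connect, Publish and Receive are scoped to the user's own
# subtree too, so only the backend (under its own broader policy) writes elsewhere.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": ARN + "client/${cognitoUserSub}"},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
         "Resource": ARN + "topic/user/${cognitoUserSub}/*"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": ARN + "topicfilter/user/${cognitoUserSub}/*"},
    ],
}

# Constructed sample subs (not real identities).
ALICE = {"cognitoUserSub": "11111111-aaaa-4bbb-8ccc-000000000001"}
BOB_SUB = "22222222-bbbb-4ccc-8ddd-000000000002"

if __name__ == "__main__":
    own = ARN + "topicfilter/user/" + ALICE["cognitoUserSub"] + "/someTopic"
    other = ARN + "topicfilter/user/" + BOB_SUB + "/someTopic"
    for name, policy in (("question", QUESTION_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "subscribe own:", is_allowed(policy, ALICE, "iot:Subscribe", own))
        print(name, "subscribe other:", is_allowed(policy, ALICE, "iot:Subscribe", other))
        print(name, "subscribe user/#:", is_allowed(policy, ALICE, "iot:Subscribe",
                                                     ARN + "topicfilter/user/#"))
        print(name, "publish to other:", is_allowed(policy, ALICE, "iot:Publish",
                                                     ARN + "topic/user/" + BOB_SUB + "/someTopic"))
```

Run it as a script to print the four checks under each policy. The substitution happens at evaluation time against attributes of the already-authenticated connection, which is the point of the pattern: the client never supplies the sub in the ARN, so it cannot subscribe to another user's subtree or to `user/#`.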