[英]AWS IoT Core connection refused with authenticated Cognito user w/ attached policy [MQTT over WSS]
之前也有類似的問題,我也搜索了很多,雖然我找到的答案並沒有幫助我解決問題。
我正在嘗試為我的 IoT 設備連接到 AWS 的 MQTT 代理,我正在通過 AWS Amplify 的 PubSub 庫通過 Web 套接字使用 MQTT。 身份驗證也通過 Amplify 處理(是的,用戶已成功通過身份驗證)。 當我嘗試連接時,它立即關閉並顯示錯誤消息:
錯誤代碼:8,錯誤消息:AMQJS0008I 套接字已關閉。
我為身份池設置了 IAM 角色,並將 IoT 策略附加到經過身份驗證的用戶(使用從 Amplify 檢索的身份 ID)。
用於附加策略的命令:
aws iot attach-principal-policy --policy-name "Air-RME-Users" --principal "ap-northeast-1:4f76a019-9f84-44f0-a23d-48357210016c"
任何幫助表示贊賞,謝謝!
IoT 的CloudWatch日志:
{
"timestamp": "2018-07-05 04:00:42.998",
"logLevel": "ERROR",
"traceId": "<removed>",
"accountId": "<removed>",
"status": "Failure",
"eventType": "Connect",
"protocol": "MQTT",
"clientId": "4e900ea4-8f05-4022-98a8-c1b26280b2a2",
"principalId": "<removed>:CognitoIdentityCredentials",
"sourceIp": "<removed>",
"sourcePort": 54641,
"reason": "AUTHORIZATION_FAILURE"
}
Cognito 身份池策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Connect",
"iot:Publish",
"iot:Subscribe",
"iot:Receive",
"iot:GetThingShadow",
"iot:UpdateThingShadow",
"iot:DeleteThingShadow"
],
"Resource": [
"*"
]
}
]
}
物聯網政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:*",
"Resource": "arn:aws:iot:ap-northeast-1:<removed>:topic/*"
}
]
}
測試代碼:
import Amplify from 'aws-amplify';
import {AWSIoTProvider} from 'aws-amplify/lib/PubSub/Providers';
require('babel-polyfill');
global.app = function () {
let user = null;
const onBtn = document.getElementById("on");
const offBtn = document.getElementById("off");
Amplify.configure({
Auth: {
// REQUIRED only for Federated Authentication - Amazon Cognito Identity Pool ID
identityPoolId: 'ap-northeast-1:<removed>',
// REQUIRED - Amazon Cognito Region
region: 'ap-northeast-1',
// OPTIONAL - Amazon Cognito User Pool ID
userPoolId: 'ap-northeast-1_<removed>',
// OPTIONAL - Amazon Cognito Web Client ID (26-char alphanumeric string)
userPoolWebClientId: '<removed>',
// OPTIONAL - Enforce user authentication prior to accessing AWS resources or not
mandatorySignIn: true,
}
});
Amplify.addPluggable(new AWSIoTProvider({
aws_pubsub_region: 'ap-northeast-1',
aws_pubsub_endpoint: 'wss://<removed>.iot.ap-northeast-1.amazonaws.com/mqtt',
}));
process();
async function process() {
await Amplify.Auth.signIn("test@test.com", "Test1234567")
.then(user => {
console.log("ログインできました。")
onBtn.style.visibility = "visible";
offBtn.style.visibility = "visible";
console.log(user);
if (user.challengeName === "NEW_PASSWORD_REQUIRED") {
const currentPassword = "Test123456";
const newPassword = "Test1234567"
user.completeNewPasswordChallenge(newPassword)
.then(() => {
// winning
}).catch(error => {
console.log(error);
});
}
})
.catch(err => {
alert("ログインできませんでした。");
console.log(err);
});
Amplify.Auth.currentCredentials().then((info) => {
const cognitoIdentityId = info._identityId;
console.log(cognitoIdentityId);
});
Amplify.PubSub.subscribe('$aws/things/Air-RME-test/shadow/get/accepted').subscribe({
next: data => console.log('Message received', data),
error: error => console.error(error),
close: () => console.log('Done'),
});
Amplify.PubSub.publish('$aws/things/Air-RME-test/shadow/get', '');
}
};
編輯:
在附加策略之前,將以下策略添加到經過身份驗證的認知身份角色解決了我的問題。 我使用的 arn 也有問題,所以我將同時使用 * 通配符。 一旦我開始工作,將再次更新。
政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:AttachPrincipalPolicy"
],
"Resource": [
"*"
]
}
]
}
所以缺少一項政策。 該策略必須附加到iot:AttachPrincipalPolicy每個用戶
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:AttachPrincipalPolicy"
],
"Resource": [
"*"
]
}
] }
目前,有兩種方式,一種是通過 CLI,另一種方式是通過 AWS Lambda 函數:
'use strict';
console.log('Loading function');
var AWS = require('aws-sdk');
exports.handler = (event, context, callback) => {
console.log('Received event:', JSON.stringify(event, null, 2))
event.Records.forEach((record) => {
console.log(record.eventName);
if (record.eventName == "INSERT") {
console.log('DynamoDB Record:', JSON.stringify(record));
console.log('DynamoDB Record:', record.dynamodb['Keys']['UserId']['S']);
var user = record.dynamodb['Keys']['UserId']['S'];
const iotMgmt = new AWS.Iot();
return new Promise(function(resolve, reject) {
let params = {
policyName: "basic",
principal: user
};
iotMgmt.attachPrincipalPolicy(params, (err, res) => {
console.log("Attaching IoT policy to " + user);
if (err) {
console.error(err);
reject(err);
}
else {
resolve();
}
});
});
}
});
};
通過 Cognito 身份池進行身份驗證的用戶的 MQTT 連接
[英]MQTT connection for users authenticated via Cognito Identity Pool
使用Cognito並為AWS IOT創建策略時,iot:ClientId策略變量的值是什么?
[英]When using Cognito, and creating a policy for AWS IOT, What is the value of the iot:ClientId policy variable?
通過后端通過Websocket使用MQTT連接到AWS IoT
[英]Connecting to AWS IoT using MQTT over Websockets from the backend
AWS - JavaScript - 使用經過身份驗證的 Cognito 用戶對 DynamoDB 進行 CRUD 操作
[英]AWS - JavaScript - CRUD operations on DynamoDB with authenticated Cognito user
AWS cognito userpools JavaScript SDK獲取用戶的策略文檔
[英]AWS cognito userpools JavaScript SDK get user's policy documents
AWS Cognito - JavaScript中的開發人員身份驗證身份(瀏覽器)
[英]AWS Cognito - Developer Authenticated Identities in JavaScript(Browser)
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.