Unable to publish or subscribe on AWS IoT using MQTT over WebSocket

Updated: 2024-10-28 12:20:49

Problem description


I can successfully connect to AWS IoT using MQTT over Websockets. But when publishing or subscribing, the connection is terminated. I figure it must be a policy/permissions-based issue with AWS, but I am confident that I have the correct permissions. Here is my setup:


I have a lambda function which creates a signed url using STS assumeRole (permissions in policy will be tighter but I have allowed access to all iot functions on all resources for testing):

const config = require('./config');
const crypto = require('crypto');
const v4 = require('aws-signature-v4');
const async = require('async');
const util = require('util');
const AWS = require('aws-sdk');

exports.handler = function (event, context) {
  var fail = function (err) {
    console.error(err);
    context.fail('Oops, something went wrong with your request');
  };

  const iot = new AWS.Iot();
  const sts = new AWS.STS({region: 'eu-west-1'});

  // Assume the role with an inline session policy (wide open for testing).
  var params = {
    DurationSeconds: 3600,
    ExternalId: Date.now().toString(),
    Policy: JSON.stringify({
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["iot:*"],
          "Resource": ["*"]
        }
      ]
    }),
    RoleArn: "arn:aws:iam::ACC_ID:role/iot_websocket_url_role",
    RoleSessionName: 'expo-' + Date.now()
  };

  sts.assumeRole(params, function (err, stsData) {
    if (err) { fail(err); return; }
    console.log(stsData);

    const AWS_IOT_ENDPOINT_HOST = 'MYENDPOINT.iot.eu-west-1.amazonaws';

    // Presign a GET /mqtt request with the temporary credentials
    // (SigV4 query-string signing, empty payload hash).
    var url = v4.createPresignedURL(
      'GET',
      AWS_IOT_ENDPOINT_HOST,
      '/mqtt',
      'iotdata',
      crypto.createHash('sha256').update('', 'utf8').digest('hex'),
      {
        key: stsData.Credentials.AccessKeyId,
        secret: stsData.Credentials.SecretAccessKey,
        protocol: 'wss',
        expires: 3600,
        region: 'eu-west-1'
      }
    );

    // Temporary credentials: the session token is appended after signing.
    url += '&X-Amz-Security-Token=' + encodeURIComponent(stsData.Credentials.SessionToken);
    console.log(url);
    context.succeed({url: url});
  });
};


The RoleArn provided here has the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1488299712000",
      "Effect": "Allow",
      "Action": [
        "iot:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}


I am using mqtt-elements in a Polymer project for my frontend code. I have validated that this works correctly by using Mosquitto message broker and Pub/Sub works fine with it.


I have enabled debugging on AWS IoT into CloudWatch. Here is the log:

2017-03-24 15:58:07.027 TRACEID:REDACTED PRINCIPALID:REDACTED/REDACTED [INFO] EVENT:MQTT Client Connect MESSAGE:Connect Status: SUCCESS
2017-03-24 15:58:07.027 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTT Client Connect MESSAGE: IpAddress: REDACTED SourcePort: 41430
2017-03-24 15:58:07.059 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe TOPICNAME:doorLatch MESSAGE:Subscribe Status: AUTHORIZATION_ERROR
2017-03-24 15:58:07.059 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe MESSAGE: IpAddress: REDACTED SourcePort: 41430
2017-03-24 15:58:07.068 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe TOPICNAME:doorLatch MESSAGE:Subscribe Status: AUTHORIZATION_ERROR
2017-03-24 15:58:07.068 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe MESSAGE: IpAddress: REDACTED SourcePort: 41430
2017-03-24 15:58:07.069 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTT Client Disconnect MESSAGE:Disconnect Status: SUCCESS
2017-03-24 15:58:07.069 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTT Client Disconnect MESSAGE: IpAddress: REDACTED SourcePort: 41430


So it's clear that the issue is one of Authorization. But the policies in my role + the assumeRole function are clearly very permissive and should enable Pub&Sub of messages to AWS IoT.


I'd appreciate any information on this matter.

I have also raised this question on the AWS forums.

Recommended answer


It is not possible to use STS for an IoT connection. The only way to use MQTT over websockets is to use a Cognito authenticated identity.


Published: 2023-08-01 16:33:12
Source: https://www.elefans.com/category/jswz/34/1269882.html
Tags: MQTT, Websocket, IoT, AWS
