5

之前也有过类似的问题,我搜索了很多,虽然我找到的答案并没有帮助我解决问题。

我正在尝试为我的 IoT 设备连接到 AWS 的 MQTT 代理,我正在通过 AWS Amplify 的 PubSub 库使用 MQTT over Web Sockets。身份验证也通过 Amplify 处理(是的,用户已成功通过身份验证)。当我尝试连接时,它会立即关闭并显示错误消息:

errorCode: 8, errorMessage: AMQJS0008I 套接字关闭。

我已经为身份池设置了 IAM 角色,并将 IoT 策略附加到经过身份验证的用户(使用从 Amplify 检索到的身份 ID)。

用于附加策略的命令: 

aws iot attach-principal-policy --policy-name "Air-RME-Users" --principal "ap-northeast-1:4f76a019-9f84-44f0-a23d-48357210016c"

任何帮助表示赞赏,谢谢!

CloudWatch物联网日志:

{
    "timestamp": "2018-07-05 04:00:42.998",
    "logLevel": "ERROR",
    "traceId": "<removed>",
    "accountId": "<removed>",
    "status": "Failure",
    "eventType": "Connect",
    "protocol": "MQTT",
    "clientId": "4e900ea4-8f05-4022-98a8-c1b26280b2a2",
    "principalId": "<removed>:CognitoIdentityCredentials",
    "sourceIp": "<removed>",
    "sourcePort": 54641,
    "reason": "AUTHORIZATION_FAILURE"
}

Cognito 身份池策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect",
                "iot:Publish",
                "iot:Subscribe",
                "iot:Receive",
                "iot:GetThingShadow",
                "iot:UpdateThingShadow",
                "iot:DeleteThingShadow"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

物联网政策:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "arn:aws:iot:ap-northeast-1:<removed>:topic/*"
    }
  ]
}

测试代码:

import Amplify from 'aws-amplify';
import {AWSIoTProvider} from 'aws-amplify/lib/PubSub/Providers';

require('babel-polyfill');

global.app = function () {
  let user = null;
  const onBtn = document.getElementById("on");
  const offBtn = document.getElementById("off");

  Amplify.configure({
    Auth: {
      // REQUIRED only for Federated Authentication - Amazon Cognito Identity Pool ID
      identityPoolId: 'ap-northeast-1:<removed>',

      // REQUIRED - Amazon Cognito Region
      region: 'ap-northeast-1',

      // OPTIONAL - Amazon Cognito User Pool ID
      userPoolId: 'ap-northeast-1_<removed>',

      // OPTIONAL - Amazon Cognito Web Client ID (26-char alphanumeric string)
      userPoolWebClientId: '<removed>',

      // OPTIONAL - Enforce user authentication prior to accessing AWS resources or not
      mandatorySignIn: true,
    }
  });

  Amplify.addPluggable(new AWSIoTProvider({
    aws_pubsub_region: 'ap-northeast-1',
    aws_pubsub_endpoint: 'wss://<removed>.iot.ap-northeast-1.amazonaws.com/mqtt',
  }));

  process();

  async function process() {

    await Amplify.Auth.signIn("test@test.com", "Test1234567")
      .then(user => {
        console.log("ログインできました。")
        onBtn.style.visibility = "visible";
        offBtn.style.visibility = "visible";
        console.log(user);
        if (user.challengeName === "NEW_PASSWORD_REQUIRED") {
          const currentPassword = "Test123456";
          const newPassword = "Test1234567"

          user.completeNewPasswordChallenge(newPassword)
            .then(() => {
              // winning
            }).catch(error => {
            console.log(error);
          });
        }
      })
      .catch(err => {
        alert("ログインできませんでした。");
        console.log(err);
      });

    Amplify.Auth.currentCredentials().then((info) => {
      const cognitoIdentityId = info._identityId;
      console.log(cognitoIdentityId);
    });

    Amplify.PubSub.subscribe('$aws/things/Air-RME-test/shadow/get/accepted').subscribe({
      next: data => console.log('Message received', data),
      error: error => console.error(error),
      close: () => console.log('Done'),
    });
    Amplify.PubSub.publish('$aws/things/Air-RME-test/shadow/get', '');
  }
};

编辑:

在附加策略之前,将以下策略添加到经过身份验证的认知身份角色中解决了我的问题。我使用的 arn 也有问题,因此我将同时使用 * 通配符。将再次更新,一旦我得到它的工作。

政策:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:AttachPrincipalPolicy"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
4

1 回答 1

3

因此,缺少一项政策。该策略必须附加到每个用户iot:AttachPrincipalPolicy 

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "iot:AttachPrincipalPolicy"
        ],
        "Resource": [
            "*"
        ]
    }
] }

目前,有两种方式,一种是通过 CLI,另一种是通过 AWS Lambda Function:

'use strict';

console.log('Loading function');
var AWS = require('aws-sdk');

exports.handler = (event, context, callback) => {
    console.log('Received event:', JSON.stringify(event, null, 2))
    event.Records.forEach((record) => {
        console.log(record.eventName);
        if (record.eventName == "INSERT") {
            console.log('DynamoDB Record:', JSON.stringify(record));
            console.log('DynamoDB Record:', record.dynamodb['Keys']['UserId']['S']);
            var user = record.dynamodb['Keys']['UserId']['S'];
            const iotMgmt = new AWS.Iot();
            return new Promise(function(resolve, reject) {
                let params = {
                    policyName: "basic",
                    principal: user
                };
                iotMgmt.attachPrincipalPolicy(params, (err, res) => {
                    console.log("Attaching IoT policy to " + user);
                    if (err) {
                        console.error(err);
                        reject(err);
                    }
                    else {
                        resolve();
                    }
                });
            });
        }

    });
};
于 2018-07-06T12:19:57.623 回答