无法使用基于 Websockets 的 MQTT 在 AWS IoT 上发布或订阅
Cannot Pub or Sub on AWS IoT using MQTT over Websockets
我可以通过 Websockets 使用 MQTT 成功连接到 AWS IoT。但是当发布或订阅时,连接被终止。我认为这一定是 AWS 的 policy/permissions-based 问题,但我确信我拥有正确的权限。
这是我的设置:
我有一个 lambda 函数,它使用 STS assumeRole 创建一个带符号的 url(策略中的权限会更严格,但我允许访问所有资源上的所有物联网函数以进行测试):
const config = require('./config');
const crypto = require('crypto');
const v4 = require('aws-signature-v4');
const async = require('async');
const util = require('util');
const AWS = require('aws-sdk');
exports.handler = function (event, context) {
var fail = function (err) {
console.error(err);
context.fail('Oops, something went wrong with your request');
};
const iot = new AWS.Iot();
const sts = new AWS.STS({region: 'eu-west-1'});
var params = {
DurationSeconds: 3600,
ExternalId: Date.now().toString(),
Policy: JSON.stringify(
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:*",
],
"Resource": [
"*"
]
}
]
}
),
RoleArn: "arn:aws:iam::ACC_ID:role/iot_websocket_url_role",
RoleSessionName: 'expo-' + Date.now()
};
sts.assumeRole(params, function(err, stsData) {
if (err) {
fail(err);
return;
}
console.log(stsData);
const AWS_IOT_ENDPOINT_HOST = 'MYENDPOINT.iot.eu-west-1.amazonaws.com';
var url = v4.createPresignedURL(
'GET',
AWS_IOT_ENDPOINT_HOST,
'/mqtt',
'iotdata',
crypto.createHash('sha256').update('', 'utf8').digest('hex'),
{
key: stsData.Credentials.AccessKeyId,
secret: stsData.Credentials.SecretAccessKey,
protocol: 'wss',
expires: 3600,
region: 'eu-west-1'
}
);
url += '&X-Amz-Security-Token=' + encodeURIComponent(stsData.Credentials.SessionToken);
console.log(url);
context.succeed({url: url});
});
};
此处提供的 RoleArn 具有以下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1488299712000",
"Effect": "Allow",
"Action": [
"iot:*"
],
"Resource": [
"*"
]
}
]
}
我在前端代码的 Polymer 项目中使用 mqtt-elements。
我已经通过使用 Mosquitto 消息代理验证了它可以正常工作并且 Pub/Sub 可以正常工作。
我已启用在 AWS IoT 上调试到 CloudWatch。这是日志:
2017-03-24 15:58:07.027 TRACEID:REDACTED PRINCIPALID:REDACTED/REDACTED [INFO] EVENT:MQTT Client Connect MESSAGE:Connect Status: SUCCESS
2017-03-24 15:58:07.027 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTT Client Connect MESSAGE: IpAddress: REDACTED SourcePort: 41430
2017-03-24 15:58:07.059 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe TOPICNAME:doorLatch MESSAGE:Subscribe Status: AUTHORIZATION_ERROR
2017-03-24 15:58:07.059 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe MESSAGE: IpAddress: REDACTED SourcePort: 41430
2017-03-24 15:58:07.068 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe TOPICNAME:doorLatch MESSAGE:Subscribe Status: AUTHORIZATION_ERROR
2017-03-24 15:58:07.068 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe MESSAGE: IpAddress: REDACTED SourcePort: 41430
2017-03-24 15:58:07.069 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTT Client Disconnect MESSAGE:Disconnect Status: SUCCESS
2017-03-24 15:58:07.069 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTT Client Disconnect MESSAGE: IpAddress: REDACTED SourcePort: 41430
很明显问题是授权问题之一。但是我角色中的策略 + assumeRole 函数显然非常宽松,应该允许向 AWS IoT 发布和订阅消息。
如能提供有关此事的任何信息,我将不胜感激。
编辑:我也有 raised this issue on AWS Forums。
无法将 STS 用于 IoT 连接。通过 websockets 使用 MQTT 的唯一方法是使用 Cognito 身份验证。
我可以通过 Websockets 使用 MQTT 成功连接到 AWS IoT。但是当发布或订阅时,连接被终止。我认为这一定是 AWS 的 policy/permissions-based 问题,但我确信我拥有正确的权限。 这是我的设置:
我有一个 lambda 函数,它使用 STS assumeRole 创建一个带符号的 url(策略中的权限会更严格,但我允许访问所有资源上的所有物联网函数以进行测试):
const config = require('./config');
const crypto = require('crypto');
const v4 = require('aws-signature-v4');
const async = require('async');
const util = require('util');
const AWS = require('aws-sdk');
exports.handler = function (event, context) {
var fail = function (err) {
console.error(err);
context.fail('Oops, something went wrong with your request');
};
const iot = new AWS.Iot();
const sts = new AWS.STS({region: 'eu-west-1'});
var params = {
DurationSeconds: 3600,
ExternalId: Date.now().toString(),
Policy: JSON.stringify(
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:*",
],
"Resource": [
"*"
]
}
]
}
),
RoleArn: "arn:aws:iam::ACC_ID:role/iot_websocket_url_role",
RoleSessionName: 'expo-' + Date.now()
};
sts.assumeRole(params, function(err, stsData) {
if (err) {
fail(err);
return;
}
console.log(stsData);
const AWS_IOT_ENDPOINT_HOST = 'MYENDPOINT.iot.eu-west-1.amazonaws.com';
var url = v4.createPresignedURL(
'GET',
AWS_IOT_ENDPOINT_HOST,
'/mqtt',
'iotdata',
crypto.createHash('sha256').update('', 'utf8').digest('hex'),
{
key: stsData.Credentials.AccessKeyId,
secret: stsData.Credentials.SecretAccessKey,
protocol: 'wss',
expires: 3600,
region: 'eu-west-1'
}
);
url += '&X-Amz-Security-Token=' + encodeURIComponent(stsData.Credentials.SessionToken);
console.log(url);
context.succeed({url: url});
});
};
此处提供的 RoleArn 具有以下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1488299712000",
"Effect": "Allow",
"Action": [
"iot:*"
],
"Resource": [
"*"
]
}
]
}
我在前端代码的 Polymer 项目中使用 mqtt-elements。 我已经通过使用 Mosquitto 消息代理验证了它可以正常工作并且 Pub/Sub 可以正常工作。
我已启用在 AWS IoT 上调试到 CloudWatch。这是日志:
2017-03-24 15:58:07.027 TRACEID:REDACTED PRINCIPALID:REDACTED/REDACTED [INFO] EVENT:MQTT Client Connect MESSAGE:Connect Status: SUCCESS
2017-03-24 15:58:07.027 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTT Client Connect MESSAGE: IpAddress: REDACTED SourcePort: 41430
2017-03-24 15:58:07.059 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe TOPICNAME:doorLatch MESSAGE:Subscribe Status: AUTHORIZATION_ERROR
2017-03-24 15:58:07.059 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe MESSAGE: IpAddress: REDACTED SourcePort: 41430
2017-03-24 15:58:07.068 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe TOPICNAME:doorLatch MESSAGE:Subscribe Status: AUTHORIZATION_ERROR
2017-03-24 15:58:07.068 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe MESSAGE: IpAddress: REDACTED SourcePort: 41430
2017-03-24 15:58:07.069 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTT Client Disconnect MESSAGE:Disconnect Status: SUCCESS
2017-03-24 15:58:07.069 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTT Client Disconnect MESSAGE: IpAddress: REDACTED SourcePort: 41430
很明显问题是授权问题之一。但是我角色中的策略 + assumeRole 函数显然非常宽松,应该允许向 AWS IoT 发布和订阅消息。
如能提供有关此事的任何信息,我将不胜感激。
编辑:我也有 raised this issue on AWS Forums。
无法将 STS 用于 IoT 连接。通过 websockets 使用 MQTT 的唯一方法是使用 Cognito 身份验证。