无法使用基于 Websockets 的 MQTT 在 AWS IoT 上发布或订阅

Cannot Pub or Sub on AWS IoT using MQTT over Websockets

我可以通过 Websockets 使用 MQTT 成功连接到 AWS IoT。但是当发布或订阅时,连接被终止。我认为这一定是 AWS 的 policy/permissions-based 问题,但我确信我拥有正确的权限。 这是我的设置:

我有一个 lambda 函数,它使用 STS assumeRole 创建一个带符号的 url(策略中的权限会更严格,但我允许访问所有资源上的所有物联网函数以进行测试):

const config = require('./config');
const crypto = require('crypto');
const v4 = require('aws-signature-v4');
const async = require('async');
const util = require('util');
const AWS = require('aws-sdk');

exports.handler = function (event, context) {

var fail = function (err) {
    console.error(err);
    context.fail('Oops, something went wrong with your request');
};

const iot = new AWS.Iot();
const sts = new AWS.STS({region: 'eu-west-1'});
var params = {
    DurationSeconds: 3600,
    ExternalId: Date.now().toString(),
    Policy: JSON.stringify(
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "iot:*",
                    ],
                    "Resource": [
                        "*"
                    ]
                }
            ]
        }
    ),
    RoleArn: "arn:aws:iam::ACC_ID:role/iot_websocket_url_role",
    RoleSessionName: 'expo-' + Date.now()
};

sts.assumeRole(params, function(err, stsData) {
    if (err) {
        fail(err);
        return;
    }
    console.log(stsData);

    const AWS_IOT_ENDPOINT_HOST = 'MYENDPOINT.iot.eu-west-1.amazonaws.com';

    var url = v4.createPresignedURL(
        'GET',
        AWS_IOT_ENDPOINT_HOST,
        '/mqtt',
        'iotdata',
        crypto.createHash('sha256').update('', 'utf8').digest('hex'),
        {
            key: stsData.Credentials.AccessKeyId,
            secret: stsData.Credentials.SecretAccessKey,
            protocol: 'wss',
            expires: 3600,
            region: 'eu-west-1'
        }
    );
    url += '&X-Amz-Security-Token=' + encodeURIComponent(stsData.Credentials.SessionToken);
    console.log(url);

    context.succeed({url: url});

});

};

此处提供的 RoleArn 具有以下策略:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "Stmt1488299712000",
        "Effect": "Allow",
        "Action": [
            "iot:*"
        ],
        "Resource": [
            "*"
        ]
    }
]

}

我在前端代码的 Polymer 项目中使用 mqtt-elements。 我已经通过使用 Mosquitto 消息代理验证了它可以正常工作并且 Pub/Sub 可以正常工作。

我已启用在 AWS IoT 上调试到 CloudWatch。这是日志:

2017-03-24 15:58:07.027 TRACEID:REDACTED PRINCIPALID:REDACTED/REDACTED [INFO] EVENT:MQTT Client Connect MESSAGE:Connect Status: SUCCESS

2017-03-24 15:58:07.027 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTT Client Connect MESSAGE: IpAddress: REDACTED SourcePort: 41430

2017-03-24 15:58:07.059 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe TOPICNAME:doorLatch MESSAGE:Subscribe Status: AUTHORIZATION_ERROR

2017-03-24 15:58:07.059 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe MESSAGE: IpAddress: REDACTED SourcePort: 41430

2017-03-24 15:58:07.068 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe TOPICNAME:doorLatch MESSAGE:Subscribe Status: AUTHORIZATION_ERROR

2017-03-24 15:58:07.068 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe MESSAGE: IpAddress: REDACTED SourcePort: 41430

2017-03-24 15:58:07.069 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTT Client Disconnect MESSAGE:Disconnect Status: SUCCESS

2017-03-24 15:58:07.069 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTT Client Disconnect MESSAGE: IpAddress: REDACTED SourcePort: 41430

很明显问题是授权问题之一。但是我角色中的策略 + assumeRole 函数显然非常宽松,应该允许向 AWS IoT 发布和订阅消息。

如能提供有关此事的任何信息,我将不胜感激。

编辑:我也有 raised this issue on AWS Forums

无法将 STS 用于 IoT 连接。通过 websockets 使用 MQTT 的唯一方法是使用 Cognito 身份验证。