AWS IoT:ForbiddenException:在浏览器中尝试 iotData.getThingShadow() 时禁止
AWS IoT: ForbiddenException: Forbidden when trying iotData.getThingShadow() in browser
我正在使用联合 Cognito 凭证(Facebook 登录),在托管于 EC2 上的浏览器脚本中调用 getThingShadow(),但只得到 ForbiddenException: Forbidden
登录部分成功,我从 AWS.WebIdentityCredentials()
收到了凭据(非空)
cognito ID 是使用 CLI 手动授权的 (aws iot attach-principal-policy)
Cognito_Auth_Rule 也允许 iot:*
看起来我按照手册做了一切,仍然无法获取 iotData
http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/IotData.html
请指教,不胜感激
谢谢
尼克
我附加到 Cognito_Auth_Rule 的 IAM 策略是:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:*"
],
"Resource": [
"*"
]
}
]
}
获取凭据
// Exchange the Facebook access token for temporary AWS credentials
// (STS AssumeRoleWithWebIdentity) and install them on the IotData client.
// roleArn must name a role whose trust policy accepts graph.facebook.com as a
// web identity provider; everything this browser code can do against the
// shadow API is bounded by that role's permissions, so keep them minimal.
// NOTE(review): credentials are set on `iotData`, while the getThingShadow call
// later on the page is made on `iotdata` — confirm both refer to the same client.
const webIdentityParams = {
  ProviderId: 'graph.facebook.com',
  RoleArn: roleArn,
  WebIdentityToken: response.authResponse.accessToken,
};
iotData.config.credentials = new AWS.WebIdentityCredentials(webIdentityParams);
我的代码
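// Request parameters for GetThingShadow; thingName is the only required field.
var params = {
  thingName: 'thingName' /* required */
};

// Fetch the thing shadow and render the outcome into the iotResults element.
// The shadow document is written by devices and other clients, so it is
// rendered as text: assigning it to innerHTML would let any markup inside the
// document execute in this page. The error is rendered the same way.
iotdata.getThingShadow(params, function (err, data) {
  if (err) {
    console.log(err, err.stack); // an error occurred
    iotResults.textContent = String(err);
  } else {
    console.log(data); // successful response
    // The response is an object (its payload field carries the shadow JSON);
    // serialise it so the page does not just show "[object Object]".
    iotResults.textContent = JSON.stringify(data);
  }
});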
来自控制台的错误消息:
Error: Forbidden
at Object.s [as extractError] (aws-sdk-2.7.20.min.js:37)
at constructor.i (aws-sdk-2.7.20.min.js:37)
at constructor.callListeners (aws-sdk-2.7.20.min.js:38)
at constructor.emit (aws-sdk-2.7.20.min.js:38)
at constructor.emitEvent (aws-sdk-2.7.20.min.js:37)
at constructor.e (aws-sdk-2.7.20.min.js:37)
at a.runTo (aws-sdk-2.7.20.min.js:39)
at aws-sdk-2.7.20.min.js:39
at constructor.<anonymous> (aws-sdk-2.7.20.min.js:37)
at constructor.<anonymous> (aws-sdk-2.7.20.min.js:37) "ForbiddenException: Forbidden
at Object.s [as extractError] (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:9704)
at constructor.i (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:14284)
at constructor.callListeners (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:38:4687)
at constructor.emit (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:38:4396)
at constructor.emitEvent (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:23801)
at constructor.e (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:19651)
at a.runTo (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:39:11367)
at https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:39:11574
at constructor.<anonymous> (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:19861)
at constructor.<anonymous> (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:23856)"
IAM 策略没问题...但是您需要专门为该用户设置 IoT 策略...所以当创建用户时,或者现在当用户登录时...调用
let iot = new AWS.Iot();
iot.attachPrincipalPolicy(
请注意,该方法接收两个参数:policyName,即 IoT 策略(而非 IAM 策略)中的策略名称——因此请在 IoT 中复制一份您的策略;以及 principal,即 cognito 用户 ID
仅设置 IAM 策略是不够的,还需要调用 attachPrincipalPolicy
要像 OP 一样使用 iotdata.getThingShadow();
方法通过浏览器读出 Thing Shadow,您需要附加一个 Principal Policy。
万一有人想知道,如何自动设置 UXDart 提到的 iot.attachPrincipalPolicy:
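// Resolve the caller's Cognito identity ID and make sure the IoT policy is
// attached to it; getThingShadow() is refused with ForbiddenException until it is.
// NOTE(review): this runs in the browser, so the Cognito role must grant
// iot:ListPrincipalPolicies and iot:AttachPrincipalPolicy to the signed-in user.
// If that statement is allowed on Resource "*", any authenticated user can attach
// any IoT policy to any principal — scope the Resource to this policy, or move
// the attach step to a backend that validates the caller so the browser never
// holds that permission.
cognitoIdentity.getId(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else {
    // Assigned without a declaration here — assumes cognitoId is declared in an
    // enclosing scope and read by other code; TODO confirm.
    cognitoId = data.IdentityId;
    console.log('Cognito ID: ' + cognitoId);
    // Name of the AWS IoT policy (not the IAM policy). Hoisted so the lookup
    // and the attach call cannot drift apart.
    var iotPolicyName = 'your-iot-policy';
    var iot = new AWS.Iot();
    iot.listPrincipalPolicies({principal: cognitoId}, function(err, data) {
      if (err) console.log(err, err.stack); // an error occurred
      else {
        console.log(data);
        // Only the first page of results is inspected; a principal with more
        // policies than fit in one page may trigger a redundant attach call.
        var found = data.policies.some(function(policy) {
          return policy.policyName === iotPolicyName;
        });
        if (!found) {
          console.log("Versuche Policy einzutragen...");
          iot.attachPrincipalPolicy({policyName: iotPolicyName, principal: cognitoId}, function(err, data) {
            if (err) console.log(err, err.stack); // an error occurred
            else console.log("Policy eingetragen!"); // successful response
          });
        } else console.log("Policy gefunden!");
      }
    });
  }
});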
我正在使用联合 Cognito 凭证(Facebook 登录),在托管于 EC2 上的浏览器脚本中调用 getThingShadow(),但只得到 ForbiddenException: Forbidden
登录部分成功,我从 AWS.WebIdentityCredentials()
收到了凭据(非空)。cognito ID 是使用 CLI 手动授权的 (aws iot attach-principal-policy)。Cognito_Auth_Rule 也允许 iot:*
看起来我按照手册做了一切,仍然无法获取 iotData
http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/IotData.html
请指教,不胜感激
谢谢
尼克
我附加到 Cognito_Auth_Rule 的 IAM 策略是:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:*"
],
"Resource": [
"*"
]
}
]
}
获取凭据
// Exchange the Facebook access token for temporary AWS credentials
// (STS AssumeRoleWithWebIdentity) and install them on the IotData client.
// roleArn must name a role whose trust policy accepts graph.facebook.com as a
// web identity provider; everything this browser code can do against the
// shadow API is bounded by that role's permissions, so keep them minimal.
// NOTE(review): credentials are set on `iotData`, while the getThingShadow call
// later on the page is made on `iotdata` — confirm both refer to the same client.
const webIdentityParams = {
  ProviderId: 'graph.facebook.com',
  RoleArn: roleArn,
  WebIdentityToken: response.authResponse.accessToken,
};
iotData.config.credentials = new AWS.WebIdentityCredentials(webIdentityParams);
我的代码
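// Request parameters for GetThingShadow; thingName is the only required field.
var params = {
  thingName: 'thingName' /* required */
};

// Fetch the thing shadow and render the outcome into the iotResults element.
// The shadow document is written by devices and other clients, so it is
// rendered as text: assigning it to innerHTML would let any markup inside the
// document execute in this page. The error is rendered the same way.
iotdata.getThingShadow(params, function (err, data) {
  if (err) {
    console.log(err, err.stack); // an error occurred
    iotResults.textContent = String(err);
  } else {
    console.log(data); // successful response
    // The response is an object (its payload field carries the shadow JSON);
    // serialise it so the page does not just show "[object Object]".
    iotResults.textContent = JSON.stringify(data);
  }
});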
来自控制台的错误消息:
Error: Forbidden
at Object.s [as extractError] (aws-sdk-2.7.20.min.js:37)
at constructor.i (aws-sdk-2.7.20.min.js:37)
at constructor.callListeners (aws-sdk-2.7.20.min.js:38)
at constructor.emit (aws-sdk-2.7.20.min.js:38)
at constructor.emitEvent (aws-sdk-2.7.20.min.js:37)
at constructor.e (aws-sdk-2.7.20.min.js:37)
at a.runTo (aws-sdk-2.7.20.min.js:39)
at aws-sdk-2.7.20.min.js:39
at constructor.<anonymous> (aws-sdk-2.7.20.min.js:37)
at constructor.<anonymous> (aws-sdk-2.7.20.min.js:37) "ForbiddenException: Forbidden
at Object.s [as extractError] (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:9704)
at constructor.i (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:14284)
at constructor.callListeners (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:38:4687)
at constructor.emit (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:38:4396)
at constructor.emitEvent (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:23801)
at constructor.e (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:19651)
at a.runTo (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:39:11367)
at https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:39:11574
at constructor.<anonymous> (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:19861)
at constructor.<anonymous> (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:23856)"
IAM 策略没问题...但是您需要专门为该用户设置 IoT 策略...所以当创建用户时,或者现在当用户登录时...调用
let iot = new AWS.Iot();
iot.attachPrincipalPolicy(
请注意,该方法接收两个参数:policyName,即 IoT 策略(而非 IAM 策略)中的策略名称——因此请在 IoT 中复制一份您的策略;以及 principal,即 cognito 用户 ID
仅设置 IAM 策略是不够的,还需要调用 attachPrincipalPolicy
要像 OP 一样使用 iotdata.getThingShadow();
方法通过浏览器读出 Thing Shadow,您需要附加一个 Principal Policy。
万一有人想知道,如何自动设置 UXDart 提到的 iot.attachPrincipalPolicy:
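// Resolve the caller's Cognito identity ID and make sure the IoT policy is
// attached to it; getThingShadow() is refused with ForbiddenException until it is.
// NOTE(review): this runs in the browser, so the Cognito role must grant
// iot:ListPrincipalPolicies and iot:AttachPrincipalPolicy to the signed-in user.
// If that statement is allowed on Resource "*", any authenticated user can attach
// any IoT policy to any principal — scope the Resource to this policy, or move
// the attach step to a backend that validates the caller so the browser never
// holds that permission.
cognitoIdentity.getId(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else {
    // Assigned without a declaration here — assumes cognitoId is declared in an
    // enclosing scope and read by other code; TODO confirm.
    cognitoId = data.IdentityId;
    console.log('Cognito ID: ' + cognitoId);
    // Name of the AWS IoT policy (not the IAM policy). Hoisted so the lookup
    // and the attach call cannot drift apart.
    var iotPolicyName = 'your-iot-policy';
    var iot = new AWS.Iot();
    iot.listPrincipalPolicies({principal: cognitoId}, function(err, data) {
      if (err) console.log(err, err.stack); // an error occurred
      else {
        console.log(data);
        // Only the first page of results is inspected; a principal with more
        // policies than fit in one page may trigger a redundant attach call.
        var found = data.policies.some(function(policy) {
          return policy.policyName === iotPolicyName;
        });
        if (!found) {
          console.log("Versuche Policy einzutragen...");
          iot.attachPrincipalPolicy({policyName: iotPolicyName, principal: cognitoId}, function(err, data) {
            if (err) console.log(err, err.stack); // an error occurred
            else console.log("Policy eingetragen!"); // successful response
          });
        } else console.log("Policy gefunden!");
      }
    });
  }
});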