AWS IoT:ForbiddenException:在浏览器中尝试 iotData.getThingShadow() 时禁止

AWS IoT: ForbiddenException: Forbidden when trying iotData.getThingShadow() in browser

我正在使用 Federated Cognito 凭证(Facebook 登录)将浏览器脚本上传到 EC2 以获取 ThingShadow(),但只得到 ForbiddenException: Forbidden

登录部分成功,我从 AWS.WebIdentityCredentials()

收到了凭据(非空)

cognito ID 是使用 CLI 手动授权的 (aws iot attach-principal-policy) Cognito_Auth_Rule 允许物联网:* 也

看起来我按照手册做了一切,仍然无法获取 iotData

http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/IotData.html

请指教,不胜感激

谢谢

尼克

我附加到 Cognito_Auth_Rule 的 IAM 策略是:

            {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Action": [
                            "iot:*"
                        ],
                        "Resource": [
                            "*"
                        ]
                    }
                ]
            }

获取凭据

iotData.config.credentials = new AWS.WebIdentityCredentials({
    ProviderId: 'graph.facebook.com',
    RoleArn: roleArn,
    WebIdentityToken: response.authResponse.accessToken
});

我的代码

        var params = {
            thingName: 'thingName' /* required */
        };
        iotdata.getThingShadow(params, function (err, data) {
            if (err) {
                console.log(err, err.stack); // an error occurred
                iotResults.innerHTML = err;
            } else {
                console.log(data);           // successful response
                iotResults.innerHTML = data;
            }
        });

来自控制台的错误消息:

Error: Forbidden
    at Object.s [as extractError] (aws-sdk-2.7.20.min.js:37)
    at constructor.i (aws-sdk-2.7.20.min.js:37)
    at constructor.callListeners (aws-sdk-2.7.20.min.js:38)
    at constructor.emit (aws-sdk-2.7.20.min.js:38)
    at constructor.emitEvent (aws-sdk-2.7.20.min.js:37)
    at constructor.e (aws-sdk-2.7.20.min.js:37)
    at a.runTo (aws-sdk-2.7.20.min.js:39)
    at aws-sdk-2.7.20.min.js:39
    at constructor.<anonymous> (aws-sdk-2.7.20.min.js:37)
    at constructor.<anonymous> (aws-sdk-2.7.20.min.js:37) "ForbiddenException: Forbidden
    at Object.s [as extractError] (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:9704)
    at constructor.i (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:14284)
    at constructor.callListeners (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:38:4687)
    at constructor.emit (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:38:4396)
    at constructor.emitEvent (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:23801)
    at constructor.e (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:19651)
    at a.runTo (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:39:11367)
    at https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:39:11574
    at constructor.<anonymous> (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:19861)
    at constructor.<anonymous> (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:23856)"

IAM 策略没问题...但是您需要专门为该用户设置 IoT 策略...所以当创建用户时,或者现在当用户登录时...调用

let iot = new AWS.Iot(); iot.attachPrincipalPolicy(

您应该注意到该方法收到了 policyName,即策略的名称 "in IoT policies"(不在 IAM 策略中,因此请在 IoT 中复制您的策略)和主体,即 cognito 用户 ID

不够给IAM策略,还需要指定attachPrincipalPolicy

要像 OP 一样使用 iotdata.getThingShadow(); 方法通过浏览器读出 Thing Shadow,您需要附加一个 Principal Policy。

万一有人想知道,如何自动设置 UXDart 提到的 iot.attachPrincipalPolicy:

 cognitoIdentity.getId(params, function(err, data) {
        if (err) console.log(err, err.stack); // an error occurred
        else{
          cognitoId = data.IdentityId;

          console.log('Cognito ID: ' + cognitoId);

          var iot = new AWS.Iot();

          iot.listPrincipalPolicies({principal: cognitoId}, function(err, data) {
            if (err) console.log(err, err.stack); // an error occurred
            else{
              console.log(data);
              var found = false;
              for(var i = 0; i < data.policies.length; i++) {
                if (data.policies[i].policyName == 'your-iot-policy'){
                  found = true;
                  break;
                }
              }
              if(found == false){
                console.log("Versuche Policy einzutragen...")
                iot.attachPrincipalPolicy({policyName: 'your-iot-policy', principal: cognitoId}, function(err, data) {
                  if (err) console.log(err, err.stack); // an error occurred
                  else     console.log("Policy eingetragen!");           // successful response
                });
              }else console.log("Policy gefunden!");
            }
          });
        }
      });