Can't connect using aws-iot-device-sdk-v2 for JavaScript using working certificates

I can connect without any problems using the older version of the JavaScript SDK, but v2 produces the following error when running the pub_sub sample:

events.js:353
      throw er; // Unhandled 'error' event
      ^

CrtError: Failed to connect: libaws-c-mqtt: AWS_ERROR_MQTT_UNEXPECTED_HANGUP, The connection was closed unexpectedly.
    at /Users/calebbrewer/dev/node-sandbox/node_modules/aws-iot-device-sdk-v2/node_modules/aws-crt/dist/native/mqtt.js:333:36
    at processTicksAndRejections (internal/process/task_queues.js:77:11)
Emitted 'error' event on MqttClientConnection instance at:
    at MqttClientConnection.emit (/Users/calebbrewer/dev/node-sandbox/node_modules/aws-iot-device-sdk-v2/node_modules/aws-crt/dist/common/event.js:75:22)
    at /Users/calebbrewer/dev/node-sandbox/node_modules/aws-iot-device-sdk-v2/node_modules/aws-crt/dist/native/mqtt.js:333:22
    at processTicksAndRejections (internal/process/task_queues.js:77:11) {
  error: 'Failed to connect: libaws-c-mqtt: AWS_ERROR_MQTT_UNEXPECTED_HANGUP, The connection was closed unexpectedly.',
  error_code: undefined,
  error_name: undefined
}

I configured my certificates manually through the console using the "Create things" workflow.

Any ideas on how to debug this further would be greatly appreciated - I'm stuck!

Edit: I found the following error in my CloudWatch logs, with some of the values truncated:

{
  "timestamp": "2021-09-02 16:27:13.163",
  "logLevel": "INFO",
  "traceId": "93d42145-31af-ed6c-7f16-80031602970c",
  "accountId": "$AWS_ACCOUNT_ID",
  "status": "Success",
  "eventType": "Subscribe",
  "protocol": "MQTT",
  "topicName": "topic_1",
  "clientId": "caleb-test",
  "principalId": "f....2",
  "sourceIp": "7...2",
  "sourcePort": 40494
}

Copying the policy for my thing, since it is hitting the cloud, which makes me wonder whether this could be causing the problem:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Receive",
        "iot:RetainPublish"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:$AWS_ACCOUNT_ID:topic/sdk/test/java",
        "arn:aws:iot:us-west-2:$AWS_ACCOUNT_ID:topic/sdk/test/Python",
        "arn:aws:iot:us-west-2:$AWS_ACCOUNT_ID:topic/topic_1",
        "arn:aws:iot:us-west-2:$AWS_ACCOUNT_ID:topic/topic_2"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:$AWS_ACCOUNT_ID:topicfilter/sdk/test/java",
        "arn:aws:iot:us-west-2:$AWS_ACCOUNT_ID:topicfilter/sdk/test/Python",
        "arn:aws:iot:us-west-2:$AWS_ACCOUNT_ID:topicfilter/topic_1",
        "arn:aws:iot:us-west-2:$AWS_ACCOUNT_ID:topicfilter/topic_2"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:$AWS_ACCOUNT_ID:client/sdk-java",
        "arn:aws:iot:us-west-2:$AWS_ACCOUNT_ID:client/basicPubSub",
        "arn:aws:iot:us-west-2:$AWS_ACCOUNT_ID:client/sdk-nodejs-*"
      ]
    }
  ]
}

It looks like the resources defined in the policy's iot:Connect statement were the culprit: the only resource needed is the actual client itself. The following policy fixed it for me:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Receive",
        "iot:RetainPublish"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:$AWS_ACCOUNT_ID:topic/sdk/test/java",
        "arn:aws:iot:us-west-2:$AWS_ACCOUNT_ID:topic/sdk/test/Python",
        "arn:aws:iot:us-west-2:$AWS_ACCOUNT_ID:topic/topic_1",
        "arn:aws:iot:us-west-2:$AWS_ACCOUNT_ID:topic/topic_2"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:$AWS_ACCOUNT_ID:topicfilter/sdk/test/java",
        "arn:aws:iot:us-west-2:$AWS_ACCOUNT_ID:topicfilter/sdk/test/Python",
        "arn:aws:iot:us-west-2:$AWS_ACCOUNT_ID:topicfilter/topic_1",
        "arn:aws:iot:us-west-2:$AWS_ACCOUNT_ID:topicfilter/topic_2"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:$AWS_ACCOUNT_ID:client/caleb-test"
      ]
    }
  ]
}
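A pre-flight check for the mismatch the answer describes, added here as an example and not code from the original post or from the AWS SDK: it evaluates a policy's iot:Connect statements against the client ARN AWS IoT derives from the clientId you are about to connect with, using the same "*" wildcard semantics AWS IoT applies to resource ARNs, so the mismatch surfaces before the broker simply drops the connection (the opaque AWS_ERROR_MQTT_UNEXPECTED_HANGUP in the question). The account id, the helper names (`policyAllows`, `canConnect`) and the two sample policies are constructed for the example; it ignores Condition elements and policy variables such as thing-name substitutions, which AWS IoT does evaluate.

```javascript
// Added example: check whether an AWS IoT policy lets a given clientId
// connect. Not part of the original post; helper names are made up here.

// Turn an IoT resource or action pattern (which may contain "*") into an
// anchored regular expression. Every regex metacharacter except "*" is
// escaped, so "client/sdk-nodejs-*" matches "client/sdk-nodejs-123" only.
function arnToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$');
}

// True when some Allow statement grants `action` on `resourceArn` and no
// Deny statement forbids it (an explicit deny wins, as in IAM).
// Condition elements and policy variables are deliberately not handled.
function policyAllows(policy, action, resourceArn) {
  let allowed = false;
  for (const stmt of policy.Statement) {
    const actions = [].concat(stmt.Action);
    const resources = [].concat(stmt.Resource);
    const hit =
      actions.some((a) => arnToRegExp(a).test(action)) &&
      resources.some((r) => arnToRegExp(r).test(resourceArn));
    if (!hit) continue;
    if (stmt.Effect === 'Deny') return false;
    if (stmt.Effect === 'Allow') allowed = true;
  }
  return allowed;
}

// The client ARN AWS IoT evaluates for iot:Connect is built from the
// region, the account and the MQTT clientId, not from the thing name.
function clientArn(region, accountId, clientId) {
  return `arn:aws:iot:${region}:${accountId}:client/${clientId}`;
}

// Convenience wrapper: can this clientId connect under this policy?
function canConnect(policy, region, accountId, clientId) {
  return policyAllows(policy, 'iot:Connect', clientArn(region, accountId, clientId));
}

// Constructed sample policies mirroring the two iot:Connect statements in
// the post. The account id is a placeholder, not a real account.
const ACCOUNT = '123456789012';
const REGION = 'us-west-2';

const brokenPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['iot:Connect'],
    Resource: [
      `arn:aws:iot:${REGION}:${ACCOUNT}:client/sdk-java`,
      `arn:aws:iot:${REGION}:${ACCOUNT}:client/basicPubSub`,
      `arn:aws:iot:${REGION}:${ACCOUNT}:client/sdk-nodejs-*`,
    ],
  }],
};

const fixedPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['iot:Connect'],
    Resource: [`arn:aws:iot:${REGION}:${ACCOUNT}:client/caleb-test`],
  }],
};

// One-line verdict per policy, handy to run before you start the client.
function report(name, policy, clientId) {
  const ok = canConnect(policy, REGION, ACCOUNT, clientId);
  return `${name}: clientId "${clientId}" ${ok ? 'can' : 'can NOT'} connect`;
}

console.log(report('broken', brokenPolicy, 'caleb-test'));
console.log(report('fixed', fixedPolicy, 'caleb-test'));
```

Run it with the clientId you pass to the SDK (here "caleb-test", the value in the CloudWatch entry): the first policy fails the check because none of its three client ARNs matches, while the corrected policy passes. The anchored regex also shows why "sdk-nodejs-*" would not have helped: a wildcard only covers clientIds that start with that prefix.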