使用Amazon Cognito访问AWS Iot的禁止异常 [英] Forbidden Exception on accessing AWS Iot using Amazon Cognito
问题描述
我正在创建一个使用Amazon Cognito身份验证连接到AWS IoT的android应用程序。我能够成功验证用户身份,并且能够获得凭据。
使用这些凭据更新事物影子时,始终返回403禁止的异常。我已经尝试了所有方法来解决问题,但没有找到解决方法。
我的IAM政策是:
{
版本: 2012-10-17,
声明:[
{
效果:允许,
操作:[
iot:GetThingShadow,
iot:UpdateThingShadow,
],
资源: [
arn:aws:iot:us-west-2:< my_account> ;:事物/神话名称
]
}
]
}
用于连接端点的Android代码:
userSession = AppHelper.getCurrSession();
凭据Provider =新的CognitoCachingCredentialsProvider(getApplicationContext(),POOL_ID,REGIONS);
Map< String,String> logins = new HashMap< String,String>();
logins.put( cognito-idp.us-west-2.amazonaws.com/user_pool_id,userSession.getIdToken()。getJWTToken());
凭据Provider.setLogins(登录);
iotDataClient =新的AWSIotDataClient(credentialsProvider);
iotDataClient.setEndpoint(ENDPOINT);
更新事物影子:
UpdateThingShadowRequest request =新的UpdateThingShadowRequest();
request.setThingName(thingName);
ByteBuffer payloadBuffer = ByteBuffer.wrap(updateState.getBytes());
request.setPayload(payloadBuffer);
UpdateThingShadowResult result = iotDataClient.updateThingShadow(request);
在这方面的任何帮助将不胜感激。
我遇到了与您相同的问题。我找到了解决方案。
403状态码表示您需要授权。
如果您阅读此文档(接近尾声):发布/订阅政策例如,它表明您需要 2条策略以使其与身份验证的Cognito用户一起使用。一个用于Cognito身份池,另一个用于Cognito用户。
不可能通过UI将策略附加到认知用户,但是您可以通过CLI来实现。
将策略附加到认知用户的命令是:
aws iot attach-principal-policy --principal认知用户id --policy-Name策略名称
您可以在以下位置找到认知用户ID : / p>
Cognito>经理联合身份>选择您的身份池>身份浏览器>并找到您的身份ID
我将此政策用于测试目的。
{
版本: 2012-10-17,
声明:[
{
效果:允许,
动作:[
iot:*
],
资源:[
*
]
}
]
}
要使其可重用,您需要使用
var AWS = require('aws-sdk');
var iot =新的AWS.Iot();
exports.handler =函数(事件,上下文,cb){
var params = {
policyName:您的策略,
主体:您的认知ID '
};
var out = iot.attachPrincipalPolicy(params,function(err,data){
if(err)cb(err);
else cb(null,data);
});
};
I am creating an android application which connects to AWS IoT using Amazon Cognito authentication. I am able to authenticate user successfully and I am able get the credentials. While updating the thing shadow using these credentials always return 403 Forbidden Exception. I have tried all my ways to troubleshoot the issue but I found no solutions.
My IAM Policy is:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:GetThingShadow",
"iot:UpdateThingShadow",
],
"Resource": [
"arn:aws:iot:us-west-2:<my_account>:thing/mythingname"
]
}
]
}
Android code for connecting endpoint:
userSession= AppHelper.getCurrSession();
credentialsProvider=new CognitoCachingCredentialsProvider(getApplicationContext(),POOL_ID,REGIONS);
Map<String,String> logins=new HashMap<String, String>();
logins.put("cognito-idp.us-west-2.amazonaws.com/user_pool_id",userSession.getIdToken().getJWTToken());
credentialsProvider.setLogins(logins);
iotDataClient=new AWSIotDataClient(credentialsProvider);
iotDataClient.setEndpoint(ENDPOINT);
Updating thing shadow:
UpdateThingShadowRequest request=new UpdateThingShadowRequest();
request.setThingName(thingName);
ByteBuffer payloadBuffer=ByteBuffer.wrap(updateState.getBytes());
request.setPayload(payloadBuffer);
UpdateThingShadowResult result=iotDataClient.updateThingShadow(request);
Any help with this regard would be appreciated.
I had the same issue as you. I've found a solution.
That 403 status code mean that you need authorization.
If you read this documentation (near the end) : Publish/Subscribe Policy Exemple it's stated that you need 2 policies to make it work with Authenticated Cognito User. One for the Cognito Identity Pool and another for the Cognito User.
It's not possible to attach a policy to a cognito user with the UI, but you can do it through the CLI.
The command to attach a policy to a cognito user is :
aws iot attach-principal-policy --principal "cognito user id" --policy-Name "policy name"
You can find your cognito user id in :
Cognito > Manager Federated Identities > choose your identity pool > identity browser > and find your identity ID
I use this policy for testing purpose.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:*"
],
"Resource": [
"*"
]
}
]
}
To make it reusable, you need to use a lambda function (here in JavaScript).
var AWS = require('aws-sdk');
var iot = new AWS.Iot();
exports.handler = function(event, context, cb) {
var params = {
policyName: 'your policy',
principal: 'your cognito id'
};
var out = iot.attachPrincipalPolicy(params, function(err, data) {
if (err) cb(err);
else cb(null, data);
});
};
这篇关于使用Amazon Cognito访问AWS Iot的禁止异常的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!