AWS IoT - Access shadow through .Net, REST, with certificate


Problem description

Trying to learn AWS IoT, I created a few "Things" + a Policy and I am even able to use IoT CLI to list-things or list-policies. I am even able to update the shadow through CLI with update-thing command through CLI. But once I try to access a Shadow through REST GET / POST request (through a .Net program or directly like https://XXXXXXXXXXXXX.iot.us-west-2.amazonaws.com/things/mything/shadow), I receive a "Missing Authentication Token". So I started to use a certificate. Here is part of my code:

string Certificate = "xxxxxxxxx-certificate.crt"; // downloaded from my thing
X509Certificate cert = new X509Certificate(Certificate);
WebRequestHandler handler = new WebRequestHandler();
handler.ClientCertificates.Add(cert);
HttpClient client = new HttpClient(handler);
// url = @"https://xxxxxxxxxxxxx.iot.us-west-2.amazonaws.com/things/<mything>/shadow";
HttpResponseMessage webResponse = client.GetAsync(url, HttpCompletionOption.ResponseContentRead).Result;

The result is:

StatusCode: 403, ReasonPhrase: 'Forbidden', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
{
x-amzn-RequestId: 25f3c1dc-9ddd-4787-a4cf-cb79dc96748b
connection: Keep-Alive
x-amzn-ErrorType: ForbiddenException:
Date: Tue, 15 Dec 2015 08:53:56 GMT
Content-Length: 91
Content-Type: application/json
}

Any help?

Recommended answer

If you want to publish and/or subscribe to topics, you can take two different approaches.

  1. HTTPS calls to the API endpoints.
  2. Using any supported AWS SDK of your choice (python, java, .NET, etc.) or the AWS CLI

The "missing authentication token" exception you get is due to unavailability of authentication tokens and amazon specific headers in your request. To make your HTTPS request work, you either use a rest client to add amazon specific headers or write a program.

You should try doing the following steps to make your https requests work.

For detailed steps, refer to http://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html

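TASK 1: CREATE A CANONICAL REQUEST

  • Step 1: Define the verb (GET, POST, etc.)
  • Step 2: Create the canonical URI.
  • Step 3: Create the canonical query string.
  • Step 4: Create the canonical headers and signed headers.
  • Step 5: Create the list of signed headers.
  • Step 6: Create the payload hash (hash of the request body content)
  • Step 7: Combine the elements to create the canonical request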

TASK 2: CREATE THE STRING TO SIGN

Using SHA256 algorithm, hash the canonical request (using any programming language/tools) and create a string to sign like below

string_to_sign = YourHashingAlgorithm + '\n' + CurrentDateInUTC + '\n' + credential_scope + '\n' + yourHashedCanonicalRequest

API's to AWS services are uniquely identified by service paths. For IOT it is "iotdata/aws4_request". So your credential_scope in the above 'string_to_sign' should be like

credential_scope = datestamp + '/' + us-west-2 + '/' + iotdata + '/' + 'aws4_request'

TASK 3: CALCULATE THE SIGNATURE

Calculate the hash using the same algorithm used in previous steps.

Refer to the above said link for more details.

TASK 4: ADD SIGNING INFORMATION TO THE REQUEST

Here you need to set some of the headers like 'x-amz-date', 'Authorization', 'SignedHeaders' and 'Signature'. This Signature header will carry the final value of the Step 3.

Note: None of these headers are optional. Every HTTPS request should have all this information for authentication and authorization. Else AWS API will reject it.

You should get a 200 OK response to assure that your request is actually processed.

Coming to your .Net approach, you can try using AWS's .NET SDK and try inspecting the final request. I never tried using x.509 certificates directly in code. I think you are missing headers in your requests.

In cURL it would be something like below

curl "https://iot.amazonaws.com" \
  --request GET \
  --form "Action=UpdateThing" \
  --form "UserName=iam_user" \
  --form "CertificateBody=@~/.aws/credentials/sample/cert.pem" \
  --form "Version=2010-05-08" \
  --form "AUTHPARAMS"

Hope this helps
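Tasks 1 to 4 of the answer above, carried through for a GET on the shadow URL from the question, as an added Python example that is not part of the original answer or of any AWS SDK. The function name sign_shadow_request, the choice to sign only the host and x-amz-date headers, and the sample endpoint, access key, secret and timestamp are assumptions constructed for illustration; `now` must be a UTC time, and the key pair is an IAM access key and secret, which is what SigV4 signs with.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

SERVICE = "iotdata"  # service name taken from the answer's credential scope


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_shadow_request(method, host, path, region, access_key, secret_key,
                        now, payload=b""):
    """Return (canonical_request, string_to_sign, headers) for one request."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = now.strftime("%Y%m%d")
    # Task 1: verb, URI, (empty) query string, headers, signed headers, payload hash
    canonical_headers = f"host:{host.lower()}\nx-amz-date:{amz_date}\n"
    signed_headers = "host;x-amz-date"
    payload_hash = hashlib.sha256(payload).hexdigest()
    canonical_request = "\n".join([method, quote(path, safe="/-_.~"), "",
                                   canonical_headers, signed_headers, payload_hash])

    # Task 2: string to sign, scoped to date/region/iotdata/aws4_request
    credential_scope = f"{datestamp}/{region}/{SERVICE}/aws4_request"
    hashed_request = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date,
                                credential_scope, hashed_request])

    # Task 3: derive the signing key step by step, then sign the string
    key = ("AWS4" + secret_key).encode("utf-8")
    for part in (datestamp, region, SERVICE, "aws4_request"):
        key = hmac_sha256(key, part)
    signature = hmac_sha256(key, string_to_sign).hex()
    # Task 4: the signature travels inside the Authorization header
    headers = {
        "x-amz-date": amz_date,
        "Authorization": f"AWS4-HMAC-SHA256 Credential={access_key}/{credential_scope}, "
                         f"SignedHeaders={signed_headers}, Signature={signature}",
    }
    return canonical_request, string_to_sign, headers


# Constructed sample values: placeholder endpoint, key pair and timestamp.
SAMPLE = sign_shadow_request(
    "GET", "XXXXXXXXXXXXX.iot.us-west-2.amazonaws.com", "/things/mything/shadow",
    "us-west-2", "AKIDEXAMPLE", "constructed-secret-not-a-real-key",
    datetime.datetime(2015, 12, 15, 8, 53, 56))
```

The returned headers are sent with the request unchanged; the service recomputes the same signature from the request it receives, so any difference in path, host or timestamp yields a mismatch and a rejected request.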
