无法通过Websocket使用MQTT在AWS IoT上发布或订阅 [英] Cannot Pub or Sub on AWS IoT using MQTT over Websockets

问题描述

我可以使用Websockets上的MQTT成功连接到AWS IoT.但是，在发布或订阅时，连接会终止.我认为这一定是AWS的基于策略/权限的问题，但我相信自己拥有正确的权限. 这是我的设置:

I can successfully connect to AWS IoT using MQTT over Websockets. But when publishing or subscribing, the connection is terminated. I figure it must be a policy/permissions-based issue with AWS, but I am confident that I have the correct permissions. Here is my setup:

我有一个lambda函数，可以使用STS假定角色创建一个签名的url(策略权限会更严格，但是我允许访问所有资源上的所有IoT函数以进行测试):

I have a lambda function which creates a signed url using STS assumeRole (permissions in policy will be tighter but I have allowed access to all iot functions on all resources for testing):

const config = require('./config');
const crypto = require('crypto');
const v4 = require('aws-signature-v4');
const async = require('async');
const util = require('util');
const AWS = require('aws-sdk');

exports.handler = function (event, context) {

var fail = function (err) {
    console.error(err);
    context.fail('Oops, something went wrong with your request');
};

const iot = new AWS.Iot();
const sts = new AWS.STS({region: 'eu-west-1'});
var params = {
    DurationSeconds: 3600,
    ExternalId: Date.now().toString(),
    Policy: JSON.stringify(
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "iot:*",
                    ],
                    "Resource": [
                        "*"
                    ]
                }
            ]
        }
    ),
    RoleArn: "arn:aws:iam::ACC_ID:role/iot_websocket_url_role",
    RoleSessionName: 'expo-' + Date.now()
};

sts.assumeRole(params, function(err, stsData) {
    if (err) {
        fail(err);
        return;
    }
    console.log(stsData);

    const AWS_IOT_ENDPOINT_HOST = 'MYENDPOINT.iot.eu-west-1.amazonaws.com';

    var url = v4.createPresignedURL(
        'GET',
        AWS_IOT_ENDPOINT_HOST,
        '/mqtt',
        'iotdata',
        crypto.createHash('sha256').update('', 'utf8').digest('hex'),
        {
            key: stsData.Credentials.AccessKeyId,
            secret: stsData.Credentials.SecretAccessKey,
            protocol: 'wss',
            expires: 3600,
            region: 'eu-west-1'
        }
    );
    url += '&X-Amz-Security-Token=' + encodeURIComponent(stsData.Credentials.SessionToken);
    console.log(url);

    context.succeed({url: url});

});

};

此处提供的RoleArn具有以下策略:

The RoleArn provided here has the following policy:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "Stmt1488299712000",
        "Effect": "Allow",
        "Action": [
            "iot:*"
        ],
        "Resource": [
            "*"
        ]
    }
]

}

我在Polymer项目中将mqtt-elements用于前端代码. 我已经通过使用Mosquitto消息代理程序验证了它是否可以正常工作，并且Pub/Sub可以正常工作.

I am using mqtt-elements in a Polymer project for my frontend code. I have validated that this works correctly by using Mosquitto message broker and Pub/Sub works fine with it.

我已启用了将AWS IoT调试到CloudWatch中的功能.这是日志:

I have enabled debugging on AWS IoT into CloudWatch. Here is the log:

2017-03-24 15:58:07.027 TRACEID:REDACTED PRINCIPALID:REDACTED/REDACTED [INFO] EVENT:MQTT Client Connect MESSAGE:Connect Status: SUCCESS

2017-03-24 15:58:07.027 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTT Client Connect MESSAGE: IpAddress: REDACTED SourcePort: 41430

2017-03-24 15:58:07.059 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe TOPICNAME:doorLatch MESSAGE:Subscribe Status: AUTHORIZATION_ERROR

2017-03-24 15:58:07.059 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe MESSAGE: IpAddress: REDACTED SourcePort: 41430

2017-03-24 15:58:07.068 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe TOPICNAME:doorLatch MESSAGE:Subscribe Status: AUTHORIZATION_ERROR

2017-03-24 15:58:07.068 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe MESSAGE: IpAddress: REDACTED SourcePort: 41430

2017-03-24 15:58:07.069 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTT Client Disconnect MESSAGE:Disconnect Status: SUCCESS

2017-03-24 15:58:07.069 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTT Client Disconnect MESSAGE: IpAddress: REDACTED SourcePort: 41430

因此很明显，问题是授权之一.但是，我所担当的策略以及承担角色功能显然是非常宽松的，应启用到AWS IoT的消息发布和订阅.

So it's clear that the issue is one of Authorization. But the policies in my role + the assumeRole function are clearly very permissive and should enable Pub&Sub of messages to AWS IoT.

在此问题上，我将不胜感激.

I'd appreciate any information on this matter.

我也在AWS论坛上提出了此问题

推荐答案

无法将STS用于IoT连接.在Websocket上使用MQTT的唯一方法是使用经过Cognito身份验证的身份.

It is not possible to use STS for an IoT connection. The only way to use MQTT over websockets is to use a Cognito authenticated identity.

这篇关于无法通过Websocket使用MQTT在AWS IoT上发布或订阅的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！