使用Amazon Cognito访问AWS Iot的禁止异常 [英] Forbidden Exception on accessing AWS Iot using Amazon Cognito

问题描述

我正在创建一个使用Amazon Cognito身份验证连接到AWS IoT的android应用程序。我能够成功验证用户身份，并且能够获得凭据。
使用这些凭据更新事物影子时，始终返回403禁止的异常。我已经尝试了所有方法来解决问题，但没有找到解决方法。

我的IAM政策是：

  {
版本： 2012-10-17，
声明：[
 {
效果：允许，
操作：[
 iot：GetThingShadow，
 iot：UpdateThingShadow，
 
]，
资源： [
 arn：aws：iot：us-west-2：< my_account> ;:事物/神话名称 
] 
} 
] 
} 
  

用于连接端点的Android代码：

  userSession = AppHelper.getCurrSession（）; 
凭据Provider =新的CognitoCachingCredentialsProvider（getApplicationContext（），POOL_ID，REGIONS）; 
 
 Map< String，String> logins = new HashMap< String，String>（）; 
 logins.put（ cognito-idp.us-west-2.amazonaws.com/user_pool_id，userSession.getIdToken（）。getJWTToken（））; 
 
凭据Provider.setLogins（登录）; 
 iotDataClient =新的AWSIotDataClient（credentialsProvider）; 
 
 iotDataClient.setEndpoint（ENDPOINT）; 
  

更新事物影子：

  UpdateThingShadowRequest request =新的UpdateThingShadowRequest（）; 
 request.setThingName（thingName）; 
 
 ByteBuffer payloadBuffer = ByteBuffer.wrap（updateState.getBytes（））; 
 request.setPayload（payloadBuffer）; 
 
 UpdateThingShadowResult result = iotDataClient.updateThingShadow（request）; 
  

在这方面的任何帮助将不胜感激。

解决方案

我遇到了与您相同的问题。我找到了解决方案。

403状态码表示您需要授权。

如果您阅读此文档（接近尾声）：发布/订阅政策例如，它表明您需要 2条策略以使其与身份验证的Cognito用户一起使用。一个用于Cognito身份池，另一个用于Cognito用户。

不可能通过UI将策略附加到认知用户，但是您可以通过CLI来实现。

将策略附加到认知用户的命令是：

aws iot attach-principal-policy --principal认知用户id --policy-Name策略名称

您可以在以下位置找到认知用户ID ： / p>

Cognito>经理联合身份>选择您的身份池>身份浏览器>并找到您的身份ID

我将此政策用于测试目的。

  {
版本： 2012-10-17，
声明：[
 {
效果：允许，
动作：[
 iot：* 
]，
资源：[
 * 
] 
} 
] 
} 
  

要使其可重用，您需要使用

  var AWS = require（'aws-sdk'）;  
 var iot =新的AWS.Iot（）; 
 
exports.handler =函数（事件，上下文，cb）{
 var params = {
 policyName：您的策略，
主体：您的认知ID '
}; 
 
 var out = iot.attachPrincipalPolicy（params，function（err，data）{
 if（err）cb（err）; 
 else cb（null，data）; 
}）; 
}; 
  

I am creating an android application which connects to AWS IoT using Amazon Cognito authentication. I am able to authenticate user successfully and I am able get the credentials. While updating the thing shadow using these credentials always return 403 Forbidden Exception. I have tried all my ways to troubleshoot the issue but I found no solutions.

My IAM Policy is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:GetThingShadow",
                "iot:UpdateThingShadow",

            ],
            "Resource": [
               "arn:aws:iot:us-west-2:<my_account>:thing/mythingname"
            ]
        }
    ]
}

Android code for connecting endpoint:

userSession= AppHelper.getCurrSession();
credentialsProvider=new CognitoCachingCredentialsProvider(getApplicationContext(),POOL_ID,REGIONS);

    Map<String,String> logins=new HashMap<String, String>();
    logins.put("cognito-idp.us-west-2.amazonaws.com/user_pool_id",userSession.getIdToken().getJWTToken());

    credentialsProvider.setLogins(logins);
    iotDataClient=new AWSIotDataClient(credentialsProvider);

    iotDataClient.setEndpoint(ENDPOINT);

Updating thing shadow:

 UpdateThingShadowRequest request=new UpdateThingShadowRequest();
            request.setThingName(thingName);

            ByteBuffer payloadBuffer=ByteBuffer.wrap(updateState.getBytes());
            request.setPayload(payloadBuffer);

            UpdateThingShadowResult result=iotDataClient.updateThingShadow(request);

Any help with this regard would be appreciated.

解决方案

I had the same issue as you. I've found a solution.

That 403 status code mean that you need authorization.

If you read this documentation (near the end) : Publish/Subscribe Policy Exemple it's stated that you need 2 policies to make it work with Authenticated Cognito User. One for the Cognito Identity Pool and another for the Cognito User.

It's not possible to attach a policy to a cognito user with the UI, but you can do it through the CLI.

The command to attach a policy to a cognito user is :

aws iot attach-principal-policy --principal "cognito user id" --policy-Name "policy name"

You can find your cognito user id in :

Cognito > Manager Federated Identities > choose your identity pool > identity browser > and find your identity ID

I use this policy for testing purpose.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:*"
            ],
            "Resource": [
                "*"
            ]
        }
     ]
 }

To make it reusable, you need to use a lambda function (here in JavaScript).

var AWS = require('aws-sdk');
var iot = new AWS.Iot();

exports.handler = function(event, context, cb) {
    var params = {
        policyName: 'your policy',
        principal: 'your cognito id'
    };

    var out = iot.attachPrincipalPolicy(params, function(err, data) {
        if (err) cb(err);
        else cb(null, data); 
    });
};

这篇关于使用Amazon Cognito访问AWS Iot的禁止异常的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！