Question

我可以使用MQTT over Websockets成功连接到AWS IoT。但是在发布或订阅时，连接将终止。我认为它必须是AWS的基于策略/权限的问题，但我相信我拥有正确的权限。这是我的设置：

我有一个lambda函数，它使用STS assumeRole创建一个签名的URL（策略中的权限会更严格但我允许访问所有资源上的所有iot函数进行测试）：

const config = require('./config');
const crypto = require('crypto');
const v4 = require('aws-signature-v4');
const async = require('async');
const util = require('util');
const AWS = require('aws-sdk');

exports.handler = function (event, context) {

var fail = function (err) {
    console.error(err);
    context.fail('Oops, something went wrong with your request');
};

const iot = new AWS.Iot();
const sts = new AWS.STS({region: 'eu-west-1'});
var params = {
    DurationSeconds: 3600,
    ExternalId: Date.now().toString(),
    Policy: JSON.stringify(
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "iot:*",
                    ],
                    "Resource": [
                        "*"
                    ]
                }
            ]
        }
    ),
    RoleArn: "arn:aws:iam::ACC_ID:role/iot_websocket_url_role",
    RoleSessionName: 'expo-' + Date.now()
};

sts.assumeRole(params, function(err, stsData) {
    if (err) {
        fail(err);
        return;
    }
    console.log(stsData);

    const AWS_IOT_ENDPOINT_HOST = 'MYENDPOINT.iot.eu-west-1.amazonaws.com';

    var url = v4.createPresignedURL(
        'GET',
        AWS_IOT_ENDPOINT_HOST,
        '/mqtt',
        'iotdata',
        crypto.createHash('sha256').update('', 'utf8').digest('hex'),
        {
            key: stsData.Credentials.AccessKeyId,
            secret: stsData.Credentials.SecretAccessKey,
            protocol: 'wss',
            expires: 3600,
            region: 'eu-west-1'
        }
    );
    url += '&X-Amz-Security-Token=' + encodeURIComponent(stsData.Credentials.SessionToken);
    console.log(url);

    context.succeed({url: url});

});

};

此处提供的RoleArn具有以下政策：

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "Stmt1488299712000",
        "Effect": "Allow",
        "Action": [
            "iot:*"
        ],
        "Resource": [
            "*"
        ]
    }
]

}

我在Polymer项目中使用mqtt-elements作为我的前端代码。我已经通过使用Mosquitto消息代理和Pub / Sub可以正常工作来验证这是正常的。

我已启用AWS IoT上的调试到CloudWatch。这是日志：

2017-03-24 15:58:07.027 TRACEID:REDACTED PRINCIPALID:REDACTED/REDACTED [INFO] EVENT:MQTT Client Connect MESSAGE:Connect Status: SUCCESS

2017-03-24 15:58:07.027 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTT Client Connect MESSAGE: IpAddress: REDACTED SourcePort: 41430

2017-03-24 15:58:07.059 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe TOPICNAME:doorLatch MESSAGE:Subscribe Status: AUTHORIZATION_ERROR

2017-03-24 15:58:07.059 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe MESSAGE: IpAddress: REDACTED SourcePort: 41430

2017-03-24 15:58:07.068 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe TOPICNAME:doorLatch MESSAGE:Subscribe Status: AUTHORIZATION_ERROR

2017-03-24 15:58:07.068 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe MESSAGE: IpAddress: REDACTED SourcePort: 41430

2017-03-24 15:58:07.069 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTT Client Disconnect MESSAGE:Disconnect Status: SUCCESS

2017-03-24 15:58:07.069 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTT Client Disconnect MESSAGE: IpAddress: REDACTED SourcePort: 41430

所以很明显这个问题是授权问题之一。但是我的角色+ assumeRole函数中的策略显然非常宽松，并且应该将Pub＆amp; Sub消息启用到AWS IoT。

我很感激有关此事的任何信息。

编辑：我还有raised this issue on AWS Forums。

Answer 1

无法将STS用于物联网连接。在websockets上使用MQTT的唯一方法是使用Cognito身份验证身份。

AWS IoT上的Pub或Sub不能使用基于Websockets的MQTT

1 个答案: