我正在使用联合Cognito凭据(Facebook登录)上传到EC2的getThingShadow()的浏览器脚本,但只获取ForbiddenException:Forbidden
登录部分成功,我收到来自AWS.WebIdentityCredentials()的凭证(非空)
使用CLI手动授权Cognito ID(aws iot attach-principal-policy) Cognito_Auth_Rule允许iot:* too
看起来我按照手册做了一切,仍然无法获得iotData
http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/IotData.html
请指教,非常感谢任何评论
由于
尼克
我在Cognito_Auth_Rule附带的IAM政策是:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:*"
],
"Resource": [
"*"
]
}
]
}
获取凭据
iotData.config.credentials = new AWS.WebIdentityCredentials({
ProviderId: 'graph.facebook.com',
RoleArn: roleArn,
WebIdentityToken: response.authResponse.accessToken
});
我的代码
var params = {
thingName: 'thingName' /* required */
};
iotdata.getThingShadow(params, function (err, data) {
if (err) {
console.log(err, err.stack); // an error occurred
iotResults.innerHTML = err;
} else {
console.log(data); // successful response
iotResults.innerHTML = data;
}
});
错误消息:
Error: Forbidden
at Object.s [as extractError] (aws-sdk-2.7.20.min.js:37)
at constructor.i (aws-sdk-2.7.20.min.js:37)
at constructor.callListeners (aws-sdk-2.7.20.min.js:38)
at constructor.emit (aws-sdk-2.7.20.min.js:38)
at constructor.emitEvent (aws-sdk-2.7.20.min.js:37)
at constructor.e (aws-sdk-2.7.20.min.js:37)
at a.runTo (aws-sdk-2.7.20.min.js:39)
at aws-sdk-2.7.20.min.js:39
at constructor.<anonymous> (aws-sdk-2.7.20.min.js:37)
at constructor.<anonymous> (aws-sdk-2.7.20.min.js:37) "ForbiddenException: Forbidden
at Object.s [as extractError] (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:9704)
at constructor.i (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:14284)
at constructor.callListeners (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:38:4687)
at constructor.emit (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:38:4396)
at constructor.emitEvent (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:23801)
at constructor.e (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:19651)
at a.runTo (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:39:11367)
at https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:39:11574
at constructor.<anonymous> (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:19861)
at constructor.<anonymous> (https://sdk.amazonaws.com/js/aws-sdk-2.7.20.min.js:37:23856)"
答案 0 :(得分:1)
IAM策略很好......但您需要专门为该用户设置IoT策略...所以当创建用户时,或者现在用户登录时... ...
let iot = new AWS.Iot();
iot.attachPrincipalPolicy(
你应该注意到这个方法收到了policyName,这是政策的名称&#34;在IoT政策中#34; (不是在IAM政策中,所以在IoT中复制您的政策)和主体,即认知用户ID
不足以提供IAM策略,您还需要指定attachPrincipalPolicy
答案 1 :(得分:0)
要使用OP正在使用的iotdata.getThingShadow();方法通过浏览器读出Thing Shadow,您需要附加一个主要政策。
如果有人想知道,如何自动设置UXDart提到的iot.attachPrincipalPolicy:
cognitoIdentity.getId(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else{
cognitoId = data.IdentityId;
console.log('Cognito ID: ' + cognitoId);
var iot = new AWS.Iot();
iot.listPrincipalPolicies({principal: cognitoId}, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else{
console.log(data);
var found = false;
for(var i = 0; i < data.policies.length; i++) {
if (data.policies[i].policyName == 'your-iot-policy'){
found = true;
break;
}
}
if(found == false){
console.log("Versuche Policy einzutragen...")
iot.attachPrincipalPolicy({policyName: 'your-iot-policy', principal: cognitoId}, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log("Policy eingetragen!"); // successful response
});
}else console.log("Policy gefunden!");
}
});
}
});