I created an app that uses a Cognito authenticated User Pool. To connect to AWS IoT, I attached the following IAM role policy to Cognito_UserPoolAuth_Role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:*"
],
"Resource": "*"
}
]
}
In addition, I attached the principal policy (the Cognito identity of each user) to the IoT device policy in AWS IoT. The general shape of the IoT device policy is as follows (the `${...}` values are filled in when the per-identity policy is created):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Connect"
],
"Resource": "arn:aws:iot:${region}:${accountId}:client/${certificateId}"
},
{
"Effect": "Allow",
"Action": [
"iot:Publish",
"iot:Receive"
],
"Resource": "arn:aws:iot:${region}:${accountId}:topic/foo/bar/${certificateId}/*"
},
{
"Effect": "Allow",
"Action": [
"iot:Subscribe"
],
"Resource": "arn:aws:iot:${region}:${accountId}:topicfilter/foo/bar/${certificateId}/#"
}
]
}
WebSocket code in iOS:
self.iotDataManager.connectUsingWebSocket( withClientId: UUID().uuidString, cleanSession:true, statusCallback: self.mqttEventCallback(_:))
The problem is that, as long as the Connect Resource of the IoT Device Policy stays as shown above, the WebSocket connection from the iOS app keeps failing with the following error:
MQTT session error, code: 2
closing encoder stream.
closing decoder stream.
MQTT session closed.
Trying to reconnect to session.
Websocket did open and is Connected.
streamsThread is still running. Waiting for it to exit.
Signaling runloopSemaphore
Initializing MQTTEncoder and MQTTDecoder streams
opening encoder stream.
opening decoder stream.
MQTTEncoderStatus = 0
MQTTSessionStatus = 0
WebSocket closed with code:1001 with reason:Stream end encountered
If I adjust the Connect Resource as shown below, the WebSocket connects.
"Resource": [
"arn:aws:iot:${region}:${accountId}:client/${certificateId}",
"arn:aws:iot:${region}:${accountId}:client/${iot:ClientId}"
]
}
Is this approach secure enough? It accepts any client ID from anyone holding the certificate. Is there a way to connect to the AWS IoT WebSocket from the app without adding ${iot:ClientId} to the Connect Resource of the IoT policy?
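The following is an added worked example, not code from the question or from AWS. It models, offline, how AWS IoT resolves policy variables when a Cognito-authenticated WebSocket client connects, and compares the two Connect resources at issue. The question's policy hard-codes `client/${certificateId}` while the app connects with `UUID().uuidString`, so the Connect resource can never match. Putting `${iot:ClientId}` in the Connect resource makes it match whatever client ID the caller supplies, which is equivalent to `client/*`. The alternative shown here binds the client ID to the Cognito identity with the documented `${cognito-identity.amazonaws.com:sub}` variable, so the app must connect with its own identity ID as the client ID. The region, account ID and identity IDs are constructed placeholders, and the evaluator is a simplified model (no explicit Deny handling), not the AWS policy engine.

```python
import re
import uuid

# Constructed placeholders; not real account data.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
TOPIC_PREFIX = "foo/bar"  # the prefix used in the question's policy

# AWS IoT policy variables. ${iot:ClientId} is replaced by the client ID the
# MQTT CONNECT carries; ${cognito-identity.amazonaws.com:sub} by the Cognito
# identity ID behind the SigV4-signed WebSocket connection.
IOT_CLIENT_ID = "${iot:ClientId}"
COGNITO_SUB = "${cognito-identity.amazonaws.com:sub}"


def build_policy(client_var: str, topic_var: str) -> dict:
    """Per-identity IoT policy in the shape of the question's one, with the
    Connect resource and the topic owner expressed through policy variables."""
    arn = f"arn:aws:iot:{REGION}:{ACCOUNT_ID}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["iot:Connect"],
             "Resource": f"{arn}:client/{client_var}"},
            {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
             "Resource": f"{arn}:topic/{TOPIC_PREFIX}/{topic_var}/*"},
            {"Effect": "Allow", "Action": ["iot:Subscribe"],
             "Resource": f"{arn}:topicfilter/{TOPIC_PREFIX}/{topic_var}/#"},
        ],
    }


def resolve(resource: str, ctx: dict) -> str:
    """Substitute ${var} policy variables from the request context
    (simplified model; unknown variables are left as written)."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: ctx.get(m.group(1), m.group(0)), resource)


def _matches(pattern: str, value: str) -> bool:
    # '*' is the only wildcard in a resource ARN; '#' and '+' inside a
    # topicfilter ARN are literal MQTT filter characters, not policy wildcards.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """True if some Allow statement covers the action and resolved resource."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if any(_matches(resolve(r, ctx), resource) for r in resources):
            return True
    return False


def _ctx(identity_id: str, client_id: str) -> dict:
    return {"iot:ClientId": client_id,
            "cognito-identity.amazonaws.com:sub": identity_id}


def can_connect(policy: dict, identity_id: str, client_id: str) -> bool:
    """Evaluate iot:Connect for a Cognito identity presenting client_id."""
    resource = f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:client/{client_id}"
    return is_allowed(policy, "iot:Connect", resource, _ctx(identity_id, client_id))


def can_publish(policy: dict, identity_id: str, client_id: str, topic: str) -> bool:
    """Evaluate iot:Publish to a topic for the same connection."""
    resource = f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:topic/{topic}"
    return is_allowed(policy, "iot:Publish", resource, _ctx(identity_id, client_id))


# Constructed Cognito identity IDs for two different users.
IDENTITY = "us-east-1:0f1c2e3d-0000-4000-8000-000000000001"
OTHER = "us-east-1:0f1c2e3d-0000-4000-8000-000000000002"

# Client ID bound to the Cognito identity (the app connects with identity_id).
bound = build_policy(COGNITO_SUB, COGNITO_SUB)
# ${iot:ClientId} in the Connect resource, as in the question's workaround.
open_connect = build_policy(IOT_CLIENT_ID, COGNITO_SUB)


def demo() -> dict:
    random_client = str(uuid.uuid4())  # what UUID().uuidString produces
    return {
        "bound_random_uuid": can_connect(bound, IDENTITY, random_client),   # False
        "bound_own_identity": can_connect(bound, IDENTITY, IDENTITY),       # True
        "bound_other_identity": can_connect(bound, IDENTITY, OTHER),        # False
        "clientid_var_random_uuid": can_connect(open_connect, IDENTITY, random_client),  # True
        "clientid_var_anything": can_connect(open_connect, IDENTITY, "anything"),       # True
        "publish_own_topic": can_publish(bound, IDENTITY, IDENTITY, f"{TOPIC_PREFIX}/{IDENTITY}/state"),  # True
        "publish_other_topic": can_publish(bound, IDENTITY, IDENTITY, f"{TOPIC_PREFIX}/{OTHER}/state"),   # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'}")
```

With the bound policy, the only client ID a given identity can connect with is its own identity ID, so a user cannot impersonate another user's client (and cannot force-disconnect it by reusing its client ID), and the topic statements keep that user inside `foo/bar/<identity>/`. With `${iot:ClientId}` in the Connect resource, any client ID is accepted, so the remaining control is only that the caller holds valid Cognito credentials with this policy attached to its identity.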