I can successfully connect to AWS IoT using MQTT over Websockets. But when publishing or subscribing, the connection is terminated. I figure it must be a policy/permissions-based issue with AWS, but I am confident that I have the correct permissions. Here is my setup:
I have a lambda function which creates a signed url using STS assumeRole (permissions in policy will be tighter but I have allowed access to all iot functions on all resources for testing):
const config = require('./config');
const crypto = require('crypto');
const v4 = require('aws-signature-v4');
const async = require('async');
const util = require('util');
const AWS = require('aws-sdk');
exports.handler = function (event, context) {
var fail = function (err) {
console.error(err);
context.fail('Oops, something went wrong with your request');
};
const iot = new AWS.Iot();
const sts = new AWS.STS({region: 'eu-west-1'});
var params = {
DurationSeconds: 3600,
ExternalId: Date.now().toString(),
Policy: JSON.stringify(
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:*",
],
"Resource": [
"*"
]
}
]
}
),
RoleArn: "arn:aws:iam::ACC_ID:role/iot_websocket_url_role",
RoleSessionName: 'expo-' + Date.now()
};
sts.assumeRole(params, function(err, stsData) {
if (err) {
fail(err);
return;
}
console.log(stsData);
const AWS_IOT_ENDPOINT_HOST = 'MYENDPOINT.iot.eu-west-1.amazonaws.com';
var url = v4.createPresignedURL(
'GET',
AWS_IOT_ENDPOINT_HOST,
'/mqtt',
'iotdata',
crypto.createHash('sha256').update('', 'utf8').digest('hex'),
{
key: stsData.Credentials.AccessKeyId,
secret: stsData.Credentials.SecretAccessKey,
protocol: 'wss',
expires: 3600,
region: 'eu-west-1'
}
);
url += '&X-Amz-Security-Token=' + encodeURIComponent(stsData.Credentials.SessionToken);
console.log(url);
context.succeed({url: url});
});
};
The RoleArn provided here has the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1488299712000",
"Effect": "Allow",
"Action": [
"iot:*"
],
"Resource": [
"*"
]
}
]
}
I am using mqtt-elements in a Polymer project for my frontend code. I have validated that this works correctly by using Mosquitto message broker and Pub/Sub works fine with it.
I have enabled debugging on AWS IoT into CloudWatch. Here is the log:
2017-03-24 15:58:07.027 TRACEID:REDACTED PRINCIPALID:REDACTED/REDACTED [INFO] EVENT:MQTT Client Connect MESSAGE:Connect Status: SUCCESS
2017-03-24 15:58:07.027 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTT Client Connect MESSAGE: IpAddress: REDACTED SourcePort: 41430
2017-03-24 15:58:07.059 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe TOPICNAME:doorLatch MESSAGE:Subscribe Status: AUTHORIZATION_ERROR
2017-03-24 15:58:07.059 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe MESSAGE: IpAddress: REDACTED SourcePort: 41430
2017-03-24 15:58:07.068 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe TOPICNAME:doorLatch MESSAGE:Subscribe Status: AUTHORIZATION_ERROR
2017-03-24 15:58:07.068 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTTClient Subscribe MESSAGE: IpAddress: REDACTED SourcePort: 41430
2017-03-24 15:58:07.069 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTT Client Disconnect MESSAGE:Disconnect Status: SUCCESS
2017-03-24 15:58:07.069 TRACEID:REDACTED PRINCIPALID:REDACTED [INFO] EVENT:MQTT Client Disconnect MESSAGE: IpAddress: REDACTED SourcePort: 41430
So it's clear that the issue is one of Authorization. But the policies in my role + the assumeRole function are clearly very permissive and should enable Pub&Sub of messages to AWS IoT.
I'd appreciate any information on this matter.
Edit: I have also raised this issue on AWS Forums.
