PubSub & IoT Policy: client connection not authorized if using aws_cognito_identity_pool_id #749
I am using AWS Amplify : PubSub on my web client to connect and publish/subscribe to IoT messages. See https://aws.github.io/aws-amplify/media/pub_sub_guide.
As specified in the documentation link, I am able to connect/publish/subscribe for a particular authenticated Cognito user if I manually attach the Cognito Id of the user to the IoT Policy certificate using: aws iot attach-principal-policy --policy-name 'myIOTPolicy' --principal '<YOUR_COGNITO_IDENTITY_ID>'.
But of course I cannot do this ahead of time for every potential Cognito user that may sign up.
I also observe in the documentation link that I can use the aws_cognito_identity_pool_id as a generic way of attaching the entire Cognito pool to the IoT Policy, but unfortunately this did not work for me.
Is there a solution that would allow any Cognito user within the pool to access my IoT? Is there something missing in the documentation?
I observe that Amplify PubSub can access IoT for non-authorized users (given the Federated Pool is configured to provide access to AWS resources for unauthorized users). So things work as long as the user doesn't log in.
I observe that Amplify PubSub can access IoT for authorized users if the IoT Policy has the authorized user's Cognito identity attached to it. But the attachment is a manual process. And even if it were automated in some Lambda somehow, do we really want 100,000 user IDs attached to the IoT policy?
I presently do not see any way that PubSub can be used as a generic PubSub for users that have logged into the app. I would think this is a more fundamental use case than the previous two use cases.
Or am I missing something?
Answer from AWS Support:
Currently, you need to create a policy for each authenticated Cognito principal, or let all users share the unauthenticated Cognito access (with access defined in your pool policy).
As you've probably seen, the overall idea of this use case is similar to the diagram here where specific users can access their IoT devices over a mobile app:
Since AWS IoT does support hundreds of thousands or even many millions of devices (each with its own device certificate identity attached to policies), it's OK to attach the Cognito identities too.
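The two points above, the reporter's "automated in some Lambda" idea and AWS Support's answer that attaching one policy per authenticated Cognito principal is acceptable, come together in the following added example. It is not Amplify code, not the reporter's, and not anything AWS Support provided. It assumes a Lambda (or any backend) that is handed the caller's Cognito identity ID (the event shape `event["identityId"]` is an assumption), uses the boto3 IoT client's `list_attached_policies` and `attach_policy` calls so the attachment is idempotent, and shows a least-privilege policy document that uses the IoT policy variable `${cognito-identity.amazonaws.com:sub}` so that the shared `myIOTPolicy` only ever grants each identity its own client ID and topic namespace. `FakeIotClient`, the identity ID, region and account number are constructed stand-ins so the block runs offline.

```python
# Added example, not code from Amplify, the issue reporter or AWS Support.
# Attach an IoT policy to a Cognito identity exactly once, from a backend
# that is given the identity ID after the user signs in (event shape assumed).
from typing import Dict, List


class FakeIotClient:
    """Offline stand-in for boto3.client('iot') that records attachments."""

    def __init__(self) -> None:
        self.attachments: Dict[str, List[str]] = {}

    def list_attached_policies(self, target: str, **_ignored):
        names = self.attachments.get(target, [])
        return {"policies": [{"policyName": n} for n in names]}

    def attach_policy(self, policyName: str, target: str):
        self.attachments.setdefault(target, []).append(policyName)
        return {}


def real_iot_client():
    """Real client for production; imported lazily so the example runs offline."""
    import boto3  # assumed installed in the Lambda runtime
    return boto3.client("iot")


def cognito_identity_id_is_valid(identity_id: str) -> bool:
    """Cognito identity IDs have the shape '<region>:<uuid>'; reject anything
    else before it is used as a policy target."""
    region, sep, uuid_part = identity_id.partition(":")
    return bool(region) and sep == ":" and len(uuid_part) == 36 and uuid_part.count("-") == 4


def ensure_policy_attached(iot, policy_name: str, identity_id: str) -> bool:
    """Attach policy_name to identity_id if not already attached.

    Returns True when a new attachment was made, False when it already existed,
    so a retried Lambda invocation never piles up duplicate calls.
    """
    if not cognito_identity_id_is_valid(identity_id):
        raise ValueError(f"not a Cognito identity ID: {identity_id!r}")
    response = iot.list_attached_policies(target=identity_id)
    attached = {p["policyName"] for p in response["policies"]}
    if policy_name in attached:
        return False
    iot.attach_policy(policyName=policy_name, target=identity_id)
    return True


def scoped_policy_document(region: str, account_id: str) -> dict:
    """Least-privilege IoT policy shared by all identities: the Cognito policy
    variable resolves per caller, so each identity may only connect as its own
    client ID and use topics under users/<its own identity>/."""
    sub = "${cognito-identity.amazonaws.com:sub}"
    arn = f"arn:aws:iot:{region}:{account_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": f"{arn}:client/{sub}"},
            {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
             "Resource": f"{arn}:topic/users/{sub}/*"},
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": f"{arn}:topicfilter/users/{sub}/*"},
        ],
    }


def handler(event: dict, iot=None) -> dict:
    """Lambda-style entry point. Assumes the caller supplies its identity ID
    in event['identityId']; policy name is the one from the issue."""
    iot = iot or real_iot_client()
    created = ensure_policy_attached(iot, "myIOTPolicy", event["identityId"])
    return {"attached": created}


if __name__ == "__main__":
    # Constructed identity ID and account; nothing here touches AWS.
    fake = FakeIotClient()
    ident = "us-east-1:12345678-1234-1234-1234-123456789012"
    print(handler({"identityId": ident}, iot=fake))   # first call attaches
    print(handler({"identityId": ident}, iot=fake))   # second call is a no-op
    print(scoped_policy_document("us-east-1", "123456789012")["Statement"][0])
```

Because the policy document itself is scoped by the identity variable, attaching the same policy to every authenticated identity (the approach AWS Support describes) does not widen any one user's access, and the "100,000 user IDs" concern becomes a bookkeeping question rather than an authorization one.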