PubSub & IoT Policy: client connection not authorized if using aws_cognito_identity_pool_id #749

Closed
leantide opened this Issue Apr 27, 2018 · 4 comments

4 participants
leantide commented Apr 27, 2018

I am using AWS Amplify : PubSub on my web client to connect and publish/subscribe to IoT messages. See https://aws.github.io/aws-amplify/media/pub_sub_guide.

As specified in the documentation link, I am able to connect/publish/subscribe for a particular authenticated Cognito user if I manually attach the Cognito Id of the user to the IoT Policy certificate using: aws iot attach-principal-policy --policy-name 'myIOTPolicy' --principal '<YOUR_COGNITO_IDENTITY_ID>'.

But of course I cannot do this ahead of time for every potential Cognito user that may sign up.

I also observe in the documentation link that I can also use the aws_cognito_identity_pool_id as a generic way of attaching the entire Cognito pool to the IoT Policy, but unfortunately this did not work for me.

Is there a solution that would allow any Cognito user within the pool to access my IoT? Is there something missing in the documentation?

leantide commented Apr 28, 2018

I observe that Amplify PubSub can access IoT for non-authorized users (given the Federated Pool is configured to provide access to AWS resources for unauthorized users). So things work as long as the user doesn't log in.

I observe that Amplify PubSub can access IoT for authorized users if the IoT Policy has the authorized user's Cognito attached to it. But the attachment is a manual process. And even if it was automated in some Lambda somehow, do we really want 100,000 user ids attached to the IoT policy?

I presently do not see any way that PubSub can be used for a generic PubSub for users that have logged into the app. I would think this is a fundamental use case more than the previous two use cases.

Or am I missing something?

leantide commented Apr 30, 2018

Answer from AWS Support:

Currently, you need to create a policy for each authenticated Cognito principal, or let all users share the unauthenticated Cognito access (with access defined in your pool policy).

As you've probably seen, the overall idea of this use case is similar to the diagram here where specific users can access their IoT devices over a mobile app:
https://docs.aws.amazon.com/iot/latest/developerguide/cognito-identities.html

Since AWS IoT does support hundreds of thousands or even many millions of devices (each with its own device certificate identity attached to policies), it's OK to attach the Cognito identities too.
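The per-principal attachment described in the opening post's attach-principal-policy command and in the support answer above, as an added example that is not code from the issue or from Amplify: one IoT policy shared by every authenticated identity but scoped per user through the ${cognito-identity.amazonaws.com:sub} policy variable, plus an idempotent attach step of the kind a Lambda would run at sign-in. The region, account ID, policy name, topic root and the FakeIoT stand-in are assumptions; a real boto3 iot client exposes the same two calls.

```python
import json

# Added example, not code from the issue or from Amplify: one IoT policy shared by
# every authenticated Cognito identity but scoped per user via the policy
# variable ${cognito-identity.amazonaws.com:sub}, and an idempotent attach step.

def build_iot_policy(region, account_id, topic_root="app"):
    """Policy document (JSON) confining each user to <topic_root>/<identity id>/..."""
    arn = f"arn:aws:iot:{region}:{account_id}"
    sub = "${cognito-identity.amazonaws.com:sub}"  # resolved by AWS IoT per connection
    doc = {"Version": "2012-10-17", "Statement": [
        # Connect stays on client/* because the MQTT client ID is chosen by the
        # client library (assumption), so it cannot be tied to the identity.
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": f"{arn}:client/*"},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
         "Resource": f"{arn}:topic/{topic_root}/{sub}/*"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": f"{arn}:topicfilter/{topic_root}/{sub}/*"},
    ]}
    return json.dumps(doc, indent=2)

def ensure_policy_attached(iot, policy_name, identity_id):
    """Attach policy_name to a Cognito identity ID unless already attached.
    `iot` provides the boto3 IoT client calls list_targets_for_policy and
    attach_policy (programmatic form of `aws iot attach-principal-policy`).
    Returns True if a new attachment was made, False if it already existed."""
    targets, marker = [], None
    while True:  # paginate: a policy may have very many targets
        kwargs = {"policyName": policy_name}
        if marker:
            kwargs["marker"] = marker
        page = iot.list_targets_for_policy(**kwargs)
        targets.extend(page.get("targets", []))
        marker = page.get("nextMarker")
        if not marker:
            break
    if identity_id in targets:
        return False
    iot.attach_policy(policyName=policy_name, target=identity_id)
    return True

class FakeIoT:
    """Constructed offline stand-in for the boto3 IoT client (same call shapes)."""
    def __init__(self):
        self.attached = {"myIOTPolicy": []}
    def list_targets_for_policy(self, policyName, marker=None):
        return {"targets": list(self.attached[policyName])}
    def attach_policy(self, policyName, target):
        self.attached[policyName].append(target)
```

Because the policy body never names a user, the same document serves every identity and the per-principal attachment only needs to happen once per sign-up, with repeated calls being no-ops.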


Jun711 commented Aug 23, 2018

Hi @leantide, I wonder if you could elaborate on this line: let all users share the unauthenticated Cognito access (with access defined in your pool policy).

Thank you.


kirkryan commented Oct 28, 2018

It would be great if someone could show an example from start to finish as I've been stuck on this for days making no progress.
