Using AWS IoT Core policy variables won't work (Cognito)

[tivaliy]

• I've searched for previous similar issues and didn't find any solution

Platform/OS/Device
macOS Catalina, python3.8

Describe the question
I faced with a weird behaviour using SDK and policy variables. The problem is that when I use AWS IoT Core policy variables then I'm not able to even connect to IoT Service.

Steps:

1. Create a thing in AWS IoT Registry, e.g. dummy (without any certificates).
2. Create a policy document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:us-east-1:XXXXXXXX:client/${iot:Connection.Thing.ThingName}"
      ]
    }
  ]
}

3. Attach a principal to the policy.
4. Configure IAM roles.
5. ...

Then I'm trying to connect:

mqtt_connection = mqtt_connection_builder.websockets_with_default_aws_signing(
    endpoint=host,
    client_bootstrap=client_bootstrap,
    region='us-east-1',
    credentials_provider=credentials_provider,
    websocket_proxy_options=None,
    ca_filepath=path_to_file,
    on_connection_interrupted=on_connection_interrupted,
    on_connection_resumed=on_connection_resumed,
    client_id='dummy',
    clean_session=False,
    keep_alive_secs=6)

connect_future = mqtt_connection.connect()
connect_future.result()

with the following result:

AwsCrtError: AwsCrtError(name='AWS_ERROR_MQTT_UNEXPECTED_HANGUP', message='The connection was closed unexpectedly.', code=5134)

However, when I change the policy document to a "hardcoded" thing name value (dummy) it works:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:us-east-1:XXXXXXXX:client/dummy"
      ]
    }
  ]
}

[jmklix]

Could you explain step 4 more. I attempted to reproduce the same error you're getting, but I was unable to. It might be on my end, because I changed an already working pub_sub and might have forgotten to change something.

[tivaliy]

@jmklix, I forgot to specify that I'm using Cognito User Pools to communicate with AWS IoT Core. So on the step 4 I'm adding AWS IoT-specific permission (AWSIoTDataAccess in particular) to the IAM role policy for the authenticated pool. And here is my credentials_provider:

credentials_provider = auth.AwsCredentialsProvider.new_static(access_key_id, secret_access_key, session_token=session_token)

[jmklix]

I'm still a little confused about how you set this up. Did you follow this guide or are you generating a session token like shown here?

[tivaliy]

Yeah, in my case I use approach that is similar to the first link you've provided, here is some code snippets using boto3 for auth flow:

import boto3

# CognitoIdentityProvider
cognito_idp_client = boto3.client('cognito-idp')

auth_data = {'USERNAME': 'some@user.com', 'PASSWORD': 'not-a-secret', 'SECRET_HASH': 'some-secret-hash-value'}
app_client_id = "6aXXXXXXXXXXXXXXX"

response = cognito_idp_client.initiate_auth(AuthFlow='USER_PASSWORD_AUTH', AuthParameters=auth_data, ClientId=app_client_id)
id_token = response['AuthenticationResult']['IdToken']

# CognitoIdentity
cognito_identity_client = boto3.client('cognito-identity')

cognito_idp = 'cognito-idp.us-east-1.amazonaws.com/us-east-1_XXXXXXXXX'
identity_pool_id = 'us-east-1:a01e51c1-XXXX-XXXX-XXXX-XXXXXXXXXXXX'

response = cognito_identity_client.get_id(IdentityPoolId=identity_pool_id, Logins={cognito_idp: id_token})
identity_id = response['IdentityId']

response = cognito_identity_client.get_credentials_for_identity(IdentityId=identity_id, Logins={cognito_idp: id_token})

access_key_id, secret_access_key, session_token = response['Credentials']['AccessKeyId'], response['Credentials']['SecretKey'], response['Credentials']['SessionToken']

Now let's connect to AWS IoT.
FYI:

1. AWS IoT-specific permission already attached (AWSIoTDataAccess in particular) to the IAM role policy for the authenticated pool
2. Pre-created IoT policy was attached to the principal, i.e.: aws iot attach-principal-policy --policy-name 'demo-policy' --principal 'us-east-1:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'

...
client_id = 'dummy'
credentials_provider = auth.AwsCredentialsProvider.new_static(access_key_id, secret_access_key, session_token=session_token)
...
# Prepare data for mqtt_connection_builder
...
...
mqtt_connection = mqtt_connection_builder.websockets_with_default_aws_signing(
    endpoint=host,
    client_bootstrap=client_bootstrap,
    region='us-east-1',
    credentials_provider=credentials_provider,
    websocket_proxy_options=None,
    ca_filepath=path_to_root,
    on_connection_interrupted=on_connection_interrupted,
    on_connection_resumed=on_connection_resumed,
    client_id=client_id,
    clean_session=False,
    keep_alive_secs=6)
connect_future = mqtt_connection.connect()
connect_future.result()

and the result is :

AwsCrtError: AwsCrtError(name='AWS_ERROR_MQTT_UNEXPECTED_HANGUP', message='The connection was closed unexpectedly.', code=5134)

However it will work if I specify policy in the following manner (with explicit client_id value rather then policy variable)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:us-east-1:XXXXXXXX:client/dummy"
      ]
    }
  ]
}

Even more if I will create a policy with Cognito Identity Id policy variable ${cognito-identity.amazonaws.com:sub} I will be able to connect to AWS IoT with client_id equals to Cognito Identity value:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:us-east-1:149117197771:client/${cognito-identity.amazonaws.com:sub}"
      ]
    }
  ]
}

[jmklix]

Sorry for the slow response, but I haven't been able to get it working. I have also noticed that we don't currently support the v2 sdk's with Cognito yet. I will change this to a feature request so we can make sure to update you when we implement it.