Reputation: 1617
Based on the documentation, I understand how to create IoT things and also how to create authenticated users using AWS IoT. My question is geared towards how to effectively combine these services so that each user can access several of his or her devices securely.
Let's say Jane has just signed up for the platform and wants to connect her lightbulb device to her account. Let's also assume that her lightbulb device already has a certificate on it and a policy in IoT so that it can connect to the IoT platform and then publish and subscribe to a few topics. For the sake of simplicity, let's say that Jane can create this connection by simply making an API call named pairDevice which takes in a cognito identity (i.e. 59700b18-94c7-XXXX-857a-d820a68c0ec6) and a device serial number.
Basically I envision this function doing two things:
It will call "AttachPrincipalPolicy", which will link the policy associated with that lightbulb to the cognito user. I would assume that at this point the cognito user would be able to publish and subscribe to topics for that particular lightbulb and only that lightbulb.
It would add a DynamoDB entry in the user's account of the thing ARN so that it can be easily referenced and queried later.
So if my understanding is correct I would have a policy like this for each of my devices in IoT (should they also publish and subscribe to topics with the serial number too? I want to make sure that users cannot connect to devices they aren't allowed to obviously):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:us-west-1:123456789012:client/SerialNumber"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
And then I would simply attach this policy using AttachPrincipalPolicy to the cognito user? Do I need to have an explicit policy in Amazon Cognito identity pool for IoT Access, or is that linkage done specifically through AttachPrincipalPolicy?
Upvotes: 3
Views: 1319
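A sketch of the pairDevice call and a per-device policy that answers the "topics with the serial number too?" question, written as an added example (not code from the original post or from AWS): it uses boto3-style IoT and DynamoDB clients passed in as parameters so it runs offline, and the region, account id, the devices/<serial>/... topic layout and a thing name equal to the serial number are assumptions.

```python
# Added example, not code from the original post: region, account id, the
# "devices/<serial>/..." topic layout and thing name == serial number are assumptions.
REGION = "us-west-1"
ACCOUNT = "123456789012"


def device_policy_document(serial_number: str) -> dict:
    """IoT policy scoped to one device instead of the wildcard "*" in the question.

    Publish/Receive are limited to topics under devices/<serial>/ and Subscribe to
    the matching topic filters, so a paired identity reaches only that lightbulb.
    Pass the result through json.dumps() as policyDocument to iot.create_policy().
    """
    arn = f"arn:aws:iot:{REGION}:{ACCOUNT}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            # MQTT client ids must be unique per connection; "<serial>-*" lets the
            # device and the paired user hold sessions at the same time.
            {"Effect": "Allow", "Action": ["iot:Connect"],
             "Resource": [f"{arn}:client/{serial_number}-*"]},
            {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
             "Resource": [f"{arn}:topic/devices/{serial_number}/*"]},
            {"Effect": "Allow", "Action": ["iot:Subscribe"],
             "Resource": [f"{arn}:topicfilter/devices/{serial_number}/*"]},
        ],
    }


def pair_device(iot, table, identity_id: str, serial_number: str) -> str:
    """Record the pairing, then attach the device policy to the Cognito identity.

    `iot` is a boto3 IoT client and `table` a boto3 DynamoDB Table resource; both
    are passed in so the function can be exercised offline. The pairing row is
    written first with a condition that rejects a device already claimed by another
    identity, so the policy is attached only after ownership has been recorded.
    """
    thing_arn = f"arn:aws:iot:{REGION}:{ACCOUNT}:thing/{serial_number}"
    table.put_item(
        Item={"thingArn": thing_arn, "identityId": identity_id},
        ConditionExpression="attribute_not_exists(thingArn)",
    )
    # Same API the question names; the policy "device-<serial>" is assumed to exist.
    iot.attach_principal_policy(
        policyName=f"device-{serial_number}", principal=identity_id
    )
    return thing_arn
```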
Reputation: 466
In order to authenticate an Amazon Cognito identity to publish MQTT messages over HTTP, you must specify two policies. The first policy must be attached to an Amazon Cognito identity pool role. This first policy is most likely the managed policy AWSIoTDataAccess.
The second policy must be attached to an Amazon Cognito user using the AWS IoT AttachPrincipalPolicy API.
An example application demonstrating this is:
https://github.com/awslabs/aws-iot-chat-example
For explicit instructions, you can read:
https://github.com/awslabs/aws-iot-chat-example/blob/master/docs/authentication.md
Upvotes: 2