I'm trying to connect to AWS IoT using web socket from the browser.
I've tried this example:
https://github.com/awslabs/aws-iot-examples/tree/master/mqttSample
And another one a little bit modfied so it can be used with Cognito Identity pool logged users.
https://github.com/dwyl/learn-aws-iot/blob/master/src/js/utils/request.js#L27
I can successfully connect if I use a IAM user with a valid IoT policy, but if I use the user credentials, I receive a "101 Switching Protocols" response but then it gets closed.
The IAM role associated with the authenticated user is correct, and I can sign requests and perform other private operations like calling APIG endpoints. Also the socket connection does not respond with 403. So it's likely not a permissions problem.
What else could it be?
For unauthenticated cognito identities the "Identity pool anauthenticated" role is sufficient to allow connecting to the IoT MQTT broker. However for authenticated cognito identities two things are required:
The "Identity pool authenticated" role must allow access to the IoT actions you require (e.g. connect, publish etc).
You must attach an IoT policy (exactly like the ones that are attached to your devices) to the cognito identity using the AttachPrincipalPolicy API
Step 2 is where I was stuck earlier today as it was not particularly clear anywhere that this was required.
AFAIK there is no way to attach the IoT policy to a cognito user from any of the AWS web sites. However if you have the AWS command line interface setup on your machine you can do it from there. The command looks like:
aws iot attach-principal-policy --policy-name <iot-policy-name> --principal <cognito-identity-id>
The cognito identity id can be found using the Federated Identities > Your Pool > Identity browser or you could also find it in the responses to your CognitoIdentityCredentials.get call. It looks like this us-east-1:ba7cef62-f3eb-5be2-87e5-fffbdeed2824
For a production system you'll obviously want to automate attaching this policy, probably using a lambda function on user signup.
The section of the docs that talks about needing to attach the IoT policy can be found on this page:
For an authenticated Amazon Cognito identity to publish MQTT messages over HTTP on topic1 in your AWS account, you must specify two policies, as outlined here. The first policy must be attached to an Amazon Cognito identity pool role and allow identities from that pool to make a publish call. The second policy is attached to an Amazon Cognito user using the AWS IoT AttachPrincipalPolicy API and allows the specified Amazon Cognito user access to the topic1 topic.
In order to implement Caleb's answer on the front-end, I had to do a couple things:
Create an IoT policy (named "default") by going to IoT Console > Security > Policies and copying and pasting the AWSIoTDataAccess policy contents into it
Add the following inline policy to my Cognito Identity Pool's authenticated role: {"Effect": "Allow", "Action": ["iot:AttachPrincipalPolicy"], "Resource": ["*"]
Then I updated my front-end code to look like:
AWS.config.region = process.env.AWS_REGION;
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: process.env.AWS_IDENTITY_POOL,
Logins: {
'graph.facebook.com': FACEBOOK_ACCESS_TOKEN
}
});
AWS.config.credentials.get(() => {
const IoT = new AWS.Iot();
IoT.attachPrincipalPolicy({
policyName: 'default',
principal: AWS.config.credentials.identityId
}, (err, res) => {
if (err) console.error(err);
// Connect to AWS IoT MQTT
});
});
Here is a code sample to attach an IoT policy to a Cognito user id from a Lambda (NodeJS) function.
function attachPrincipalPolicy(device_id, cognito_user_id) {
const iotMgmt = new AWS.Iot();
return new Promise(function(resolve, reject) {
let params = {
policyName: device_id + '_policy',
principal: cognito_user_id
};
console.log("Attaching IoT policy to Cognito principal")
iotMgmt.attachPrincipalPolicy(params, (err, res) => {
if (err) {
console.error(err);
reject(err);
} else {
resolve();
}
});
});
}
I refered to the answers of Caleb and senornestor, and the following implementation worked for me:
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: AWSConfiguration.poolId,
Logins: {
'accounts.google.com': user.Zi.id_token
}
});
var cognitoIdentity = new AWS.CognitoIdentity();
AWS.config.credentials.get(function(err, data) {
if (!err) {
console.log('retrieved identity: ' + AWS.config.credentials.identityId);
var params = {
IdentityId: AWS.config.credentials.identityId,
Logins: {
"accounts.google.com": user.Zi.id_token
}
};
cognitoIdentity.getCredentialsForIdentity(params, function(err, data) {
if (!err) {
console.log('retrieved credentials');
const IoT = new AWS.Iot();
IoT.attachPrincipalPolicy({
policyName: 'exampleIoTPolicy',
principal: AWS.config.credentials.identityId
}, (err, res) => {
if (err) console.error(err);
}); // Change the "policyName" to match your IoT Policy
} else {
console.log('error retrieving credentials: ' + err);
alert('error retrieving credentials: ' + err);
}
});
} else {
console.log('error retrieving identity:' + err);
alert('error retrieving identity: ' + err);
}
});
Here is an example application that should help demonstrate how to authenticate IoT with Cognito:
https://github.com/awslabs/aws-iot-chat-example
For explicit instructions, you can read:
https://github.com/awslabs/aws-iot-chat-example/blob/master/docs/authentication.md
It turns out, even in 2021, it is necessary to create a dedicated Lambda function that does the AttachPolicy (not AttachPrincipalPolicy because it is obsolete). As stated in the official Docs:
To attach an AWS IoT Core policy to a Amazon Cognito Identity, you must define a Lambda function that calls AttachPolicy.
The other answers showed how to implement that Lambda.
Related
I'm looking at using AWS Pinpoint to send push notifications to my react native app. However it seems that unauthenticated users are able to update user attributes for any user they wish, ie there is no access control. I'm new to mobile development, but isn't putting stuff like that into the frontend a security issue? If it were a web application, people would be able to inspect network calls to obtain credentials and make any call they wish to updateEndpoint. Is this not applicable to mobile apps or am I misunderstanding something?
Details:
There's a step in the setup that says Edit the IAM policy document for unauthenticated identities to allow permissions for the mobiletargeting:PutEvents and mobiletargeting:UpdateEndpoint actions
And react native code snippet provided goes as follows:
import Analytics from '#aws-amplify/analytics';
import Auth from '#aws-amplify/auth';';
const amplifyConfig = {
Auth: {
identityPoolId: 'COGNITO_IDENTITY_POOL_ID',
region: 'ap-south-1'
}
}
//Initialize Amplify
Auth.configure(amplifyConfig);
const analyticsConfig = {
AWSPinpoint: {
// Amazon Pinpoint App Client ID
appId: 'cd73a57d200e49e2bc4b97d6ebf63cd4',
// Amazon service region
region: 'ap-south-1',
mandatorySignIn: false,
}
}
Analytics.configure(analyticsConfig)
Analytics.updateEndpoint({
attributes: {
interests: ['science', 'politics', 'travel'],
//..
},
userId: 'UserIdValue',
userAttributes: {
username: 'ilovethecloud'
}
});
I'm not sure if this will help,
But you have 2 IAM policies (in Cognito Identity-pool), 1 for authenticated users and 1 for unauth. users.
You should restrict the IAM policy for unauth users, so they can't edit other users info.
Also, the credentials that you are given by Cognito, are temporal, they expire (and get renewed by your react-native app), so in that way you are safe.
I'm working on a node/express backend for an app. The authentication process is already setup with Auth0 and passport. But we need to use AWS now...
I've followed these docs and successfully tested the custom endpoint referenced at the end of the article: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-idp.html
but from here I'd like to connect to a identity pool in order to access AWS services. I keep getting errors, and though I can see the users in the AWS 'user pool', they aren't showing up in AWS 'identity pool'.
i was calling AWS using:
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: IDENTITY_POOL_ID,
Logins: {
"cognito-idp.<region>.amazonaws.com/<user-pool-id>":
id_token_from_provider,
},
})
the main error I keep getting is that the 'login token is invalid: issuer doesn't match the provider id'.
Any help is appreciated...
after some more digging: found this nice walkthrough by Auth0, https://auth0.com/docs/integrations/integrating-auth0-amazon-cognito-mobile-apps
I've skipped the user pool integration and am just using cognito for the 'identity pools'
my credentials map changed some as well:
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: "IDENTITY_POOL_ID",
Logins: {
"<PROVIDER_NAME_FROM_IAM": id_token,
},
})
I faced a problem when a user has signed up but doesn't want to confirm his email. The solution is to delete an unconfirmed user from AWS Cognito.
So as I don't know his password, I am trying to write a Lambda function which I will trigger through API Gateway. This lambda should remove Cognito user.
I wrote this code but it doesn't work.
var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider({
apiVersion: '2016-03-18',
});
var params = {
UserPoolId: 'us-east-1_123456',
Username: 'user#mail.com' // I want to remove this user
};
cognitoidentityserviceprovider.adminDeleteUser(params, function (err, data) {
if (err) {
callback(err, err.stack);
} else {
callback(data);
}
});
I get an error:
user is not authorized to perform ...
Because of security, I don't want to set my admin credentials on frontend part and I want to do all work in this lambda... How to do it?
Any ideas?
Any solutions to prevent this problem?
You can assign a role to the lambda function and make a call to cognito api without passing any argument to the library you use to access aws services, that way the credential provider would fallback to the assumed role and have the lambda execution role's identity.
Usually roles are the way to go with amazon related authorizations.
Btw, this means that you have to create an iam role, a policy with the right cognito actions allowed and attach it to said role.
const cisp = new CognitoIdentityServiceProvider({ apiVersion: '2016-04-18' })
cisp.adminDeleteUser().promise() //delete current user as admin
You would think two of Amazon's products would integrate nicely together. You'd also think that Amazon would have proper documentation on their services. Both are horribly wrong.
I'm using Account Linking with Alexa and using AWS Cognito as my oauth provider. I am able to successfully link my account just fine, and with every subsequent alexa invocation I get an access token returned back to me. Now what?
I need to be able to access other AWS services such as dynamo, lambda, and iot from my alexa lambda function. Thought it would be as easy as something like this:
var accessToken = event.session.user.accessToken;
var params = {
IdentityPoolId: "{identity_pool_id}",
Logins : {
'cognito-idp.us-east-1.amazonaws.com/{user_pool_id}' : accessToken
}
};
AWS.config.region = 'us-east-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials(params);
AWS.config.credentials.get(function(err) {
if (err) {
console.log(err);
} else {
console.log('success');
console.log("Cognito Identity Id: " + AWS.config.credentials.identityId);
}
});
But of course it's not that simple. Can anyone help me out?
You need to assign appropriate "Policies" for the created "Role" under IAM. All of the AWS services works on policy based access permissions and these must be explicitly attached with the IAM role for that role to be able to access/run the underlying service on the behalf of that user role.
In summary you need to assign policies from IAM related to "IOT", "DynamoDB", "Lambda", etc.
Good day,
I've got an API setup, it's sitting behind AWS's APIGateway, secured with IAM, in this case it's a Cognito Federated ID pool.
I have the following code:
function doFacebookLogin() {
FB.login(function (response) {
fbAuthToken = response.authResponse.accessToken;
doFetchProfile();
}, {scope: 'public_profile,email', return_scopes: true});
}
function doFetchProfile() {
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'eu-west-1:*****************************',
Logins: {
'graph.facebook.com': fbAuthToken
}
});
// Obtain AWS credentials
AWS.config.credentials.get(function () {
apigClient = apigClientFactory.newClient({
accessKey: AWS.config.credentials.accessKeyId,
secretKey: AWS.config.credentials.secretAccessKey,
sessionToken: AWS.config.credentials.sessionToken,
region: 'eu-west-1'
});
apigClient.userProfileGet({
'x-fb-access-token': fbAuthToken
}).then(function (data) {
console.log(data);
});
});
}
Right now, I'm sending the Facebook AccessToken in the header, because my server (sitting behind the AWS APIGateway) needs access to the user's facebook profile data.
I was hoping that by simply signing into the Cognito Federated ID pool, using the Facebook provider, would be enough to have AWS's APIGateway SDK pass the accessToken (in some form or another) along with every request.
It doesn't seem to be the case, I can't find a way to extract the Facebook data I need without sending the AccessToken in the header as per the example above.
Am I wrong in my understanding of what should happen?
Thanks for the help in advance :)
If you're server behind API Gateway needs the Facebook access token to access some Facebook APIs, then yes you'll always need to pass the Facebook access token through in API GW.
The Cognito federated login allows you to exchange a Facebook token for AWS credentials for accessing AWS-protected services.