IoT Connect with Cognito Authenticated users

Hi - I am trying to write a Python test client that uses a verified and authenticated user to pub/sub on IoT Core. It is failing when trying to get the result() of the connect_future (to IoT). The failure is:

[TRACE] [2024-01-11T14:33:26Z] [000000016b4fb000] [http-stream] - id=0x1119cfbd0: Incoming header: x-amzn-ErrorType: ResourceNotFoundException:
[TRACE] [2024-01-11T14:33:26Z] [000000016b4fb000] [http-stream] - id=0x1119cfbd0: Incoming header: x-amzn-ErrorMessage: Identity '<REGION>:<IDENTITY POOL ID>' not found.
[DEBUG] [2024-01-11T14:33:26Z] [000000016b4fb000] [http-stream] - id=0x1119cfbd0: Client request complete, response status: 400 (Bad Request).
[DEBUG] [2024-01-11T14:33:26Z] [000000016b4fb000] [AuthCredentialsProvider] - (id=0x111974e20): GetCredentialsForIdentity call completed with http status 400

Clearly it can't find the Identity ID I am sending. I have tried with the user's 'sub', and I have tried with <region>:user sub. Neither worked. I have seen lots of posts on getting the right ID, but I cannot seem to find what it might be. Definitely not for lack of trying.

My code snippet to create the provider is:

from awscrt import auth, io

# cmdData, accesstoken and identity_id are set earlier (not shown)
cognito_id_pool_endpoint = f"cognito-identity.{cmdData.input_signing_region}.amazonaws.com"
# Logins map: the user pool as key, the token from initiate_auth as value
l = [('cognito-idp.us-east-1.amazonaws.com/{user pool id}', accesstoken)]  # THE USER POOL
provider = auth.AwsCredentialsProvider.new_cognito(
    endpoint=cognito_id_pool_endpoint,
    identity=identity_id,  # THIS IS THE ERRORED VALUE, I BELIEVE
    logins=l,
    tls_ctx=io.ClientTlsContext(io.TlsContextOptions()))

My code to use the provider is:

import os
import uuid
from awsiot import mqtt_connection_builder

# Create connection builder (on_connection_failure is a callback defined earlier, not shown)
mqtt_connection = mqtt_connection_builder.websockets_with_default_aws_signing(
    endpoint=os.getenv('IOT_ENDPOINT'),
    region=os.getenv('IOT_REGION'),
    client_id=f'mydevice:{uuid.uuid4()}',
    on_connection_failure=on_connection_failure,
    credentials_provider=provider)

connect_future = mqtt_connection.connect()

connect_future.result()  # THIS IS THE EXCEPTION

Thank you!

1 Answer

Accepted Answer

I actually found the solution to this after MANY hours of tracing and documentation. In all of the examples given to use Cognito authenticated identities with IoT Core pub/sub, there is one key API call left out:

import os
import boto3

id_client = boto3.client('cognito-identity')
id_response = id_client.get_id(
    AccountId=os.getenv('AWS_ACCOUNT_ID'),  # AWS Account ID - I don't like this.
    IdentityPoolId=os.getenv('COGNITO_IDENTITY_POOL_ID'),
    Logins={
        os.getenv('COGNITO_USER_POOL_URL'): idtoken  # from initiate_auth authentication result
    }
)

identityId = id_response['IdentityId']  # You need this for the call to new_cognito(...)

This call comes after initiate_auth(...) and before auth.AwsCredentialsProvider.new_cognito(...), whose identity kwarg takes the result.

answered 4 months ago
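The end-to-end flow the answer describes (user pool login, GetId, then the credentials provider and WebSocket connection from the question), as an added example that is not code from the question, the answer or the AWS SDK. Assumptions of this example: the USER_PASSWORD_AUTH flow against an app client with no client secret; the env var names (AWS_REGION, COGNITO_USER_POOL_ID, COGNITO_APP_CLIENT_ID, COGNITO_USERNAME, COGNITO_PASSWORD, COGNITO_IDENTITY_POOL_ID, IOT_ENDPOINT); the helper names (user_pool_login_key, resolve_identity_id, connect_to_iot, FakeIdentityClient, demo_offline) and the sample IDs and tokens, which are constructed. The `new_cognito(...)` and `websockets_with_default_aws_signing(...)` calls are the ones from the question. The AWS clients are passed in as parameters, so the token and ID handling can be run offline against a constructed stand-in; the live run only happens under `__main__` when IOT_ENDPOINT is set.

```python
import os
import re
import uuid

# An identity pool ID and a per-user IdentityId both look like "<region>:<uuid>",
# which is how the question ends up sending the pool ID as the identity; a user
# pool 'sub' is a bare UUID. Only the IdentityId from GetId works for identity=...
_IDENTITY_RE = re.compile(
    r"[a-z]{2}(?:-gov)?-[a-z]+-\d:"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def looks_like_identity_id(value: str) -> bool:
    """True for the "<region>:<uuid>" shape shared by pool IDs and IdentityIds."""
    return _IDENTITY_RE.fullmatch(value) is not None


def user_pool_login_key(region: str, user_pool_id: str) -> str:
    """Key of the Logins map; its value must be the user pool ID token (not the access token)."""
    if not user_pool_id.startswith(region + "_"):  # user pool IDs are "<region>_<suffix>"
        raise ValueError(f"user pool {user_pool_id!r} is not in region {region!r}")
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def authenticate(idp_client, app_client_id: str, username: str, password: str) -> dict:
    """USER_PASSWORD_AUTH against the user pool; returns the AuthenticationResult tokens.
    Assumes an app client without a client secret (otherwise SECRET_HASH is required)."""
    resp = idp_client.initiate_auth(
        ClientId=app_client_id,
        AuthFlow="USER_PASSWORD_AUTH",
        AuthParameters={"USERNAME": username, "PASSWORD": password})
    if "AuthenticationResult" not in resp:
        # MFA / NEW_PASSWORD_REQUIRED etc.: there is no token set yet
        raise RuntimeError(f"unfinished auth challenge: {resp.get('ChallengeName')}")
    return resp["AuthenticationResult"]


def resolve_identity_id(identity_client, identity_pool_id: str,
                        login_key: str, id_token: str) -> str:
    """The GetId step from the accepted answer. AccountId is optional in the GetId
    API and is left out here; the ID token in Logins is what authorizes the call."""
    if not looks_like_identity_id(identity_pool_id):
        raise ValueError(f"{identity_pool_id!r} is not an identity pool ID")
    resp = identity_client.get_id(IdentityPoolId=identity_pool_id,
                                  Logins={login_key: id_token})
    identity_id = resp["IdentityId"]
    if identity_id == identity_pool_id or not looks_like_identity_id(identity_id):
        raise RuntimeError(f"unexpected IdentityId {identity_id!r}")
    return identity_id


def connect_to_iot(identity_id, login_key, id_token, region, iot_endpoint, client_id):
    """Credentials provider and WebSocket MQTT connection as in the question, now fed the
    IdentityId from GetId. Imports are local so the module loads without awscrt/awsiot."""
    from awscrt import auth, io
    from awsiot import mqtt_connection_builder
    provider = auth.AwsCredentialsProvider.new_cognito(
        endpoint=f"cognito-identity.{region}.amazonaws.com",
        identity=identity_id,
        logins=[(login_key, id_token)],
        tls_ctx=io.ClientTlsContext(io.TlsContextOptions()))
    connection = mqtt_connection_builder.websockets_with_default_aws_signing(
        endpoint=iot_endpoint, region=region, client_id=client_id,
        credentials_provider=provider)
    connection.connect().result()  # the call that raised in the question
    return connection


class FakeIdentityClient:
    """Constructed stand-in for boto3.client('cognito-identity'); records the GetId call."""
    def __init__(self, identity_id):
        self.identity_id, self.calls = identity_id, []

    def get_id(self, **kwargs):
        self.calls.append(kwargs)
        return {"IdentityId": self.identity_id}


def demo_offline() -> str:
    """Resolve an IdentityId with constructed pool IDs and a placeholder token."""
    key = user_pool_login_key("us-east-1", "us-east-1_AbCdEfGhI")
    fake = FakeIdentityClient("us-east-1:0f9e8d7c-6b5a-4321-8fed-cba987654321")
    return resolve_identity_id(fake, "us-east-1:11111111-2222-3333-4444-555555555555",
                               key, "<id token from initiate_auth>")


if __name__ == "__main__":
    print("offline IdentityId:", demo_offline())
    if os.getenv("IOT_ENDPOINT"):  # live run; env var names are this example's own
        import boto3
        region = os.environ["AWS_REGION"]
        key = user_pool_login_key(region, os.environ["COGNITO_USER_POOL_ID"])
        tokens = authenticate(boto3.client("cognito-idp", region_name=region),
                              os.environ["COGNITO_APP_CLIENT_ID"],
                              os.environ["COGNITO_USERNAME"], os.environ["COGNITO_PASSWORD"])
        identity_id = resolve_identity_id(boto3.client("cognito-identity", region_name=region),
                                          os.environ["COGNITO_IDENTITY_POOL_ID"],
                                          key, tokens["IdToken"])
        conn = connect_to_iot(identity_id, key, tokens["IdToken"], region,
                              os.environ["IOT_ENDPOINT"], f"mydevice:{uuid.uuid4()}")
        conn.disconnect().result()
```

Two things worth checking once the 400 is gone. The IdentityId is an identifier, not a secret; the ID token is the credential, so it should be held in memory only and never logged at the TRACE level shown above. And for a Cognito authenticated identity, the identity pool's authenticated IAM role is not enough on its own: IoT Core also evaluates an IoT policy attached to that IdentityId (for example `aws iot attach-policy --policy-name <name> --target <IdentityId>`), so the next failure after this one is typically the connection being refused on connect rather than the GetCredentialsForIdentity 400.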
