Hi Adrian,
in your code you subscribe to the topic xyz, but your policy only allows subscribing to the topic server. You don't need the client resource in the publish or subscribe actions. You can find some sample IoT policies at https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html. Maybe our blog about using standard MQTT libraries with AWS IoT Core can also provide some guidance for you.
Cheers,
Philipp
It seems that your AWS Lambda authorizer configuration might be the source of the issue. Your authorizer is configured to allow the "iot:Subscribe" action on specific resources, including the topic "server", but it does not explicitly allow subscription to the "xyz" topic, which your client is subscribing to.
To fix this, you should add an explicit permission for subscribing to the "xyz" topic in your authorizer's policy document. Here's how you can modify your policy document:
{
  "Effect": "Allow",
  "Action": "iot:Subscribe",
  "Resource": [
    "*",
    "arn:aws:iot:*:*:client/*",
    "arn:aws:iot:*:*:topicfilter/server",
    "arn:aws:iot:*:*:topicfilter/xyz" // Add this line to allow subscription to the "xyz" topic
  ]
}
After updating your authorizer's policy document, redeploy it and retry your MQTT client code. This should resolve the issue and allow your client to receive messages from the "xyz" topic.
Hey everybody, thanks for your answers and leading me to further inspect the permissions returned from the Lambda function authorizer.
Here's the policy I'm now returning and that finally works:
// Lambda custom authorizer for AWS IoT Core: returns the policy documents
// that govern what the connecting MQTT client may do.
module.exports.handler = async (event, _, callback) => {
  return ({
    isAuthenticated: true,
    principalId: 'Unauthenticated',
    policyDocuments: [
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            // Allow the MQTT connection itself (any client id).
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": "arn:aws:iot:*:*:client/*"
          },
          {
            // Subscriptions are checked against topicfilter/ resources.
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": [
              "arn:aws:iot:*:*:topicfilter/xyz"
            ]
          },
          {
            // Publishes are checked against topic/ resources.
            "Effect": "Allow",
            "Action": "iot:Publish",
            "Resource": [
              "arn:aws:iot:*:*:topic/xyz"
            ]
          },
          {
            // Without iot:Receive the subscription succeeds but no messages are delivered.
            "Effect": "Allow",
            "Action": [
              "iot:Receive"
            ],
            "Resource": [
              "arn:aws:iot:*:*:topic/xyz"
            ]
          }
        ]
      }
    ],
    // Force a disconnect after an hour; re-run the authorizer every 5 minutes.
    disconnectAfterInSeconds: 3600,
    refreshAfterInSeconds: 300
  });
};
The thing I was actually missing was the last iot:Receive action:
{
  "Effect": "Allow",
  "Action": [
    "iot:Receive"
  ],
  "Resource": [
    "arn:aws:iot:*:*:topic/xyz"
  ]
}
I saw this in the https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html article that Philipp shared. So I decided to mark his reply as the answer to my question. 😉
Thanks again guys for providing help!
Cheers! 🍻🍻
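An added example, not code from this thread or from AWS: a simplified JavaScript simulation of how the four actions a pub/sub client needs (Connect, Subscribe, Publish, Receive) are checked against the policy documents a custom authorizer returns. It is not AWS's own policy evaluator (it models only Allow/Deny with "*" and "?" wildcards), and the region and account in the request ARNs are constructed values. It reproduces both Philipp's point (a Subscribe grant on "server" does not cover "xyz") and the missing iot:Receive the asker ran into.

```javascript
// Turn a policy pattern such as "arn:aws:iot:*:*:topic/xyz" into a RegExp.
function patternToRegExp(pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$');
}
const asArray = (v) => (Array.isArray(v) ? v : [v]);
// Simplified evaluator (not AWS's own): allowed when some Allow statement
// matches both action and resource and no Deny statement does.
function isAllowed(policyDocuments, action, resource) {
  let allowed = false;
  for (const doc of policyDocuments) {
    for (const stmt of doc.Statement) {
      const actionHit = asArray(stmt.Action).some((a) => patternToRegExp(a).test(action));
      const resourceHit = asArray(stmt.Resource).some((r) => patternToRegExp(r).test(resource));
      if (!actionHit || !resourceHit) continue;
      if (stmt.Effect === 'Deny') return false; // an explicit Deny always wins
      allowed = true;
    }
  }
  return allowed;
}
// Constructed region/account values; a real request carries the caller's own.
const ARN = 'arn:aws:iot:us-east-1:123456789012';

// The four permissions a client that connects, subscribes to `topic`, publishes
// to it and expects messages back needs; returns the ones the policy does not grant.
function missingPermissions(policyDocuments, topic, clientId = 'device-1') {
  const required = [
    ['iot:Connect', `${ARN}:client/${clientId}`],
    ['iot:Subscribe', `${ARN}:topicfilter/${topic}`],
    ['iot:Publish', `${ARN}:topic/${topic}`],
    ['iot:Receive', `${ARN}:topic/${topic}`], // without this, subscribing succeeds but nothing is delivered
  ];
  return required.filter(([a, r]) => !isAllowed(policyDocuments, a, r)).map(([a]) => a);
}

// Build a policy document in the shape the authorizer returns from Action/Resource pairs.
const policy = (...allows) => [{ Version: '2012-10-17',
  Statement: allows.map(([Action, Resource]) => ({ Effect: 'Allow', Action, Resource })) }];
const connect = ['iot:Connect', 'arn:aws:iot:*:*:client/*'];
const subscribeXyz = ['iot:Subscribe', 'arn:aws:iot:*:*:topicfilter/xyz'];
const publishXyz = ['iot:Publish', 'arn:aws:iot:*:*:topic/xyz'];
// As Philipp noted: Subscribe granted only for "server", so a subscription to "xyz" is refused.
const subscribeServerOnly = policy(connect, ['iot:Subscribe', 'arn:aws:iot:*:*:topicfilter/server']);
// Connect/Subscribe/Publish on xyz but no iot:Receive: the gap the asker hit.
const noReceive = policy(connect, subscribeXyz, publishXyz);
// The final, working policy from the thread.
const finalPolicy = policy(connect, subscribeXyz, publishXyz, ['iot:Receive', 'arn:aws:iot:*:*:topic/xyz']);
console.log(missingPermissions(noReceive, 'xyz')); // [ 'iot:Receive' ]
```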