I’m trying to allow my cognito user to subscribe t...
# helpd
Daniel Gato
01/19/2022, 10:07 PMI’m trying to allow my cognito user to subscribe to IoT mqtt websocket. The connection keeps closing and I have this permissions:
Copy code
this.auth.attachPermissionsForAuthUsers([
api,
'iot:*',
// 'iot:Connect',
// 'iot:Subscribe',
// 'iot:Receive',
new iam.PolicyStatement({
actions: ['s3:*'],
effect: iam.Effect.ALLOW,
resources: [
`${uploadsBucket.bucketArn}/private/\${<http://cognito-identity.amazonaws.com:sub|cognito-identity.amazonaws.com:sub>}/*`,
],
}),
]);a
Adam Fanello
01/19/2022, 10:18 PMThat policy gives access to an S3 bucket, not MQTT.
Adam Fanello
01/19/2022, 10:18 PMDidn't I, in another thread, point you to a library that solves this? https://github.com/onicagroup/cargoplane/blob/master/cloud/lib/cargoplane-cloud.ts#L145
Adam Fanello
01/19/2022, 10:19 PMThe authenticated Cognito user calls a Lambda, which returns a credentials for the user.
d
Daniel Gato
01/19/2022, 10:46 PMYes, I checked it out, I’m trying to make it work with SST and CDK without external libraries and tools.
a
Adam Fanello
01/19/2022, 11:35 PMCopy and paste whatever is useful then.
d
Daniel Gato
01/20/2022, 12:31 AMI’m actually some steps further. I think I understand how it works now.
IoT Core needs me to attach a policy with for each user that will subscribe to my wss.
To do that, I can either use the CLI (not very useful) or a lambda with the identityId I get when a user makes a call.
None of the cognito triggers have the identityId.
But I can get that ID if my front end calls an API endpoint or -apparently but not confirmed - if the post confirm account trigger makes an API call to an API Gateway then it will setup the identityId (to be confirmed)
2 Views