# help

Daniel Gato

01/19/2022, 10:07 PM
I’m trying to allow my Cognito user to subscribe to IoT MQTT over WebSocket. The connection keeps closing, and I have these permissions:
```typescript
// `this.auth` is the SST Auth construct; `iam` is the CDK aws-iam module
this.auth.attachPermissionsForAuthUsers([
  api,
  'iot:*',
  // 'iot:Connect',
  // 'iot:Subscribe',
  // 'iot:Receive',
  new iam.PolicyStatement({
    actions: ['s3:*'],
    effect: iam.Effect.ALLOW,
    resources: [
      // `\${...}` is escaped so the IAM policy variable is left for IAM to resolve
      `${uploadsBucket.bucketArn}/private/\${cognito-identity.amazonaws.com:sub}/*`,
    ],
  }),
]);
```
Am I missing something here?

Adam Fanello

01/19/2022, 10:18 PM
That policy gives access to an S3 bucket, not MQTT.
Didn't I, in another thread, point you to a library that solves this? https://github.com/onicagroup/cargoplane/blob/master/cloud/lib/cargoplane-cloud.ts#L145
The authenticated Cognito user calls a Lambda, which returns credentials for the user.

Daniel Gato

01/19/2022, 10:46 PM
Yes, I checked it out, I’m trying to make it work with SST and CDK without external libraries and tools.

Adam Fanello

01/19/2022, 11:35 PM
Copy and paste whatever is useful then.

Daniel Gato

01/20/2022, 12:31 AM
I’m actually some steps further. I think I understand how it works now. IoT Core needs me to attach a policy for each user that will subscribe to my wss. To do that, I can either use the CLI (not very useful) or a Lambda with the identityId I get when a user makes a call. None of the Cognito triggers have the identityId. But I can get that ID if my front end calls an API endpoint or (apparently, but not confirmed) if the post-confirmation trigger makes an API call to an API Gateway, then it will set up the identityId (to be confirmed).