AWS IoT test-authorization missing context values

0

Hello,

This is tangentially related to my question here Permissions for IoT Things and Cognito User/Identity Pools. I am trying to understand why my IoT Core Policy isn't working as expected using aws iot test-authorization, but am getting this error: "missingContextValues": ["cognito-identity.amazonaws.com:sub" ].

Setup

  • I have cognito user ABC, with associated Identity ID us-east-1:xxxxxx-xxxx-xxxx-xxxx-5f7a793d20cb. This identity has the IoT Core Policy test-policy (defined below) attached to it. The identity pool ID is us-east-1:xxxxxxx-xxxx-xxxx-xxxx-fe1a9f14f96b.
  • IAM policy for the Identity Pool allows full access to iot:*
  • IoT Thing named TestThing w/the test-policy (defined below) attached to it.
  • IoT Core Policy (named test-policy):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:sub": "us-east-1:xxxxxx-xxxx-xxxx-xxxx-5f7a793d20cb"
        }
      }
    }
  ]
}

I am running this test:

aws iot test-authorization --principal us-east-1:xxxxxx-xxxx-xxxx-xxxx-5f7a793d20cb --cognito-identity-pool-id us-east-1:xxxxxxx-xxxx-xxxx-xxxx-fe1a9f14f96b --auth-infos actionType=CONNECT,resources=arn:aws:iot:us-east-1:xxxxxxxxxxxxxxxx:client/ABC

However, I am getting this response:

{
    "authResults": [
        {
            "authInfo": {
                "actionType": "CONNECT",
                "resources": [
                    "arn:aws:iot:us-east-1:xxxxxxxxxxxxx:client/ABC"
                ]
            },
            "allowed": {
                "policies": []
            },
            "denied": {
                "implicitDeny": {
                    "policies": [
                        {
                            "policyName": "test-policy",
                            "policyArn": "arn:aws:iot:us-east-1:xxxxxxxxxxxxx:policy/test-policy"
                        }
                    ]
                },
                "explicitDeny": {
                    "policies": []
                }
            },
            "authDecision": "IMPLICIT_DENY",
            "missingContextValues": [
                "cognito-identity.amazonaws.com:sub"
            ]
        }
    ]
}

I would expect this to pass, since the CONNECT action is allowed for everyone. My best guess is that the policy can't properly be evaluated because of the missingContextValues issue, so it returns a deny. When I test this with my Python script, which logs the user in and retrieves credentials, it connects to the MQTT server just fine.

Is there a way to provide this context value in the test-authorization call?

Thank you!

  • I believe your issue is that you are trying to use "cognito-identity.amazonaws.com:sub", which is an IAM policy level variable and not an IoT Policy level variable. IoT policies have no idea what "cognito-identity.amazonaws.com:sub" is, and as far as the documentation goes it is not supported at the IoT Policy level. Here are the variables that you can use in IoT Policy - https://docs.aws.amazon.com/iot/latest/developerguide/thing-policy-variables.html
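A check that separates a genuine deny from a "could not evaluate" result, added here as example code (it is not the poster's script nor AWS code). The policy document and the test-authorization response are the ones shown in the question; the helper names, the label scheme and the boto3 wrapper are my own assumptions. The idea is the one the question raises: when the simulator lists a missingContextValue that the policy actually conditions on, the resulting IMPLICIT_DENY tells you nothing about what a real Cognito-authenticated connection will get, so the result should be flagged rather than read as a denial.

```python
"""Classify aws iot test-authorization results against the policy under test.

Example code added for this thread, not the poster's script or an AWS API.
The policy and the response below are copied from the question; the helpers
and the boto3 wrapper are assumptions.
"""
import json

# Constructed from the question's IoT Core policy (identity ID redacted as in the post).
TEST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "iot:Publish",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:sub": "us-east-1:xxxxxx-xxxx-xxxx-xxxx-5f7a793d20cb"
                }
            },
        },
    ],
}

# Constructed from the test-authorization response shown in the question.
TEST_RESPONSE = {
    "authResults": [
        {
            "authInfo": {
                "actionType": "CONNECT",
                "resources": ["arn:aws:iot:us-east-1:xxxxxxxxxxxxx:client/ABC"],
            },
            "allowed": {"policies": []},
            "denied": {
                "implicitDeny": {
                    "policies": [
                        {
                            "policyName": "test-policy",
                            "policyArn": "arn:aws:iot:us-east-1:xxxxxxxxxxxxx:policy/test-policy",
                        }
                    ]
                },
                "explicitDeny": {"policies": []},
            },
            "authDecision": "IMPLICIT_DENY",
            "missingContextValues": ["cognito-identity.amazonaws.com:sub"],
        }
    ]
}


def condition_keys(policy):
    """Return every condition key used anywhere in the policy document."""
    keys = set()
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    for stmt in statements:
        for operator_block in stmt.get("Condition", {}).values():
            keys.update(operator_block.keys())
    return keys


def classify_results(policy, response):
    """Label each authResult as ALLOW, DENY or UNEVALUATED.

    UNEVALUATED means the simulator reported a missing context value that the
    policy conditions on, so the deny reflects the test harness, not the policy.
    """
    keys = condition_keys(policy)
    verdicts = []
    for result in response.get("authResults", []):
        decision = result.get("authDecision")
        missing = set(result.get("missingContextValues", [])) & keys
        if decision == "ALLOWED":
            label = "ALLOW"
        elif missing:
            label = "UNEVALUATED"
        else:
            label = "DENY"
        verdicts.append({
            "action": result["authInfo"]["actionType"],
            "decision": decision,
            "label": label,
            "missing": sorted(missing),
        })
    return verdicts


def run_test_authorization(principal, identity_pool_id, auth_infos, region="us-east-1"):
    """Live call to boto3's iot.test_authorization (needs AWS credentials; not run offline)."""
    import boto3  # imported lazily so the offline helpers above need no AWS SDK
    iot = boto3.client("iot", region_name=region)
    return iot.test_authorization(
        principal=principal, cognitoIdentityPoolId=identity_pool_id, authInfos=auth_infos
    )


if __name__ == "__main__":
    for verdict in classify_results(TEST_POLICY, TEST_RESPONSE):
        print(json.dumps(verdict))
```

Run against the question's own response this labels the CONNECT result UNEVALUATED, because the only missing context key is one the policy's Publish statement conditions on; a response with no missing keys and the same IMPLICIT_DENY would be labelled DENY. To check a live identity pool, pass the principal, pool ID and authInfos from the question's CLI call to run_test_authorization and feed its return value to classify_results.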

No answers
