
What can be achieved by AttachThingPrincipal API when used with Cognito Identity?

0

Hi,

It is not quite clear in the documentation what can be achieved by using the "AttachThingPrincipal" API with a Cognito Identity. I know that by calling "AttachPolicy", I can attach an IoT Policy to a Cognito Identity to give it access to IoT Core.

Regarding "AttachThingPrincipal" the documentation states that:

You can use the AttachThingPrincipal API to attach certificates and authenticated Amazon Cognito identities to a thing. iot:Connection.Thing.ThingName is a useful thing policy variable to enforce client ID restrictions.

Does this mean that after attaching a Cognito Identity to a Thing by using the "AttachThingPrincipal" API, the Identity will be mapped to this Thing and ${iot:Connection.Thing.ThingName} set in the policy attached to the Cognito Identity will be resolved as the Thing Name?

4 Answers
1
Accepted Answer

Yes, your understanding is correct. In order to be able to use the Thing Policy variables in the AWS IoT Policies, the principal (certificate or Cognito Identity) must have been associated with a Thing.

AWS
EXPERT
answered 3 years ago
EXPERT
reviewed 2 years ago
0

I've encountered an issue: After using AttachThingPrincipal to bind the Cognito user ID with a thing name, when the app initiates an MQTT topic subscription, it must use this thing name (client ID). Currently, our thing name is similar to the device-side client ID. In this situation, when the device side initiates a topic subscription, it can't use this client ID anymore. If it continues to use the thing name (client ID), it will kick off the app's MQTT subscription events. Are we using it incorrectly, or is there something we've misunderstood?

answered a year ago
  • This is expected behaviour. You cannot have multiple MQTT clients with the same client ID connecting to IoT at the same time. You could name your device client <ThingName> but you'd have to name your app client, for example, <ThingName-App-GUID>. You could use the AttachPolicy API to attach the Cognito identity to your IoT policy and handle permissions there (i.e. allow connections to <ThingName*>). Using AttachThingPrincipal makes it possible to use policy variables (i.e. evaluate the client ID for connections) but you still must obey the requirement to have unique client IDs.

0

"But I just want to make a Cognito user able to only see the topics uploaded by the device it is bound to, and not be able to subscribe to or see other topics."

answered a year ago
  • This is a separate problem, so you should start a new question instead of asking a question in an answer box - you'd reach more people able to answer you.

    But regardless - what you can do is:

    1. Create IoT policy that will limit actions to topics specific for your device
    2. Attach this policy to device certificate
    3. Use AttachPolicy API to attach this policy to your Cognito identity

    If you want this solution to be scalable and keep track of which Cognito user owns which device, you'd have to back it up with some automation and storage backend (Lambda, fleet provisioning, DynamoDB, API Gateway) depending on your use case, otherwise for testing or single use you can do it using AWS CLI or console.

    This may be a good lecture to start with: https://aws.amazon.com/blogs/iot/scaling-authorization-policies-with-aws-iot-core/
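Added example (not from this thread, and not AWS's own evaluation engine): a small constructed simulation of what the accepted answer and the three-step recipe above describe. One shared IoT policy is written against the thing policy variable ${iot:Connection.Thing.ThingName}; a principal that AttachThingPrincipal has bound to a thing gets the variable resolved to that thing's name, an unbound principal gets nothing and is denied, and a toy broker shows why the device and the app still need distinct client IDs. The variable name and ARN shapes follow the AWS documentation; the account ID, thing names, identity IDs, the Deny-overrides matching and the broker model are assumptions made for the example.

```python
# Added example (not from the re:Post thread or AWS): a constructed simulation
# of how an IoT policy using ${iot:Connection.Thing.ThingName} behaves for a
# principal that is, or is not, attached to a thing via AttachThingPrincipal.
# Variable name and ARN shapes follow the AWS docs; everything else is made up.
import re

REGION = "us-east-1"
ACCOUNT = "123456789012"          # placeholder account ID (constructed)
ARN = f"arn:aws:iot:{REGION}:{ACCOUNT}:"
THING_VAR = "${iot:Connection.Thing.ThingName}"

# Effect of AttachThingPrincipal: principal -> thing name. Constructed data.
THING_PRINCIPALS = {
    "us-east-1:1111aaaa-cognito-identity-sensor-001": "sensor-001",
    "cert:deadbeef-device-sensor-001": "sensor-001",
}

# One IoT policy shared by every device and every app user: the thing
# variable makes it resolve to a per-device policy at connect time.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Connect"],
         "Resource": [ARN + "client/" + THING_VAR,
                      ARN + "client/" + THING_VAR + "-App-*"]},
        {"Effect": "Allow", "Action": ["iot:Subscribe"],
         "Resource": [ARN + "topicfilter/devices/" + THING_VAR + "/*"]},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
         "Resource": [ARN + "topic/devices/" + THING_VAR + "/*"]},
    ],
}


def glob_match(pattern: str, value: str) -> bool:
    """IoT resource matching: '*' is the only wildcard, everything else literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def resolve(resource: str, thing_name):
    """Substitute the thing variable. With no attached thing the variable has
    no value, so a resource that uses it can never match (returns None)."""
    if THING_VAR not in resource:
        return resource
    if thing_name is None:
        return None
    return resource.replace(THING_VAR, thing_name)


def is_allowed(principal: str, action: str, resource_arn: str) -> bool:
    """Deny wins over Allow; no matching statement means implicit deny."""
    thing_name = THING_PRINCIPALS.get(principal)
    allowed = False
    for stmt in POLICY["Statement"]:
        if action not in stmt["Action"]:
            continue
        for resource in stmt["Resource"]:
            pattern = resolve(resource, thing_name)
            if pattern is not None and glob_match(pattern, resource_arn):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


class Broker:
    """Models the one-connection-per-client-ID rule: a new connection with an
    existing client ID displaces the old one (constructed, simplified)."""

    def __init__(self):
        self.sessions = {}   # client_id -> principal currently holding it

    def connect(self, principal: str, client_id: str):
        """Returns (accepted, displaced_principal_or_None)."""
        if not is_allowed(principal, "iot:Connect", ARN + "client/" + client_id):
            return False, None
        displaced = self.sessions.get(client_id)
        self.sessions[client_id] = principal
        return True, displaced


if __name__ == "__main__":
    app = "us-east-1:1111aaaa-cognito-identity-sensor-001"
    device = "cert:deadbeef-device-sensor-001"
    broker = Broker()
    print(broker.connect(device, "sensor-001"))          # (True, None)
    print(broker.connect(app, "sensor-001"))             # (True, device): app kicks the device off
    print(broker.connect(app, "sensor-001-App-1234"))    # (True, None): distinct client ID, no clash
    print(is_allowed(app, "iot:Subscribe", ARN + "topicfilter/devices/sensor-002/#"))  # False
```

The point to take from the run is the scoping: the same policy document grants sensor-001's certificate and its Cognito identity only sensor-001's client ID and topics, the "-App-*" client resource lets the app connect without stealing the device's session, and an identity that was never attached to a thing matches nothing at all. For a real Cognito identity, remember that AWS also evaluates the identity pool role's IAM policy, so both that policy and the IoT policy attached with AttachPolicy must permit the action.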

0

What is the correct approach to limiting a Cognito user to only specific IoT things?

answered a year ago
