AWS IoT test-authorization missing context values


Hello,

This is tangentially related to my question here Permissions for IoT Things and Cognito User/Identity Pools. I am trying to understand why my IoT Core Policy isn't working as expected using aws iot test-authorization, but am getting this error: "missingContextValues": ["cognito-identity.amazonaws.com:sub" ].

Setup

  • I have cognito user ABC, with associated Identity ID us-east-1:xxxxxx-xxxx-xxxx-xxxx-5f7a793d20cb. This identity has the IoT Core Policy test-policy (defined below) attached to it. The identity pool ID is us-east-1:xxxxxxx-xxxx-xxxx-xxxx-fe1a9f14f96b.
  • IAM policy for the Identity Pool allows full access to iot:*
  • IoT Thing named TestThing w/the test-policy (defined below) attached to it.
  • IoT Core Policy (named test-policy):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:sub": "us-east-1:xxxxxx-xxxx-xxxx-xxxx-5f7a793d20cb"
        }
      }
    }
  ]
}

I am running this test:

aws iot test-authorization --principal us-east-1:xxxxxx-xxxx-xxxx-xxxx-5f7a793d20cb --cognito-identity-pool-id us-east-1:xxxxxxx-xxxx-xxxx-xxxx-fe1a9f14f96b --auth-infos actionType=CONNECT,resources=arn:aws:iot:us-east-1:xxxxxxxxxxxxxxxx:client/ABC

However, I am getting this response:

{
    "authResults": [
        {
            "authInfo": {
                "actionType": "CONNECT",
                "resources": [
                    "arn:aws:iot:us-east-1:xxxxxxxxxxxxx:client/ABC"
                ]
            },
            "allowed": {
                "policies": []
            },
            "denied": {
                "implicitDeny": {
                    "policies": [
                        {
                            "policyName": "test-policy",
                            "policyArn": "arn:aws:iot:us-east-1:xxxxxxxxxxxxx:policy/test-policy"
                        }
                    ]
                },
                "explicitDeny": {
                    "policies": []
                }
            },
            "authDecision": "IMPLICIT_DENY",
            "missingContextValues": [
                "cognito-identity.amazonaws.com:sub"
            ]
        }
    ]
}

I would expect this to pass, since the CONNECT action is allowed for everyone. My best guess is that the policy can't properly be evaluated because of the missingContextValues issue, so it returns a deny. When I test this with my Python script, it logs the user in, retrieves credentials and connects to the MQTT server just fine.

Is there a way to provide this context value in the test-authorization call?

Thank you!

  • I believe your issue is that you are trying to use "cognito-identity.amazonaws.com:sub", which is an IAM policy level variable and not an IoT Policy level variable. IoT policies have no idea what "cognito-identity.amazonaws.com:sub" is, and as far as the documentation goes it is not supported at the IoT Policy level. Here are the variables that you can use in IoT Policy - https://docs.aws.amazon.com/iot/latest/developerguide/thing-policy-variables.html
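The missingContextValues entry in the test-authorization response names exactly the context key that the policy's Condition block refers to. The following script, added here as an illustration and not taken from the question, from AWS, or from any AWS SDK, walks an IoT Core policy document and reports, per statement, which context keys must be present before that statement can be evaluated at all. Running it over a copy of the question's test-policy shows that the iot:Connect statement needs no context key while the iot:Publish statement needs cognito-identity.amazonaws.com:sub, which is the one the test call reported missing. The function names (statement_context_keys, per_statement_context, required_context, missing_context) are hypothetical helpers chosen for this example; the policy text is a verbatim copy of the one in the question, including its redacted identity ID.

```python
import json
import re

# Copy of the IoT Core policy from the question. The identity ID is the question's
# own redacted placeholder, not a real Cognito identity.
TEST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect", "Resource": "*"},
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:sub": "us-east-1:xxxxxx-xxxx-xxxx-xxxx-5f7a793d20cb"
        }
      }
    }
  ]
}""")

# Matches ${key} policy-variable references inside Resource / Action strings.
POLICY_VAR_RE = re.compile(r"\$\{([^}]+)\}")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def statement_context_keys(stmt):
    """Context keys one statement needs before it can match:
    every key named under Condition (any operator, e.g. StringEquals),
    plus every ${...} variable used in its Resource or Action strings."""
    keys = set()
    for _operator, block in stmt.get("Condition", {}).items():
        keys.update(block.keys())
    for field in ("Resource", "Action"):
        for text in _as_list(stmt.get(field)):
            keys.update(POLICY_VAR_RE.findall(text))
    return keys


def per_statement_context(policy):
    """Required-key sets, one per statement, in document order."""
    return [statement_context_keys(s) for s in policy.get("Statement", [])]


def required_context(policy):
    """Union of every context key the whole policy depends on."""
    keys = set()
    for stmt_keys in per_statement_context(policy):
        keys |= stmt_keys
    return keys


def missing_context(policy, available_keys):
    """Keys the policy references that the caller cannot supply; the same idea
    as the missingContextValues field in the test-authorization response."""
    return required_context(policy) - set(available_keys)


if __name__ == "__main__":
    for i, keys in enumerate(per_statement_context(TEST_POLICY)):
        action = TEST_POLICY["Statement"][i]["Action"]
        print(f"statement {i} ({action}): needs {sorted(keys) or 'no context keys'}")
    print("missing with no context:", sorted(missing_context(TEST_POLICY, set())))
```

Used before attaching a policy, the per-statement view makes it obvious which statements can only ever match when a given context key is supplied by the connecting principal, so a test call that cannot supply that key is expected to report it as missing.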

No Answers
