Using AWS IoT Core policy variables won't work (Cognito) #139

Closed
1 task done
tivaliy opened this issue Jan 11, 2021 · 10 comments
Labels
automation-exempt This issue will not be closed by autoclose action feature-request A feature should be added or improved. p2 This is a standard priority issue

Comments

tivaliy commented Jan 11, 2021

  • I've searched for previous similar issues and didn't find any solution

Platform/OS/Device
macOS Catalina, python3.8

Describe the question
I faced a weird behaviour using the SDK and policy variables. The problem is that when I use AWS IoT Core policy variables, I'm not even able to connect to the IoT service.

Steps:

  1. Create a thing in AWS IoT Registry, e.g. dummy (without any certificates).
  2. Create a policy document:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:us-east-1:XXXXXXXX:client/${iot:Connection.Thing.ThingName}"
      ]
    }
  ]
}
  3. Attach a principal to the policy.
  4. Configure IAM roles.
  5. ...

Then I'm trying to connect:

from awscrt import auth, io
from awsiot import mqtt_connection_builder

# host, client_bootstrap, credentials_provider, path_to_file and the two
# callbacks are prepared earlier (elided in the report)
mqtt_connection = mqtt_connection_builder.websockets_with_default_aws_signing(
    endpoint=host,
    client_bootstrap=client_bootstrap,
    region='us-east-1',
    credentials_provider=credentials_provider,
    websocket_proxy_options=None,
    ca_filepath=path_to_file,
    on_connection_interrupted=on_connection_interrupted,
    on_connection_resumed=on_connection_resumed,
    client_id='dummy',
    clean_session=False,
    keep_alive_secs=6)

connect_future = mqtt_connection.connect()
connect_future.result()

with the following result:

AwsCrtError: AwsCrtError(name='AWS_ERROR_MQTT_UNEXPECTED_HANGUP', message='The connection was closed unexpectedly.', code=5134)

However, when I change the policy document to a "hardcoded" thing name value (dummy) it works:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:us-east-1:XXXXXXXX:client/dummy"
      ]
    }
  ]
}
@tivaliy tivaliy added guidance Question that needs advice or information. needs-triage This issue or PR still needs to be triaged. labels Jan 11, 2021
jmklix (Member) commented Jan 12, 2021

Could you explain step 4 more. I attempted to reproduce the same error you're getting, but I was unable to. It might be on my end, because I changed an already working pub_sub and might have forgotten to change something.

@jmklix jmklix added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 2 days. and removed needs-triage This issue or PR still needs to be triaged. labels Jan 12, 2021
tivaliy (Author) commented Jan 12, 2021

@jmklix, I forgot to specify that I'm using Cognito User Pools to communicate with AWS IoT Core. So in step 4 I'm adding the AWS IoT-specific permission (AWSIoTDataAccess in particular) to the IAM role policy for the authenticated pool. And here is my credentials_provider:

from awscrt import auth

# temporary credentials obtained from Cognito Identity (see the auth flow below)
credentials_provider = auth.AwsCredentialsProvider.new_static(access_key_id, secret_access_key, session_token=session_token)

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 2 days. label Jan 12, 2021
jmklix (Member) commented Jan 13, 2021

I'm still a little confused about how you set this up. Did you follow this guide or are you generating a session token like shown here?

@jmklix jmklix added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 2 days. label Jan 13, 2021
@jmklix jmklix self-assigned this Jan 13, 2021
tivaliy (Author) commented Jan 13, 2021

Yeah, in my case I use an approach that is similar to the first link you've provided; here are some code snippets using boto3 for the auth flow:

import boto3

# CognitoIdentityProvider
cognito_idp_client = boto3.client('cognito-idp')

auth_data = {'USERNAME': '[email protected]', 'PASSWORD': 'not-a-secret', 'SECRET_HASH': 'some-secret-hash-value'}
app_client_id = "6aXXXXXXXXXXXXXXX"

response = cognito_idp_client.initiate_auth(AuthFlow='USER_PASSWORD_AUTH', AuthParameters=auth_data, ClientId=app_client_id)
id_token = response['AuthenticationResult']['IdToken']

# CognitoIdentity
cognito_identity_client = boto3.client('cognito-identity')

cognito_idp = 'cognito-idp.us-east-1.amazonaws.com/us-east-1_XXXXXXXXX'
identity_pool_id = 'us-east-1:a01e51c1-XXXX-XXXX-XXXX-XXXXXXXXXXXX'

response = cognito_identity_client.get_id(IdentityPoolId=identity_pool_id, Logins={cognito_idp: id_token})
identity_id = response['IdentityId']

response = cognito_identity_client.get_credentials_for_identity(IdentityId=identity_id, Logins={cognito_idp: id_token})

# temporary AWS credentials for the Cognito identity's authenticated role
creds = response['Credentials']
access_key_id, secret_access_key, session_token = creds['AccessKeyId'], creds['SecretKey'], creds['SessionToken']

Now let's connect to AWS IoT.
FYI:

  1. AWS IoT-specific permission already attached (AWSIoTDataAccess in particular) to the IAM role policy for the authenticated pool
  2. Pre-created IoT policy was attached to the principal, i.e.: aws iot attach-principal-policy --policy-name 'demo-policy' --principal 'us-east-1:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'
...
from awscrt import auth
from awsiot import mqtt_connection_builder

client_id = 'dummy'
credentials_provider = auth.AwsCredentialsProvider.new_static(access_key_id, secret_access_key, session_token=session_token)
...
# Prepare data for mqtt_connection_builder
...
...
mqtt_connection = mqtt_connection_builder.websockets_with_default_aws_signing(
    endpoint=host,
    client_bootstrap=client_bootstrap,
    region='us-east-1',
    credentials_provider=credentials_provider,
    websocket_proxy_options=None,
    ca_filepath=path_to_root,
    on_connection_interrupted=on_connection_interrupted,
    on_connection_resumed=on_connection_resumed,
    client_id=client_id,
    clean_session=False,
    keep_alive_secs=6)
connect_future = mqtt_connection.connect()
connect_future.result()

and the result is:

AwsCrtError: AwsCrtError(name='AWS_ERROR_MQTT_UNEXPECTED_HANGUP', message='The connection was closed unexpectedly.', code=5134)

However, it works if I specify the policy in the following manner (with an explicit client_id value rather than a policy variable):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:us-east-1:XXXXXXXX:client/dummy"
      ]
    }
  ]
}

Even more, if I create a policy with the Cognito Identity Id policy variable ${cognito-identity.amazonaws.com:sub}, I am able to connect to AWS IoT with client_id equal to the Cognito Identity value:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:us-east-1:149117197771:client/${cognito-identity.amazonaws.com:sub}"
      ]
    }
  ]
}

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 2 days. label Jan 13, 2021
jmklix (Member) commented Feb 2, 2021

Sorry for the slow response, but I haven't been able to get it working. I have also noticed that we don't currently support the v2 SDKs with Cognito yet. I will change this to a feature request so we can make sure to update you when we implement it.

@jmklix jmklix added feature-request A feature should be added or improved. and removed guidance Question that needs advice or information. labels Feb 2, 2021
@jmklix jmklix changed the title Using AWS IoT Core policy variables won't work Using AWS IoT Core policy variables won't work (Cognito) Feb 2, 2021
@jmklix jmklix removed their assignment Feb 5, 2021
github-actions bot commented Feb 5, 2022

Greetings! Sorry to say but this is a very old issue that is probably not getting as much attention as it deserves. We encourage you to check if this is still an issue in the latest release and if you find that this is still a problem, please feel free to open a new one.

@github-actions github-actions bot added closing-soon This issue will automatically close in 5 days unless further comments are made. closed-for-staleness and removed closing-soon This issue will automatically close in 5 days unless further comments are made. labels Feb 5, 2022
@jmklix jmklix reopened this Feb 24, 2022
@jmklix jmklix added automation-exempt This issue will not be closed by autoclose action and removed closed-for-staleness labels Feb 25, 2022
sverraest commented
Any update on this issue? We're facing the same.

@jmklix jmklix added the p2 This is a standard priority issue label Nov 9, 2022
n8o commented Feb 9, 2024

https://docs.aws.amazon.com/iot/latest/developerguide/thing-policy-variables.html

When you're replacing thing names with thing policy variables, the value of clientId in the MQTT connect message or the TLS connection must exactly match the thing name
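The comment above quotes the one rule the documentation states for thing policy variables: the MQTT clientId must exactly match the thing name. The following is an added example, not code from the aws-iot-device-sdk-python-v2 project or from the issue author. It is an offline model of how the three policies posted earlier in this thread are evaluated for an iot:Connect request, and it encodes my reading of the AWS IoT documentation as assumptions: `${iot:Connection.Thing.ThingName}` resolves only when the clientId names a thing that the connecting principal (here, the Cognito identity) has been attached to with attach-thing-principal, `${cognito-identity.amazonaws.com:sub}` resolves to the Cognito identity ID, and a statement whose resource contains an unresolvable variable simply does not match. The account ID and identity IDs are placeholders, and the IAM role policy that Cognito also evaluates is out of scope. The last two scenarios show why the variable form is worth fixing rather than hardcoding: a hardcoded `client/dummy` lets any identity holding the policy connect under that client ID, while the variable form ties the client ID to the identity's own thing.

```python
"""Offline model of AWS IoT Core policy-variable resolution for iot:Connect.

Added example; assumptions (not verified against the service): the rules
for ${iot:Connection.Thing.ThingName}, ${cognito-identity.amazonaws.com:sub}
and ${iot:ClientId} implemented in resolve_resource() below.
"""
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

REGION = "us-east-1"
ACCOUNT = "123456789012"  # placeholder account ID, not the one in the issue
IDENTITY_A = "us-east-1:aaaaaaaa-0000-0000-0000-000000000001"  # constructed
IDENTITY_B = "us-east-1:bbbbbbbb-0000-0000-0000-000000000002"  # constructed

VARIABLE = re.compile(r"\$\{([^}]+)\}")


def connect_policy(client_resource):
    """Build the single-statement iot:Connect policy shape used in the issue."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "iot:Connect",
                           "Resource": [f"arn:aws:iot:{REGION}:{ACCOUNT}:client/{client_resource}"]}]}


THING_NAME_POLICY = connect_policy("${iot:Connection.Thing.ThingName}")
HARDCODED_POLICY = connect_policy("dummy")
COGNITO_SUB_POLICY = connect_policy("${cognito-identity.amazonaws.com:sub}")


@dataclass
class Connection:
    client_id: str
    principal: str  # Cognito identity ID performing the connect
    # registry state: thing name -> principals attached via attach-thing-principal
    thing_principals: dict = field(default_factory=dict)


def resolve_resource(resource, conn):
    """Substitute policy variables; return None if any variable cannot resolve."""
    unresolved = False

    def substitute(match):
        nonlocal unresolved
        name = match.group(1)
        if name == "iot:ClientId":
            return conn.client_id
        if name == "cognito-identity.amazonaws.com:sub":
            return conn.principal
        if name == "iot:Connection.Thing.ThingName":
            # Assumed rule: only a thing named exactly like the clientId and
            # attached to the connecting principal yields a value.
            if conn.principal in conn.thing_principals.get(conn.client_id, set()):
                return conn.client_id
        unresolved = True
        return match.group(0)

    resolved = VARIABLE.sub(substitute, resource)
    return None if unresolved else resolved


def as_list(value):
    return value if isinstance(value, list) else [value]


def is_connect_allowed(policy, conn):
    """Evaluate iot:Connect for conn against one IoT policy (an explicit Deny wins)."""
    requested = f"arn:aws:iot:{REGION}:{ACCOUNT}:client/{conn.client_id}"
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase("iot:Connect", a) for a in as_list(stmt["Action"])):
            continue
        for resource in as_list(stmt["Resource"]):
            resolved = resolve_resource(resource, conn)
            if resolved is not None and fnmatchcase(requested, resolved):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def issue_scenarios():
    """The three policies from the thread, the attach-thing-principal fix, and
    what each policy lets a second identity do with the same client ID."""
    no_attachment = {}                    # thing "dummy" exists, nothing attached to it
    attached = {"dummy": {IDENTITY_A}}    # after attaching identity A to thing "dummy"
    return {
        "thing-var, identity not attached": is_connect_allowed(
            THING_NAME_POLICY, Connection("dummy", IDENTITY_A, no_attachment)),
        "hardcoded client/dummy": is_connect_allowed(
            HARDCODED_POLICY, Connection("dummy", IDENTITY_A, no_attachment)),
        "cognito sub as clientId": is_connect_allowed(
            COGNITO_SUB_POLICY, Connection(IDENTITY_A, IDENTITY_A, no_attachment)),
        "thing-var, identity attached": is_connect_allowed(
            THING_NAME_POLICY, Connection("dummy", IDENTITY_A, attached)),
        "thing-var, other identity as dummy": is_connect_allowed(
            THING_NAME_POLICY, Connection("dummy", IDENTITY_B, attached)),
        "hardcoded, other identity as dummy": is_connect_allowed(
            HARDCODED_POLICY, Connection("dummy", IDENTITY_B, attached)),
    }


if __name__ == "__main__":
    for name, ok in issue_scenarios().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {name}")
```

Under these assumptions the reporter's first policy is denied because thing "dummy" was created without any principal attached to it, so the variable never resolves and the CONNECT is rejected with the unexpected-hangup error seen in the thread; attaching the Cognito identity to the thing (and keeping client_id equal to the thing name) is the check to perform before concluding the SDK is at fault. A real deployment must also grant iot:Connect in the IAM role of the authenticated identity pool, which this model does not evaluate.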

bretambrose (Contributor) commented Feb 9, 2024

The SDKs do not have any control over policy variables, checking, or substitution. This would be a question better suited for the AWS forums or a support contact.

github-actions bot commented Feb 9, 2024

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
