Exchanging AWS Cognito token to get AWS temporary credentials for publishing to AWS IoT Core MQTT topic

[Vijay-Karthick]

Hi,

I'm able to login using my Cognito user credentials and get access token successfully. How do I use the credentials object returned from SRP auth flow to create AWS IoT client object? I'm thinking there has to be a way to get temporary access key ID, secret access key and access token using the token that I get from Cognito, right?

On a different path, I've been able to use my access key ID, secret access key and access token that I generated for an admin user in my account to successfully publish to AWS IoT core topics. However, I'm looking to achieve the same using credentials obtained from my Cognito user pool.

Please note that the Auth role for Cognito has access to iot:* for all resources in my account already.

Here's the code that works fine (using my admin access credentials):

AmazonIotDataConfig amazonIotDataConfig = new AmazonIotDataConfig();
amazonIotDataConfig.RegionEndpoint = Amazon.RegionEndpoint.USEast1;
amazonIotDataConfig.UseHttp = false;
amazonIotDataConfig.SignatureVersion = "4";
amazonIotDataConfig.ServiceURL = amazonIotDataConfig.DetermineServiceURL();

AmazonIotDataClient amazonIotDataClient = new AmazonIotDataClient(<ACCESS_KEY_ID>, <SECRET_ACCESS_KEY>, <ACCESS_TOKEN>, amazonIotDataConfig);

string jsonString = "{ \"MotorOn\" : true, \"PumpOn\" : false, \"EmergencyStop\" : false}";
MemoryStream memStream = new MemoryStream(Encoding.UTF8.GetBytes(jsonString ?? string.Empty));

PublishRequest publishRequest = new PublishRequest();
publishRequest.Qos = 0;
publishRequest.Payload = memStream;
publishRequest.Topic = "PLC/DEMO";

await amazonIotDataClient.PublishAsync(publishRequest);

And here's the code that I'm trying to make work (using Cognito user credentials):

const string IdentityPool = ""; //insert Identity Pool ID, found when you click Edit Identity Pool
const string AppClientID = ""; //insert App client ID, found under App Client Settings
const string userPoolId = ""; //insert your Cognito User Pool ID, found under General Settings
private AmazonCognitoIdentityProviderClient _provider;
_provider = new AmazonCognitoIdentityProviderClient(new Amazon.Runtime.AnonymousAWSCredentials(), Region);
private CognitoAWSCredentials _cognitoAWSCredentials;

public async Task<bool> Login(string email, string password)
{
    CognitoUserPool userPool = new CognitoUserPool(userPoolId, AppClientID, _provider);
    CognitoUser user = new CognitoUser(email, AppClientID, userPool, _provider);

    InitiateSrpAuthRequest authRequest = new InitiateSrpAuthRequest()
    {
        Password = password
    };

    try
    {
        AuthFlowResponse authFlowResponse = await user.StartWithSrpAuthAsync(authRequest).ConfigureAwait(false);

        // This how you get credentials to use for accessing other services.
        // This IdentityPool is your Authorization, so if you tried to access using an
        // IdentityPool that didn't have the policy to access your target AWS service, it would fail.
        _cognitoAWSCredentials = user.GetCognitoAWSCredentials(IdentityPool, Region);

        return true;
    }
    catch (Exception e)
    {
        Debug.Log("Login failed, exception: " + e);
        return false;
    }
}
 
AmazonIotDataConfig amazonIotDataConfig = new AmazonIotDataConfig();
amazonIotDataConfig.RegionEndpoint = Amazon.RegionEndpoint.USEast1;
amazonIotDataConfig.UseHttp = false;
amazonIotDataConfig.SignatureVersion = "4";
amazonIotDataConfig.ServiceURL = amazonIotDataConfig.DetermineServiceURL();

AmazonIotDataClient amazonIotDataClient = new AmazonIotDataClient(_cognitoAWSCredentials, amazonIotDataConfig);

string jsonString = "{ \"MotorOn\" : true, \"PumpOn\" : false, \"EmergencyStop\" : false}";
MemoryStream memStream = new MemoryStream(Encoding.UTF8.GetBytes(jsonString ?? string.Empty));

PublishRequest publishRequest = new PublishRequest();
publishRequest.Qos = 0;
publishRequest.Payload = memStream;
publishRequest.Topic = "PLC/DEMO";

await amazonIotDataClient.PublishAsync(publishRequest);

All I get is an error message:
HttpErrorResponseException: Exception of type 'Amazon.Runtime.Internal.HttpErrorResponseException' was thrown.
Amazon.Runtime.HttpWebRequestMessage.GetResponseAsync (System.Threading.CancellationToken cancellationToken) (at <4fd24cad161649c1938dc3d09eade6ff>:0)
Amazon.Runtime.Internal.HttpHandler1[TRequestContent].InvokeAsync[T] (Amazon.Runtime.IExecutionContext executionContext) (at <4fd24cad161649c1938dc3d09eade6ff>:0) Amazon.Runtime.Internal.Unmarshaller.InvokeAsync[T] (Amazon.Runtime.IExecutionContext executionContext) (at <4fd24cad161649c1938dc3d09eade6ff>:0) Amazon.Runtime.Internal.ErrorHandler.InvokeAsync[T] (Amazon.Runtime.IExecutionContext executionContext) (at <4fd24cad161649c1938dc3d09eade6ff>:0) Rethrow as AmazonIotDataException: Forbidden Amazon.Runtime.Internal.HttpErrorResponseExceptionHandler.HandleExceptionStream (Amazon.Runtime.IRequestContext requestContext, Amazon.Runtime.Internal.Transform.IWebResponseData httpErrorResponse, Amazon.Runtime.Internal.HttpErrorResponseException exception, System.IO.Stream responseStream) (at <4fd24cad161649c1938dc3d09eade6ff>:0) Amazon.Runtime.Internal.HttpErrorResponseExceptionHandler.HandleExceptionAsync (Amazon.Runtime.IExecutionContext executionContext, Amazon.Runtime.Internal.HttpErrorResponseException exception) (at <4fd24cad161649c1938dc3d09eade6ff>:0) Amazon.Runtime.Internal.ExceptionHandler1[T].HandleAsync (Amazon.Runtime.IExecutionContext executionContext, System.Exception exception) (at <4fd24cad161649c1938dc3d09eade6ff>:0)
Amazon.Runtime.Internal.ErrorHandler.ProcessExceptionAsync (Amazon.Runtime.IExecutionContext executionContext, System.Exception exception) (at <4fd24cad161649c1938dc3d09eade6ff>:0)
Amazon.Runtime.Internal.ErrorHandler.InvokeAsync[T] (Amazon.Runtime.IExecutionContext executionContext) (at <4fd24cad161649c1938dc3d09eade6ff>:0)
Amazon.Runtime.Internal.CallbackHandler.InvokeAsync[T] (Amazon.Runtime.IExecutionContext executionContext) (at <4fd24cad161649c1938dc3d09eade6ff>:0)
Amazon.Runtime.Internal.Signer.InvokeAsync[T] (Amazon.Runtime.IExecutionContext executionContext) (at <4fd24cad161649c1938dc3d09eade6ff>:0)
Amazon.Runtime.Internal.EndpointDiscoveryHandler.InvokeAsync[T] (Amazon.Runtime.IExecutionContext executionContext) (at <4fd24cad161649c1938dc3d09eade6ff>:0)
Amazon.Runtime.Internal.EndpointDiscoveryHandler.InvokeAsync[T] (Amazon.Runtime.IExecutionContext executionContext) (at <4fd24cad161649c1938dc3d09eade6ff>:0)
Amazon.Runtime.Internal.CredentialsRetriever.InvokeAsync[T] (Amazon.Runtime.IExecutionContext executionContext) (at <4fd24cad161649c1938dc3d09eade6ff>:0)
Amazon.Runtime.Internal.RetryHandler.InvokeAsync[T] (Amazon.Runtime.IExecutionContext executionContext) (at <4fd24cad161649c1938dc3d09eade6ff>:0)
Amazon.Runtime.Internal.RetryHandler.InvokeAsync[T] (Amazon.Runtime.IExecutionContext executionContext) (at <4fd24cad161649c1938dc3d09eade6ff>:0)
Amazon.Runtime.Internal.CallbackHandler.InvokeAsync[T] (Amazon.Runtime.IExecutionContext executionContext) (at <4fd24cad161649c1938dc3d09eade6ff>:0)
Amazon.Runtime.Internal.CallbackHandler.InvokeAsync[T] (Amazon.Runtime.IExecutionContext executionContext) (at <4fd24cad161649c1938dc3d09eade6ff>:0)
Amazon.Runtime.Internal.ErrorCallbackHandler.InvokeAsync[T] (Amazon.Runtime.IExecutionContext executionContext) (at <4fd24cad161649c1938dc3d09eade6ff>:0)
Amazon.Runtime.Internal.MetricsHandler.InvokeAsync[T] (Amazon.Runtime.IExecutionContext executionContext) (at <4fd24cad161649c1938dc3d09eade6ff>:0)
Buttons.onPublishClicked () (at Assets/Scripts/Buttons.cs:99)
System.Runtime.CompilerServices.AsyncMethodBuilderCore+<>c.b__7_0 (System.Object state) (at :0)
UnityEngine.UnitySynchronizationContext+WorkRequest.Invoke () (at /home/bokken/build/output/unity/unity/Runtime/Export/Scripting/UnitySynchronizationContext.cs:153)
UnityEngine.UnitySynchronizationContext.Exec () (at /home/bokken/build/output/unity/unity/Runtime/Export/Scripting/UnitySynchronizationContext.cs:83)
UnityEngine.UnitySynchronizationContext.ExecuteTasks () (at /home/bokken/build/output/unity/unity/Runtime/Export/Scripting/UnitySynchronizationContext.cs:107)

[ashishdhingra]

@Vijay-Karthick Have you tried referencing IAM roles and Role-based access control? Does the role that authenticated users assume have sufficient permissions?

Thanks,
Ashish

[Vijay-Karthick]

Hi Ashish,

I figured out the root cause. For IoT specifically, Cognito identities will need to be given permissions (RBAC) via IoT Policies.
Solution:

1. Create your thing
2. Create a policy with the required iot permissions. I used iot:publish to the required topics and iot:connect to the above thing.
3. Use AWS CLI to attach the above policy with the Cognito Identity principal, using:
   aws iot attach-principal-policy --principal --policy-name "" --region
4. You should now see the cognito identity IDs listed under targets of the above created policy, along with your thing certificate - that was also created above

Kind regards,
Vijay

[Vijay-Karthick]

You can close this case.