How to connect to IoT using MQTT over websocket with Cognito authenticated users?

Captions
Hello everyone, welcome back. In this video I'm going to show you how to authenticate to AWS IoT using SigV4 authentication, but this time I'm going to use credentials from Cognito instead of directly using AWS credentials from an IAM user. So just to recap a bit: I had created a video some time back which shows how to connect to AWS IoT with MQTT with X.509 certificate based authentication, so that's one way you can do it. The other way you can do it is using Signature Version 4 authentication, which uses AWS credentials. Now in that video we directly used the credentials of the IAM user that we created from the IAM service in the AWS console. In this video what I'm going to show is: I'm going to use the same AWS Signature Version 4 authentication, but instead of directly using AWS IAM credentials from the programmatic user that was created, this time I'm going to use the credentials from an identity pool.

So let me go ahead and explain how this is going to work. First we have a user pool which will have a user in it. We will first authenticate using that user to get an ID token. Next, we will exchange that ID token with an identity pool which uses the same user pool as the authentication provider, and we will basically exchange that ID token to get temporary AWS credentials that will have permissions to do the IoT publish and subscribe. Those credentials will include your secret key, access key and a session token. We will use those to connect to IoT and then publish and subscribe.

I have already created another video which shows how you can create an identity pool and a user pool and how you can use the temporary credentials, so if you do want to check that out you can check out that video, which is "How to use AWS Cognito service"; it's all there on my YouTube channel, which is Open Source For Geeks. But let me go ahead and quickly show that to you. So let me go to cognito_utils. I showed this in the earlier video but I'm just going to show you one more time: this is going to print three things, which is the secret key, the access key and then the session token that we are going to use for SigV4 authentication. So let's just see that this works fine. Again I'm not going to explain this code to you; if you wish to understand how this is working you can refer to the video that I created just before this. So you can see that all three things are created.

Now let's try to understand how SigV4 is going to work with our Cognito credentials. I already mentioned how we are going to get the temporary AWS credentials from the Cognito user pool and identity pool and how we are going to use them to configure or connect to IoT, but there are a couple more things that are required to connect to IoT. If you see my video which was around AWS Signature V4 authentication, I explained this a bit, but I will try to explain it one more time. Now if you directly use AWS credentials from an IAM user it's straightforward: as long as the IAM policy that corresponds to that IAM user allows you to connect to IoT, everything works fine. But now if you are trying to use Cognito to get an ID token from the user pool and then exchange it with the identity pool to get temporary AWS credentials, you need a couple of things. First, you need those policies in the IAM policy which is assigned to the role that corresponds to the authenticated identity of your identity pool. So when you talk about an identity pool there are essentially two roles that get created, one corresponding to the authenticated identities and the second corresponding to the unauthenticated identities. Obviously it's optional for you to allow unauthenticated login to your identity pool, but if you do provide that, it is possible. So if you have unauthenticated identities allowed then you need not worry about anything: you just get temporary credentials using the unauthenticated identity and everything works fine. However, if you have authenticated identities there is a set of steps that you need to follow. First, you need to have the corresponding permissions in the IAM policy that corresponds to the authenticated role of your identity pool. Second, you need to call AWS IoT AttachPrincipalPolicy on the Cognito identity that gets created in your identity pool. And the third thing is that when you attach that policy to the identity, that policy should have the permission to do the IoT stuff. So there are three things that are required. Let's go ahead and see how it works.

Before we see that, let me go ahead and show you the code. If you see, this is the same code that I ran, and you can see it uses the same set of logic for SigV4 authentication; the only change is that it is now also using the session token, which it gets from the credentials which we get from cognito_utils. So we already ran this standalone cognito_utils and we saw it returns the temporary credentials. So if I run this it is going to print the same stuff, which is the access key, the secret key and the session token, and then it is trying to connect, and this is going to fail. Okay, so we saw that this failed, and this is because obviously we have not followed the exact steps. Like I said, we need to have the corresponding policies in the authenticated role, since we are using authenticated identities in the identity pool; second we need to do an AttachPrincipalPolicy; and third the policy that we attach to the identity should have that particular permission.

So let's go back to our console. Let's first go to IAM; in fact, even before we go there, let's go to our Cognito and let's see the identity. So let's go to the identity pool, and this is the identity pool, which is my identity pool, and what I'm going to do is go to the identity browser. You can see that the identity is already created because we executed cognito_utils and that creates an identity, but this identity is not yet associated with the principal policy that we created. So let's go back to the dashboard, and you can go to edit policy and you can see that its name is my identity pool. So let's go to IAM now, let's go to roles, and here I will search for my identity pool, and you can see it has an auth role and an unauth role. And if you go to your identity pool again, so let me do an edit identity pool again, you can see that unauthenticated identities are currently not checked, so unauthenticated identities cannot exchange tokens or use this identity pool to get temporary AWS credentials; so we need authenticated identities only. So let's go back to this role. This is the authenticated role that we are looking for. Currently it just has mobile analytics, Cognito sync and Cognito identity, so we need AWS IoT related policies here. You can edit this to a fine-grained policy, but just to save time what I'm going to do is attach a policy, so let's just attach the AdministratorAccess policy. Again, this is not a good practice and definitely this is something that you should not do in production; essentially, when you exchange tokens from the identity the temporary tokens will have access to do anything, because we are currently giving administrator access. So this is something that you do not want to do in production; you need to create a custom policy with fine-grained permissions, but for now let's just use AdministratorAccess and let's see if this works. So let's go ahead and try to run this one more time. Again this is not going to work because we haven't done the second step, which is AttachPrincipalPolicy, but I just want to show you each step so that you understand how it actually works. So again this is going to fail; there we go, so it failed.

So let's go to our IoT now, and we will see that our identity is not yet attached with the policy that is created. So if you go to Secure, and let's go to Certificates, let's go to Policies: this is the policy, and you can see currently it is associated with a single certificate. We need another entry here which is nothing but the identity, so for that we need to execute a command called AttachPrincipalPolicy. You could either do it from the code, for which you have to create an AttachPrincipalPolicyRequest and then use iot.attachPrincipalPolicy to attach the policy, or what you can do is run this command. Now to run this command you need to run aws iot attach-principal-policy, then you have to define the principal. Now where do you get this principal? For this you need to have the identity already created; so if you go to IAM, sorry not IAM, if you go to identity you can go to the identity browser and you can see that the identity is already created and this is your identity ID. So just copy this, and once you copy this just paste it here. Okay, and once you paste it the next thing that you need is the policy name. This is the policy with which you need to associate your principal ID, so if you go back to your IoT and if you go to policy, this is the thing policy, this is the name, so we are good here. So let's go ahead and copy this and execute it from our console or command line. Again you also need the region where you need to execute: if you see this is North Virginia, which is us-east-1, so I have provided that. And I have multiple profiles configured on my local machine, which is why I'm giving a specific profile which corresponds to this particular account. So let me go ahead and open a console and I'm going to run this command, and this should run fine, and let's see. All right, so there we go, so it worked fine. So let's go ahead and refresh this, and we should see another entry here which corresponds to the identity. So let's go to certificates and there we go: you can see it says Cognito identity, and it says to see the details of this identity go to the Amazon Cognito console, which we just did. So when we go to the Cognito console and you go to the identity browser you can see the identity corresponding to this, and in fact if you click on this you should be able to see the linked login, which is cognito-idp.

So now that we have associated the Cognito identity with the policy, our second step is done. Now the third step is to make sure your policy has all the permissions. Now since we have already configured it for our previous demos I'm not going to touch it, but essentially it is going to allow thing client one: connect as the client, publish on topic one, subscribe on topic one and receive on topic one. And that's exactly what we are doing: we have a client ID called thing client one, we have a topic called topic one and stuff like that. So hopefully all our setup is now done. So let's go ahead and try to run, and this time it should work fine. So let's give that a try, and okay, so it got credentials, and there we go, so it has subscribed and you can see it says message received: hello world.

So just to give you a summary of what we have done so far: we created a user in the user pool, we authenticated to get an ID token, and then we used that ID token to exchange with the identity pool to get temporary AWS credentials, and those credentials correspond to the role that you associate with the authenticated identities that we saw in IAM. Once you get that you can use those credentials to basically connect to IoT; however, before you do that you need to make sure you call the AttachPrincipalPolicy API. You can either do it using code, where you attach the Cognito ID with the principal policy; so this is the Cognito identity ID that we got from the identity pool identity browser, and we attach it to the IoT policy called thing policy. Once that is done you should essentially be able to use your authenticated Cognito credentials, the temporary credentials that you got, to connect to IoT and use it. So I hope that cleared up a lot of things for you. If you use unauthenticated identities in an identity pool then you do not have to do that: you do not need a policy for the authenticated role, you do not need AttachPrincipalPolicy, you do not need an IoT policy as well. However, if you use authenticated identities then you need to follow these three steps in order to connect to IoT and successfully do publish and subscribe on the topics. So let me know if you have any questions. Thank you.
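The video's code is not shown on this page, so the following is an added example (not the presenter's cognito_utils or connection script) of the one piece of the flow that runs entirely offline: building the SigV4-presigned wss://.../mqtt URL for AWS IoT with temporary credentials. It follows the AWS IoT developer guide's WebSocket signing procedure (service name iotdevicegateway, only the host header signed, empty payload hash). The point the video makes about the session token is visible in the code: the X-Amz-Security-Token parameter is appended to the URL only after the signature is computed, so the signature is identical with or without it. The endpoint, access key, secret key, session token and timestamp are constructed placeholders, not values from the video.

```python
"""SigV4-presigned wss:// URL for AWS IoT MQTT over WebSocket (added example).

Assumptions (not from the video): the endpoint, access key, secret key and
session token are constructed placeholders; the signing steps follow the
AWS IoT developer guide for WebSocket connections, where the session token
of temporary (Cognito identity pool) credentials is appended to the URL
only AFTER the signature has been computed.
"""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

SERVICE = "iotdevicegateway"  # SigV4 service name for the IoT data plane
ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """Derive the SigV4 signing key: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, SERVICE)
    return _hmac_sha256(k_service, "aws4_request")


def _uri_encode(value: str) -> str:
    # SigV4 requires RFC 3986 encoding: only unreserved characters stay literal,
    # so the '/' separators inside X-Amz-Credential become %2F.
    return quote(value, safe="-_.~")


def presigned_mqtt_url(endpoint, region, access_key, secret_key,
                       session_token=None, now=None):
    """Return a wss://<endpoint>/mqtt URL presigned with SigV4 query parameters."""
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"

    # Canonical query string: parameters in sorted key order. The session
    # token is deliberately NOT part of what gets signed.
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-SignedHeaders": "host",
    }
    canonical_query = "&".join(
        f"{_uri_encode(k)}={_uri_encode(v)}" for k, v in sorted(params.items())
    )
    payload_hash = hashlib.sha256(b"").hexdigest()  # empty body for a GET
    canonical_request = "\n".join([
        "GET", "/mqtt", canonical_query,
        f"host:{endpoint}\n",   # canonical headers block ends with a newline
        "host",                 # signed headers list
        payload_hash,
    ])
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    url = f"wss://{endpoint}/mqtt?{canonical_query}&X-Amz-Signature={signature}"
    if session_token:
        # Temporary credentials (Cognito identity pool / STS): the token is
        # appended after signing, so it never enters the canonical request.
        url += "&X-Amz-Security-Token=" + _uri_encode(session_token)
    return url


def query_params(url):
    """Split a URL's query string into (ordered key list, key->value dict)."""
    pairs = [part.split("=", 1) for part in url.split("?", 1)[1].split("&")]
    return [k for k, _ in pairs], dict(pairs)


def build_demo_urls():
    """Sign the same request with and without a session token at a fixed time."""
    fixed_time = datetime(2019, 3, 2, 12, 0, 0, tzinfo=timezone.utc)
    common = dict(
        endpoint="EXAMPLE-ats.iot.us-east-1.amazonaws.com",  # constructed placeholder
        region="us-east-1",
        access_key="AKIADEMOACCESSKEY",                       # constructed placeholder
        secret_key="DEMO-SECRET-KEY-NOT-REAL",                # constructed placeholder
        now=fixed_time,
    )
    return (presigned_mqtt_url(**common),
            presigned_mqtt_url(session_token="DEMO-SESSION-TOKEN", **common))


if __name__ == "__main__":
    for url in build_demo_urls():
        print(url)
```

The URL is handed to an MQTT client that supports the WebSocket transport (with paho-mqtt, for instance, the path and query go to ws_set_options and the client connects to the endpoint on port 443 over TLS). A valid signature is only half of what the video demonstrates: the connection still fails until the identity pool's authenticated role carries an IoT policy, the Cognito identity has been attached to an IoT policy with aws iot attach-principal-policy, and that IoT policy grants connect, publish, subscribe and receive for the client ID and topic in use.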
Info
Channel: Open Source For Geeks
Views: 3,861
Keywords: AWS, Cognito, MQTT, IoT, user pool, identity pool, websocket, IAM, Role, Policy, Certificate
Id: j2KJVHGHaFc
Length: 13min 52sec (832 seconds)
Published: Sat Mar 02 2019