I am working on an app where I need to track the changes of some devices and show those in the frontend.

For the user login I'm using Cognito, and I'm getting the credentials after login. I already know the credentials are valid because I connected to AWS DynamoDB using the same credentials.

Now I want to register an aws.iot device with the same Cognito credentials.

I'm following https://github.com/aws/aws-iot-device-sdk-js

I checked with some static credentials of an AWS user, like:

    client.device = awsIot.device({
        clientId: clientID,
        host: host,
        accessKeyId: AccessKeyId,
        secretKey: secretKey,
        protocol: 'wss'
    });

And this works fine.

Then I tried the same using the AWS Cognito accessKeyId and secretKey, but this time I got a 403.

I checked "connect to AWS IoT using web socket with Cognito authenticated users", but it didn't help.

My current code is like:

    var awsIot = require('aws-iot-device-sdk');

    AWS.config.credentials.get(() => {
        const IoT = new AWS.Iot();
        IoT.attachPrincipalPolicy({
            policyName: 'PubSub',
            principal: AWS.config.credentials.identityId
        }, (err, res) => {
            if (err) {
            } else {
                let credential;
                if (AWS.config.credentials && AWS.config.credentials.data && AWS.config.credentials.data.Credentials) {
                    let credentials = AWS.config.credentials.data.Credentials;
                    awsIot.device({
                       clientId: clientID,
                       host: host,
                       accessKeyId: credentials.AccessKeyId,
                       secretKey: credentials.secretKey,
                       protocol: 'wss',
                       sessionToken: credentials.SessionToken
                    });
                }
            }
        });
    });

Can anybody please help me with what I'm missing here?

Indranil Mondal

2 Answers

What worked for me was passing in the data from the AWS.config.credentials object directly, i.e.

    if (AWS.config.credentials) {
        awsIot.device({
            clientId: clientID,
            host: host,
            accessKeyId: AWS.config.credentials.accessKeyId,
            secretKey: AWS.config.credentials.secretAccessKey,
            protocol: 'wss',
            sessionToken: AWS.config.credentials.sessionToken
        });
    }

Perhaps check also that the accessKeyId etc. begin with small letters and not caps, if you are calling via this method.

cy6581
  • Sorry, this doesn't work as well, yeah I was getting the accesskey started with capital letter, I used to lower case well but still got the same error. – Indranil Mondal Nov 26 '17 at 14:33

Finally I got the solution in this case. All I needed to do was pass an empty string as the access key, secret key and session token while creating the device, and then update the device credentials once the device is created.

    AWS.config.credentials.get(() => {
        const IoT = new AWS.Iot();
        // Attach the IoT policy to the Cognito identity before connecting.
        IoT.attachPrincipalPolicy({
            policyName: 'PubSub',
            principal: AWS.config.credentials.identityId
        }, (err, res) => {
            if (err) {
                // Surface the failure instead of silently ignoring it.
                console.error('attachPrincipalPolicy failed:', err);
            } else {
                if (AWS.config.credentials && AWS.config.credentials.data && AWS.config.credentials.data.Credentials) {
                    let credentials = AWS.config.credentials.data.Credentials;
                    // Create the device with empty credentials first...
                    var device = awsIot.device({
                       clientId: clientID,
                       host: host,
                       accessKeyId: '',
                       secretKey: '',
                       protocol: 'wss',
                       sessionToken: ''
                    });
                    // ...then hand it the temporary Cognito credentials.
                    device.updateWebSocketCredentials(credentials.AccessKeyId, credentials.SecretKey, credentials.SessionToken, credentials.Expiration);
                }
            }
        });
    });

Indranil Mondal
  • Hey Indra, so for every cognito user, you have a aws-iot thing registered? ie; there are things that you're talking to which are some devices, also the user who will be connecting via the app need to be things (register a new thing for every new user who will be connecting to aws-iot via the app?) in aws-iot? – user2967920 Jan 25 '19 at 04:41
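
Both answers turn on which property names carry the temporary credentials: camelCase on `AWS.config.credentials` (first answer) and PascalCase on `AWS.config.credentials.data.Credentials` (second answer). The following is an added example, not code from either answer or from either SDK: `pick` and `toWebSocketCredentials` are hypothetical helpers and the sample values are constructed; it accepts both shapes and fails with the name of the missing field rather than handing `undefined` to the device.

```javascript
// Added example. pick() and toWebSocketCredentials() are hypothetical helpers,
// not part of aws-sdk or aws-iot-device-sdk.

// Return the first non-empty string found under any of the given property names.
function pick(obj, names) {
  for (const name of names) {
    if (obj && typeof obj[name] === 'string' && obj[name] !== '') return obj[name];
  }
  return undefined;
}

// Accepts either the raw Cognito response (AWS.config.credentials.data.Credentials,
// PascalCase) or the AWS.config.credentials object itself (camelCase).
function toWebSocketCredentials(creds, now = new Date()) {
  const out = {
    accessKeyId: pick(creds, ['accessKeyId', 'AccessKeyId']),
    secretKey: pick(creds, ['secretAccessKey', 'SecretKey']),
    sessionToken: pick(creds, ['sessionToken', 'SessionToken']),
    expiration: (creds && (creds.expireTime || creds.Expiration)) || null
  };
  // Name the missing fields only; never put key material in an error or log line.
  const missing = ['accessKeyId', 'secretKey', 'sessionToken'].filter((k) => !out[k]);
  if (missing.length > 0) {
    throw new Error('missing credential field(s): ' + missing.join(', '));
  }
  // Temporary credentials stop working at their expiration time.
  if (out.expiration && new Date(out.expiration) <= now) {
    throw new Error('temporary credentials expired; refresh before connecting');
  }
  return out;
}

// Constructed sample in the PascalCase shape (placeholder values, not real keys).
const sampleRaw = {
  AccessKeyId: 'ASIAEXAMPLEONLY00000',
  SecretKey: 'constructed-secret-for-illustration',
  SessionToken: 'constructed-session-token',
  Expiration: new Date('2030-01-01T00:00:00Z')
};

// Usage with the device created in the answer above:
//   const c = toWebSocketCredentials(AWS.config.credentials.data.Credentials);
//   device.updateWebSocketCredentials(c.accessKeyId, c.secretKey, c.sessionToken, c.expiration);
```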