Followed tutorial, but can't get raspberry pi device-example to connect

Question

Followed tutorial, but can't get raspberry pi device-example to connect

Closed this issue 4 years ago · 6 comments

I followed this tutorial as closely as possible...

https://docs.aws.amazon.com/iot/latest/developerguide/iot-device-sdk-node.html

... but can't get my device to connect. I used the debugging flag but can't make heads or tails about what's going wrong.

At first, I thought "region: undefined" was a problem but apparently you don't need to (can't?) specify a region when you're using an "-H endpoint" parameter.

Cert is activated. Policy is permissive and I've tried several versions. :

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*.",
      "Resource": "*"
    }
  ]
}

None work. I'm truly stumped. Can anyone make heads or tails of this output? Any help would be greatly appreciated.

Note: I did this successfully months ago so I'm not a total noob. Just can't figure it out this time.

pi@sessionmaster:~/aws-iot-device-sdk-js/examples $ node -v
v12.18.3

pi@sessionmaster:~/aws-iot-device-sdk-js/examples $ node device-example -k "../certs/private.pem.key" -c "../certs/device.pem.crt" -i "client-id-1" -a "../certs/Amazon-root-CA-1.pem" -H "myendpoint-ats.iot.us-east-1.amazonaws.com" -p 8883 -T "sessionmasterCyrus" --test-mode 1 -D
{
keyPath: '../certs/private.pem.key',
certPath: '../certs/device.pem.crt',
caPath: '../certs/Amazon-root-CA-1.pem',
clientId: 'client-id-1',
region: undefined,
baseReconnectTimeMs: 4000,
keepalive: 300,
protocol: 'mqtts',
port: 8883,
host: 'a1r6g5ofj8uwrj-ats.iot.us-east-1.amazonaws.com',
debug: true,
username: '?SDK=JavaScript&Version=2.2.6',
reconnectPeriod: 4000,
fastDisconnectDetection: true,
resubscribe: false,
key: <Buffer 2d 2d ---snip --- ... 1629 more bytes>,
cert: <Buffer 2d 2d ---snip --- 6e ... 1170 more bytes>,
ca: <Buffer 2d ---snip --- 6d ... 1138 more bytes>,
requestCert: true,
rejectUnauthorized: true
}
attempting new mqtt connection...
offline
connection lost - will attempt reconnection in 4 seconds...
close
reconnect
connection lost - will attempt reconnection in 8 seconds...
close

Answer 1 · 2020-07-23T17:51:23.000Z

Your AWS Policy looks incorrect for both actions and resources. What is your IoT Policy attached to your certificates?

…

On Thu, Jul 23, 2020 at 10:30 AM Cyrus ***@***.***> wrote: I followed this tutorial as closely as possible... https://docs.aws.amazon.com/iot/latest/developerguide/iot-device-sdk-node.html ... but can't get my device to connect. I used the debugging flag but can't make heads or tails about what's going wrong. At first, I thought "region: undefined" was a problem but apparently you don't need to (can't?) specify a region when you're using an "-H endpoint" parameter. Cert is activated. Policy is permissive and I've tried several versions. : { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iot: *.", "Resource": "*" } ] } None work. I'm truly stumped. Can anyone make heads or tails of this output? Any help would be greatly appreciated. Note: I did this successfully months ago so I'm not a total noob. Just can't figure it out this time. ------------------------------ ***@***.***:~/aws-iot-device-sdk-js/examples $ node -v v12.18.3 ***@***.***:~/aws-iot-device-sdk-js/examples $ node device-example -k "../certs/private.pem.key" -c "../certs/device.pem.crt" -i "client-id-1" -a "../certs/Amazon-root-CA-1.pem" -H " myendpoint-ats.iot.us-east-1.amazonaws.com" -p 8883 -T "sessionmasterCyrus" --test-mode 1 -D { keyPath: '../certs/private.pem.key', certPath: '../certs/device.pem.crt', caPath: '../certs/Amazon-root-CA-1.pem', clientId: 'client-id-1', region: undefined, baseReconnectTimeMs: 4000, keepalive: 300, protocol: 'mqtts', port: 8883, host: 'a1r6g5ofj8uwrj-ats.iot.us-east-1.amazonaws.com', debug: true, username: '?SDK=JavaScript&Version=2.2.6', reconnectPeriod: 4000, fastDisconnectDetection: true, resubscribe: false, key: <Buffer 2d 2d ---snip --- ... 1629 more bytes>, cert: <Buffer 2d 2d ---snip --- 6e ... 1170 more bytes>, ca: <Buffer 2d ---snip --- 6d ... 1138 more bytes>, requestCert: true, rejectUnauthorized: true } attempting new mqtt connection... offline connection lost - will attempt reconnection in 4 seconds... close reconnect connection lost - will attempt reconnection in 8 seconds... close — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#339>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AD4KXRFCDFI4QZH3PIBVMBTR5BXSRANCNFSM4PF6IMRA> .

Answer 2 · 2020-07-23T19:07:26.000Z

Thanks. I finally got it working with the (very overly) permissive policy doc below. I can whittle it down from there.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Answer 3 · 2020-07-23T19:11:58.000Z

Iot:Publish permission for prototyping is usually enough but not much harm in all access

…

Sent from my iPhone

On Jul 23, 2020, at 12:07 PM, Cyrus ***@***.***> wrote: Thanks. I finally got it working with the (very overly) permissive policy doc below. I can whittle it down from there. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:*" ], "Resource": [ "*" ] } ] } — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or unsubscribe.

Answer 4 · 2020-07-23T19:16:33.000Z

Not much harm? Wouldn't that policy allow the device to publish to any topic? Could be used by a bad actor to flood or search for other devices, right? Am I misunderstanding how that works?

Answer 5 · 2020-07-23T20:05:43.000Z

First of all the policy’s are attached to the specific certificate bundle you allocated. Secondly you would have to explicitly declare and topics to be accepted by the AWS MQTT broker. Third I’m not sure how unauthorized publish permission is going to expose your other devices unless you have a way to access their things shadow accepted/get. Renegade unauthorized payload Are about a dollar per million? Anyway if you’re worried then yes restrict your policy further

…

Sent from my iPhone

On Jul 23, 2020, at 12:16 PM, Cyrus ***@***.***> wrote: Not much harm? Wouldn't that policy allow the device to publish to any topic? Could be used by a bad actor to flood or search for other devices, right? Am I misunderstanding how that works? — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or unsubscribe.

Answer 6 · 2020-09-10T17:19:45.000Z

@cyrusadkisson if you are still looking to limit your policy permissions take a look at the policies and permissions docs for more info.