AWS IoT websocket connection returns a 403

3
votes

I keep receiving a 403 when trying to connect via Websocket to AWS IoT. I have a Cognito federated pool setup, which connects fine and returns credentials. It's after that step when I update the websocket credentials that I start getting 403's.

I've done the following steps:

  1. I've setup IoT and have a certificate and policy setup.
  2. I created a Cognito Federated Identity Pool that allows unauthenticated users.
  3. The unauthenticated role has full access to IoT (policy below)

Here's the unauthenticated role policy:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "mobileanalytics:PutEvents",
            "cognito-sync:*",
            "iot:*"
        ],
        "Resource": [
            "*"
        ]
    }
]
}

Any ideas? Am I missing a step?

1
javascriptamazon-web-servicesiotamazon-cognito
How are you connecting with WebSockets? AWS IoT Device SDK? Hand crafting SigV4 request? There is a sample AWS IoT over WS via Device SDK (feat. Cognito) project here: github.com/awslabs/aws-iot-examples/pull/2TheRyanBurke_AWS

1 Answers

4
votes

I know this is a bit old, But we had the same issue today, however it only seemed to happen to one companies users. So after a little digging I discovered their computers time were off by about 8 minutes. This was causing the certificate to be expired or invalid. simply changing the computers times to the correct time, or as we did get the difference of the correct time from the server and the local machine and account for the difference when sending the request fixed the issue.