Closed prestomation closed 4 years ago
Hi @prestomation,
From the sample code in the developer guide you linked to, signed websocket URLs shouldn't include any headers but should instead hoist everything that would normally be a header to the query string. That's pretty close in spirit to the way the SDK's S3 and Polly presigners work, but different enough that I think we would need a custom signer.
I'm running on Lambda and doing just what you want to do I think:
```js
var v4 = require('aws-signature-v4');

// signatureV4Hash and WSS_URL_EXPIRY_SECONDS are not defined in this snippet.
function signEndpointUrlAwsV4(endpointAddress) {
    var signedUrl = v4.createPresignedURL(
        'GET',
        endpointAddress,
        '/mqtt',
        'iotdevicegateway',
        signatureV4Hash,
        {
            key: process.env.AWS_ACCESS_KEY_ID,
            secret: process.env.AWS_SECRET_ACCESS_KEY,
            region: process.env.AWS_REGION,
            protocol: 'wss',
            expires: WSS_URL_EXPIRY_SECONDS
        }
    );
    // The session token is appended after signing, so it is not covered by the signature.
    return signedUrl + '&X-Amz-Security-Token=' + encodeURIComponent(process.env.AWS_SESSION_TOKEN);
}
```
Err, yes, in the query parameters of course.
Thanks @carlnordenfelt, makes sense. I just wish this sort of interface was more cleanly available in the SDK so I don't need to have multiple copies of the signing code. I hacked something together using the SDK, it's pretty ugly though! https://gist.github.com/prestomation/b0f15b4492146a64b9deffaf7ef011eb#file-iot_presign-js
Also see this AWS SDK extension: https://gist.github.com/rianwouters/17605cdb84a28ab59c89f2a46a7a36be
Closing this issue, please open it at https://github.com/aws/aws-iot-device-sdk-js-v2/issues.
Hi,
I set out with the intention of submitting a simple PR to allow simple presigning of an IoT websocket URL. Using the sample code in the IoT docs is... not something I want to continue to do :) http://docs.aws.amazon.com/iot/latest/developerguide/protocols.html#mqtt-ws
Problem is, the JS SDK always signs the x-Amz-Security-Token header, but AWS IoT does NOT accept this header if it's signed. CPP SDK also has this issue: https://github.com/aws/aws-sdk-cpp/pull/338
Thanks!