Pub/Sub entering ConnectionDisrupted state, no errors

[Nikola-Milovic]

Before opening, please confirm:

• I have searched for duplicate or closed issues and discussions.
• I have read the guide for submitting bug reports.
• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

JavaScript Framework

React

Amplify APIs

PubSub

Amplify Categories

auth

Environment information

 System:
    OS: Linux 5.15 Ubuntu 20.04.5 LTS (Focal Fossa)
    CPU: (16) x64 AMD Ryzen 7 2700 Eight-Core Processor
    Memory: 17.90 GB / 31.30 GB
    Container: Yes
    Shell: 5.0.17 - /usr/bin/bash
  Binaries:
    Node: 18.14.2 - ~/.nvm/versions/node/v18.14.2/bin/node
    Yarn: 1.22.19 - /usr/bin/yarn
    npm: 9.5.0 - ~/.nvm/versions/node/v18.14.2/bin/npm
    Watchman: 2023.03.20.00 - /home/linuxbrew/.linuxbrew/bin/watchman
  Browsers:
    Brave Browser: 107.1.45.118
    Chrome: 107.0.5304.87
    Chromium: 112.0.5615.49
    Firefox: 112.0.1
  npmGlobalPackages:
    corepack: 0.15.3
    npm: 9.5.0
    pnpm: 8.1.1

Describe the bug

When trying to connect to AWS IoT with Amplify and Pub/Sub I am stuck in the ConnectionDisturbed -> Connection loop

[INFO] 43:52.175 Main - Connecting
ConsoleLogger.ts:105 [INFO] 43:52.339 Main - ConnectionDisrupted
ConsoleLogger.ts:105 [INFO] 44:52.174 Main - Connecting
ConsoleLogger.ts:105 [INFO] 44:52.350 Main - ConnectionDisrupted
ConsoleLogger.ts:105 [INFO] 45:52.174 Main - Connecting
ConsoleLogger.ts:105 [INFO] 45:52.345 Main - ConnectionDisrupted

Expected behavior

It should be in connected state and stay in it

Reproduction steps

Have my CDK configuration with my amplify.ts file

Code Snippet

My setup is as follows

amplify.ts file that I import in the entrypoint to my app

Logger.LOG_LEVEL = 'DEBUG' ;

try {
	const cancel = Hub.listen('pubsub', (data: any) => {
		 console.log('PubSub', data) 
	});

	Amplify.configure({
		Auth: {
			region: env.AWS_REGION,
			userPoolId: env.AWS_COGNITO_USER_POOL_ID,
			userPoolWebClientId: env.AWS_COGNITO_ADMIN_USER_POOL_CLIENT_ID,
			identityPoolId: env.AWS_COGNITO_IDENTITY_POOL_ID,
			identityPoolRegion: env.AWS_REGION,
			mandatorySignIn: true
		},
        }


	Amplify.addPluggable(
		new AWSIoTProvider({
			aws_pubsub_region: env.AWS_REGION,
			aws_pubsub_endpoint: `wss://${env.AWS_IOT_ENDPOINT}/mqtt`,
		})
	);
} catch (error) {
	console.error("error occured during amplify setup", error);
}

All of my env variables are correct, I also have geo setup, and its working.

The endpoint also matches the one in IoT Core -> Settings.

This is my endpoint wss://a3ri7xxxxxxxxx-ats.iot.eu-central-1.amazonaws.com/mqtt

I receive no errors other than the connection being disrupted. If I try to publish I get [undefined] back without any errors.

---

I am not using the CLI but my own CDK and I have this

		const iotPolicy = new iam.Policy(this, `iot-amplify-policy`, {
			statements: [
				new iam.PolicyStatement({
					effect: iam.Effect.ALLOW,
					actions: ['iot:*'],
					resources: [`arn:aws:iot:${appConfig.region}:${appConfig.account}:*`],
				}),
			],
		});

		const { authenticatedRole } = props;

		authenticatedRole.attachInlinePolicy(iotPolicy);

		authenticatedRole.addManagedPolicy(
			iam.ManagedPolicy.fromAwsManagedPolicyName('AWSIoTDataAccess')
		);
		authenticatedRole.addManagedPolicy(
			iam.ManagedPolicy.fromAwsManagedPolicyName('AWSIoTConfigAccess')
		);

So my Authenticated users should have access to the IoT.

Log output

// Put your logs below this line

Additional information

There was an issue that mentions something related to access to Pub/Sub IoT but it was closed and not answered #749, doesn't seem to be the issue I am experiencing

Also if I try to connect over plain MQTT instead of websockets or with HTTPS, then I am stuck in Connecting state.

Not sure how to debug without any error logs, not sure what could cause such behaviour.

My only guess is that I am misunderstanding roles and users and that the Policy I gave to my authenticated users is in fact not doing what I expect it to. As in the docs its stated

The next step is attaching the policy to your Cognito Identity.

While I am not attaching it to Cognito Identity.

[Nikola-Milovic]

Identity had to have the policy and not the authenticated user. This fixed the issue

Edit: I'll leave this open as a question on how to grant access to authenticated users without having to have a separate endpoint to handle adding the policy for identity. Maintainers please close this, I'll leave it open for visibility. As #749 left unanswered and I couldn't find the answer anywhere. If there is no way around it, any tips on how to implement it? As identities are temporary, how should I approach expiration and such

[Julz-afk]

Hi @Nikola-Milovic, did you get this issue resolved on your side?
I am experiencing similar issue.

[Nikola-Milovic]

The comment I made is the fix, basically you need the policy on the identity itself. But I have no way of easily automating this, nor do I have an idea on why my setup with Authenticated role wasn't working.

[Julz-afk]

@Nikola-Milovic, Are you referring to the identity ID of the user or the Identity pool ID?

[Nikola-Milovic]

@Julz-afk Identity of the authenticated user, I think attaching it to Identity Pool doesn't work. You can try and please let me know

[Julz-afk]

Yeah I have tried using the Auth user ID and also the pool ID, both not working on my side, still getting this error: connecting then connection disrupted. Then this error pops up: MqttOverWSProvider - Error forming connection Error: AMQJS0011E

[Nikola-Milovic]

@Julz-afk follow the guide in their docs, if you attach the policy manually it works

[Julz-afk]

Got it up and running on my side, think I missed a step somewhere with the policy and identity stuff.

[mikey0000]

Also in nodejs applications WebSockets is missing as in never imported and is expected on the global.

[mufarrah]

@Julz-afk Identity of the authenticated user, I think attaching it to Identity Pool doesn't work. You can try and please let me know

Thanks , that helped, you are right

[LorisNanchen]

Where can I find that Identity Id ? I'm facing the same issue and nothing seems to fix it. Maybe I didn't understand the Policies and Identities.

Btw I'm using NextJs, don't know if it's supposed to work with it.

[waedg]

I confirm, in my case i didn't created and added the policy to the user after authentification , i recommand reading this section of amplify documentation and understand it very well :
[https://docs.amplify.aws/javascript/build-a-backend/more-features/pubsub/set-up-pubsub/]
thank you @Nikola-Milovic for the hint.

[haverchuck]

Is this issue happening on version 5 only?