Amplify-js: PubSub Websocket: "AMQJS0008I Socket closed." when trying to subscribe

Having the same problem, and it seems like all the solutions on all other forums are not working here. Can say I'm seeing the exact same issue (except using Ionic instead of React)

I just want to say I'm having the exact same issue. Or at least the symptoms appear the same to me.

All of my testing is on localhost:3000 if that matters - this is using React.

@mbonig actually helped me a bit on gitter as I believe he resolved the issue he was having and I believe his recommendation was to use the specific Cognito identity ID (rather than the aws_cognito_identity_pool_id from the aws-exports.js file) but I've added both and get the same results.

My policy looks like

(ARN is arn:aws:iot:us-west-2:XXXXXX:policy/webIoT)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "arn:aws:iot:us-west-2:XXXXXXXX/*"
    }
  ]
}

I used both the depreciated aws iot attach-principal-policy.... (docs should be updated) as well as the correct aws iot attach-policy... but no difference. I'm fairly certain the policy is attached correct though, because when I list out the targets attached to the policy I created both the targets that come back match what I set (one of them is the identity pool id, one of them is the specific cognito user from Auth.currentCredentials()...)

aws iot list-targets-for-policy --policy-name 'webIoT' --profile amplify-fdk92-test
{
    "targets": [
        "xxxx:us-west-2:zzzzzz",
        "yyyy:us-west-2:aaaaa"
    ]
}

My actual "app" (App.js, starting from a simple starter React project) looks like this (I didn't make this pretty, sorry!):

import Amplify, { Auth, PubSub, Logger } from "aws-amplify";
import { AWSIoTProvider } from "@aws-amplify/pubsub/lib/Providers";
import config from "./config";
import { withAuthenticator } from "aws-amplify-react"; // or 'aws-amplify-react-native';
// import { withOAuth } from "aws-amplify-react";
import React, { Component } from "react";
import {
  BrowserRouter as Router,
  Route,
  Link,
  Redirect
} from "react-router-dom";
import "./App.css";

Amplify.Logger.LOG_LEVEL = "DEBUG";

Amplify.configure(config);

//This doesn't really do anything here, but the cognitoIdentityId was used for attaching the policy
Auth.currentCredentials().then(info => {
  const cognitoIdentityId = info._identityId;
  console.log("cognito identity id", cognitoIdentityId);
});

Amplify.addPluggable(
  new AWSIoTProvider({
    aws_pubsub_region: "us-west-2",
    aws_pubsub_endpoint:
      "wss://XXXX.iot.us-west-2.amazonaws.com/mqtt"
  })
);

//Only reason I'm waiting here is just as a sanity check that there isn't a race condition I'm missing with how auth works
setTimeout(() => {
  PubSub.publish("topic/test", {
    msg: "Hello to all subscribers!"
  }).then(data => {
    console.log("data is ", data);
    data[0].then(blah => console.log(blah)).catch(blah => console.log(blah));
  });
}, 5000);

And finally, the actual output from when the timeout above fires and the publish happens:

ConsoleLogger.js:97 [DEBUG] 01:10.137 Credentials - getting credentials
ConsoleLogger.js:97 [DEBUG] 01:10.138 Credentials - picking up credentials
ConsoleLogger.js:97 [DEBUG] 01:10.139 Credentials - getting new cred promise
ConsoleLogger.js:97 [DEBUG] 01:10.139 Credentials - checking if credentials exists and not expired
ConsoleLogger.js:107 [DEBUG] 01:10.140 Credentials - is this credentials expired? CognitoIdentityCredentials {expired: false, expireTime: Tue Apr 09 2019 19:01:05 GMT+0900 (Japan Standard Time), accessKeyId: "XXXXXXX", sessionToken: "XXXXXX//////////XXXXXXX…ph/XXXXXXX/XXXXXXX/XXXXXXXX=", params: {…}, …}
ConsoleLogger.js:97 [DEBUG] 01:10.140 Credentials - credentials not changed and not expired, directly return
App.js:38 data is  [Promise]
ConsoleLogger.js:99 [DEBUG] 01:10.144 Signer {region: "us-west-2", service: "iotdevicegateway"}
ConsoleLogger.js:107 [DEBUG] 01:10.146 MqttOverWSProvider - Creating new MQTT client 2fa6b4a0-f880-4544-869a-XXXXXXXXX
App.js:39 {invocationContext: undefined, errorCode: 8, errorMessage: "AMQJS0008I Socket closed."}

_edit: I get the exact same behavior if I try to subscribe to a topic instead of publish._

I'm not sure if my exmaple code above matches the AWS Amplify docs for PubSub 1:1, however I started with the PubSub docs and had this same issue. Then I went on from there and googled a bunch and found a number of people with the same issue(s), a number of different solutions, but none of them seemed to work from me.

It's possible that I am simply not using a valid topic name (?), or something stupid, I'm really at the early stages of understanding a lot of this. Regardless, from what I can tell something might be missing from the docs, even if that something is just a more complete "for dummies" example.

I was able to resolve this error by attaching the AWSIoTDataAccess policy to the Cognito AuthRole

Had the same error, changing IOT Core policy solved the problem for me:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      (NOT WORKS) "Resource": "arn:aws:iot:us-west-2:XXXXXXXX/*"
      (WORKS) "Resource": "*"
    }
  ]
}

My guess is that previous policy gave permission to subscribe/publish to topics, but didn't gave the permission to connect. Amplify JS PubSub docs can be improved IMHO.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Had the same error, changing IOT Core policy solved the problem for me:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      (NOT WORKS) "Resource": "arn:aws:iot:us-west-2:XXXXXXXX/*"
      (WORKS) "Resource": "*"
    }
  ]
}

My guess is that previous policy gave permission to subscribe/publish to topics, but didn't gave the permission to connect. Amplify JS PubSub docs can be improved IMHO.

This solution should only be relevant in explaining the underlying issue. Please do not put * for resource identifiers. This is a massive security hole and goes against all best practices with IAM policies.

I also had the same error and was only able to resolve it by changing the policy to "Resource": "*". Wondering if there are any better practices.

Just literally did a brute force search over different specifications of "Resource", and below are my findings.

The ones that worked:

      "Resource": [
        "*"
      ]

      "Resource": [
        "arn:aws:iot:[region]:[AWS account ID]:*"
      ]

      "Resource": [
        "arn:aws:iot:[region]:[AWS account ID]:topic/*",
        "arn:aws:iot:[region]:[AWS account ID]:topicfilter/*",
        "arn:aws:iot:[region]:[AWS account ID]:client/*"
      ]

The ones that did not work:

      "Resource": [
        "arn:aws:iot:[region]:[AWS account ID]:topic/*"
      ]

      "Resource": [
        "arn:aws:iot:[region]:[AWS account ID]:topic/*",
        "arn:aws:iot:[region]:[AWS account ID]:client/*"
      ]

I referred to this doc when iterating over available resources.
So my guess is we simply need to add a bit more resource for subscribing if necessary.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

This issue has been automatically closed because of inactivity. Please open a new issue if are still encountering problems.

Hello, I still have this issue.
The IoT Policy is well attached, I tried to put the Resource to "*" for the Iot Policy. I also tried to attach the identity_id from the aws-exports.js file. But it still don't work.
I tried to redo the procedure from scratch, it stills don't work.

I have the same issue. I have attached policy by following the amplify pubsub document. Anyone has some example?