AWS设备自定义身份认证需要通过lambda服务实现，具体来说，首先需要创建一个lambda函数，在函数中实现具体的认证逻辑，然后Iot在调用授权方时，将触发lambda函数，返回认证结果。

1.输入参数说明

授权方在调用lambda函数时，将传递相关的参数信息，具体内容如下所示：

{"token" :"aToken","signatureVerified": Boolean, // Indicates whether the device gateway has validated the signature."protocols": ["tls", "http", "mqtt"], // Indicates which protocols to expect for the request."protocolData": {"tls" : {"serverName": "serverName" // The server name indication (SNI) host_name string.},"http": {"headers": {"#{name}": "#{value}"},"queryString": "?#{name}=#{value}"},"mqtt": {"username": "myUserName","password": "myPassword", // A base64-encoded string."clientId": "myClientId" // Included in the event only when the device sends the value.}},"connectionMetadata": {"id": UUID // The connection ID. You can use this for logging.},
}

2.创建lambda函数

操作地址：函数 – Lambda (amazonaws.cn)

编写函数逻辑：

如果检测到用户密码为test，则认证通过，并附加允许策略，其他情况，则附加拒绝策略。

console.log('Loading function');exports.handler = function(event, context, callback) { var uname = event.protocolData.mqtt.username;var pwd = event.protocolData.mqtt.password;var buff = Buffer.from(pwd, 'base64');var passwd = buff.toString('ascii');console.log(passwd);switch (passwd) { case 'test': callback(null, generateAuthResponse(passwd, 'Allow')); default: callback(null, generateAuthResponse(passwd, 'Deny'));  }
};// Helper function to generate the authorization response.
var generateAuthResponse = function(token, effect) { console.log(effect);var authResponse = {}; authResponse.isAuthenticated = true; authResponse.principalId = 'TEST123'; var policyDocument = {}; policyDocument.Version = '2012-10-17'; policyDocument.Statement = []; var publishStatement = {}; var connectStatement = {};connectStatement.Action = ["iot:Connect"];connectStatement.Effect = effect;connectStatement.Resource = ["arn:aws:iot:cn-northwest-1:xxxxxx:client/*"];publishStatement.Action = ["iot:Publish"]; publishStatement.Effect = effect; publishStatement.Resource = ["arn:aws:iot:cn-northwest-1:xxxxxx:topic/test/battery"]; policyDocument.Statement[0] = connectStatement;policyDocument.Statement[1] = publishStatement; authResponse.policyDocuments = [policyDocument]; authResponse.disconnectAfterInSeconds = 3600; authResponse.refreshAfterInSeconds = 300;return authResponse; 
}

3.创建授权方

通过aws cli命令行工具创建授权方，或者在Iot Core控制台直接创建授权方，

aws iot create-authorizer --authorizer-name TestAuthorizer --authorizer-function-arn arn:aws-cn:lambda:cn-northwest-1:xxxxxx:function:AceAuthorizor --status ACTIVE --signing-disabled

4.授权方添加权限

通过aws cli命令行的方式给授权方添加调用lambda的权限，

aws lambda add-permission --function-name TestAuthorizer --principal iot.amazonaws.com --source-arn arn:aws-cn:iot:cn-northwest-1:xxxxxx:authorizer/TestAuthorizer --statement-id Id-124 --action "lambda:InvokeFunction"

5.测试授权方

通过aws cli测试授权方调用lambda是否成功

aws iot test-invoke-authorizer --authorizer-name TestAuthorizer --mqtt-context "username=xxxxx,password=dGVzdA==,clientId=demo1"
密码正确，则返回授权的策略内容，如下图所示

6.总结

这里要注意aws cli 的配置，我这里最开始用IAM Role方式配置命令行，

刚开始一直报权限问题，后来直接换成用户凭证的方式配置，

 报错“An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws-cn:iam::xxxxxx:user/test is not authorized to perform: sts:AssumeRole on resource: arn:aws-cn:iam::xxxxxx:role/JITP”，后来在目录“C:\Users\用户\.aws”下config文件去掉role_arn，问题才解决。

另外，要注意给授权放添加调用lambda的权限，否则测试一直报错"An error occurred (InvalidResponseException) when calling the TestInvokeAuthorizer operation: AccessDeniedException encountered when invoking lambda; requestId: 53bc3fb4-80d2-4f89-ac98-4d529444ee48"