I am working on an embedded device which is already able to communicate via MQTT with AWS and Azure for several years.
Now our customers want to be able to use MQTT with Google IoT Cloud as well.
I thought it would be nothing complicated, but I found that I have to generate a JWT token every 24 hours, which is quite heavy for an embedded device (especially a low power one) to handle, to generate a token via the RS256 algorithm, it takes 10 seconds, and with ES256 it takes 6 seconds, with an 80 MHz ARM Cortex-M4.
So I'm looking for a way to avoid having to generate this JWT token, I found in the documentation that Google supports MQTT gateways, but that means we have to keep a gateway server somewhere in the network, which is not very competitive considering what offer AWS and Azure.
Is there a way to avoid having to generate a JWT token (without having to manage an MQTT gateway)?
Or is there someone who offers an MQTT-Gateway service (also for a fee)?
Why did Google decide to use this JWT token as authentication? Wouldn't it have been easier to do as AWS and Azure did?
No, as per the current implementation, JWT tokens and MQTT gateway using the Association only authentication method are the only ways to authenticate to Cloud IoT Core.
Related
we use Aws Api Gateway to protect our apis.
We want to create an sdk for developers. The idea is to have In app purchase in their apps and call our apis in order to start payment.
We are trying to have a way to connect machine from machine. The first machine will be an sdk integrated in Android games and the second will be our back end protected by the api gateway.
The sdk should have a the authorization to consume the api.
Today we don't know how to do it, even after discussing with many architects.
The sdk is not going to have user and password, because it is not a user, so no way to generate the classic access token.
How could we achieve this use case ?
Thanks
The sdk should have a the authorization to consume the api. Today we don't know how to do it, even after discussing with many architects.
There are three possible ways to have a protected API Gateway. AWS Cognito and AWS Lambda. The third option, API Keys, is a little bit different than the previous two.
With Cognito, you create user pools and API Gateway automatically handles authorization when a request is received.
With Lambda, you create your own custom authorization logic.
I generally prefer the Lambda approach due to the ease of use but it depends on the use-case.
With the API Key option, you create API Keys for specific routes and API Gateway checks them through the request headers. I think any use-case that requires this can be handled with the Lambda option as well.
What you are describing doesn't sound difficult to achieve.
You will generate an API key and you will give them to the developers that will use your API.
In your SDK, you can accept the API key as an initialization parameter and provide it in the requests to API Gateway.
This apparently is so simple question but I have been trying hard and came accross many questions and articles but none of them really answers this.
There are many ways to design the architecture after the log is ingested and transferred to AWS. We can use ES, Kinesis and other services.
My problem is how to transfer the application client logs to AWS securly, anywhere, could be S3, Lambda, Kindesis, ElasticSearch. We can surely have an endpoint exposed but that will be open. How to authenticate this to make sure malicious users don't spam our logs? what is the best way to ingest and transfer logs to AWS from mobile applicatios?
Creat an API that collect logs and ingest to kinesis expose it with API gateway use API keys aur authentication API to generate bearer token.
In application create functionality that make API call.
We did this in one of our application successfully
One way is to use Amplify SDK on the client application to log
securely.
Have a look at this link:
https://medium.com/swlh/add-monitoring-to-your-amplify-app-by-using-amplify-framework-d4c43b2bb84b
I have an IOT device that is not able to generate JWT token. For authenticating with Google IOT core, we need to create jwt token with expiry time. Is there any way to create a static authentication, like username and password as fixed, as it is for local mqtt broker (mosquitto) ?
I think your only solution is to add a proxy IoT client that is able to generate JWTs.
Your devices will message the proxy using whatever mechanism and security you want and the proxy would manage JWTs when communicating with IoT core.
See gateways
Here is my use case:
Static react frontend hosted on s3
Python backend on lambda conduction long running data analysis
Postgres database on rds
Backend and frontend communicate exclusively with JSON
Occasionally backend creates and stores powerpoint files in s3 bucket and then serves them up by sending s3 link to frontend
Convince me that it is worthwhile going through all the headaches of setting up API gateway to connect the frontend and backend rather than invoking lambda directly from the frontend!
Especially given the 29s timeout which is not long enough for my app meaning I need to implement asynchronous processing and add a whole other layer of aws architecture (messaging, queuing and polling with SNS and SQS) which increases cost, time and potential for problems. I understand there are some security concerns, is there no way to securely invoke a lambda function?
You are talking about invoking a lambda directly from JavaScript running on a client machine.
I believe the only way to do that would be embedding the AWS SDK for JavaScript in your react frontend. See:
https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/browser-invoke-lambda-function-example.html
There are several security concerns with this, only some of which can be mitigated.
First off, you will need to hardcode AWS credentials in to your frontend for the world to see. The access those credentials have can be limited in scope, but be very careful to get this right, or otherwise you'll be paying for someone's cryptomining operation.
Assuming you only want certain people to upload files to a storage service you are paying for, you will need some form of authentication and authorisation. API Gateway doesn't really do authentication, but it can do authorisation, albeit by connecting to other AWS services like Cognito or Lambda (custom authorizers). You'll have to build this into your backend Lambda yourself. Absolutely doable and probably not much more effort than using a custom authorizer from the API Gateway.
The main issue with connecting to Lambda direct is that Lambda has the ability to scale rapidly, which can be an issue if someone tries to hit you with a denial of service attack. Lambda is cheap, but running 1000 concurrent instances 24 hours a day is going to add up.
API Gateway allows you rate limit per second/minute/hour/etc., Lambda only allows you to limit the number of concurrent instances at any given time. So if you were to set that limit at 1, an attacker could cause that 1 instance to run for 24 hours a day.
I'd like to run some stateless Java services on the Bitnami stack on AWS that will be consumed by apps... and of course to access these I'd need some type of authentication and authorization.
Previously with this type of architecture I've chucked an API gateway in front of them, to which the developer would subscribe. And AWS provides an API gateway, nice.
HOWEVER, while reading up on how to set this up on AWS I came across 'AWS Cognito' which is supposedly designed specifically for this same purpose.
So my question is are these two solutions comparable - are they doing the same thing?
And if-so, then what are the pros and cons of each, when would choose one over the other?
Basically because you are targeting the user level you should use Cognito; as it does provide you with authentication, reseting passwords for the user, and of course
signing up workflow. Moreover it provides user information to the admin, as well as two factor authentication, by using the user's mobile phone.
If you want to authorize the application to use an api then you use the API Gateaway.
The Cognito, is designed for user interaction it has an api for Java, JavaScript, iOS, and Android, so you can
implement the interaction with it at any level; as you wish. You also not getting changed if your user base is less than 50k.