How to create a unique IOT Thing on AWS automatically through a Flutter app? - amazon-web-services

I am working on a project wherein a mobile app (Flutter app) should create a unique identity (IoT thing) for my IoT device (on AWS) as soon as the user logs in to the app, and it should also establish a connection (and subsequent communication) with the isolated IoT device after its configuration (somewhat similar to the Google Home configuration process).
The process starts with the user logging in to the app (using AWS Amplify/Cognito to automatically add the user account in the cloud). Subsequently, the app needs to configure the IoT device (ESP32) and send the Wi-Fi credentials of the home network by connecting to the ESP's Wi-Fi AP. However, since both the app and the IoT device are isolated from each other (except during the configuration process), I don't have much idea of how exactly the mobile app will connect (creating a unique IoT thing automatically) and communicate with the isolated IoT device over the AWS IoT cloud.
I have worked with some of the AWS services like AWS Lambda, DynamoDB and AWS IoT for quite a while, hence I am aware of the basics. One of the possible solutions for the above may be the Fleet Provisioning by a Trusted User feature provided by AWS IoT (I did read its documentation, but am still confused). We can also use the ESP32's Bluetooth feature for the app to scan for the nearby devices it needs to connect with, but I am not sure how the connection will be established through the AWS cloud.
Since I am a beginner with AWS cloud services, it'd be great if someone could provide a possible solution for the above in detail. Also, if possible, please provide a solution which would work in case of a large-scale deployment of the above project.

The parts you may be missing are 1) MQTT messaging, which is the IoT message broker service provided by IoT Core, and 2) the need for an application programming interface to handle creating and activating devices.
MQTT is a lightweight and widely adopted messaging protocol that is designed for constrained devices.
Your devices (things) will need to communicate back to AWS via MQTT messages, which are captured and processed by the IoT Rules service.
These rules typically trigger Lambda functions, which implement the process logic you need for your application.
See https://mqtt.org/ and https://docs.aws.amazon.com/iot/latest/developerguide/what-is-aws-iot.html
2) You will want to implement a simple API to handle device activation. The AWS API Gateway service makes it easy to implement APIs. For example, you can implement an endpoint for POST /device/ to create a device. That endpoint can trigger a Lambda that handles device provisioning.
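The POST /device Lambda described in this answer, written out as an added example (not code from the answer or from any AWS sample). It assumes API Gateway fronts the endpoint with a Cognito authorizer, so the caller's Cognito `sub` arrives verified in `event["requestContext"]["authorizer"]["claims"]`, that the request body carries the device serial, and that `iot` is a boto3 IoT client. The `FakeIotClient` is a constructed stand-in that mirrors the real client's method names (`create_thing`, `create_keys_and_certificate`, `attach_policy`, `attach_thing_principal`) so the file runs offline; the policy name `DevicePolicy` and the `devices/<thing>/...` topic layout are assumptions.

```python
import json
import os
import re
import secrets

POLICY_NAME = "DevicePolicy"   # assumed: one policy shared by every device in the fleet
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # conservative subset of what IoT accepts
REGION = os.environ.get("AWS_REGION", "us-east-1")


def shared_device_policy(region, account):
    # Least privilege through policy variables: a certificate may only connect using the
    # name of the thing attached to it as MQTT client id, and may only touch topics
    # under that thing's own prefix. One policy therefore serves the whole fleet.
    thing = "${iot:Connection.Thing.ThingName}"
    arn = f"arn:aws:iot:{region}:{account}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": f"{arn}:client/{thing}"},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
         "Resource": f"{arn}:topic/devices/{thing}/*"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": f"{arn}:topicfilter/devices/{thing}/*"},
    ]}


def ensure_shared_policy(iot, region, account):
    try:
        iot.get_policy(policyName=POLICY_NAME)
    except iot.exceptions.ResourceNotFoundException:
        iot.create_policy(policyName=POLICY_NAME,
                          policyDocument=json.dumps(shared_device_policy(region, account)))


def provision_device(iot, user_sub, serial, region, account):
    """Register one physical device (thing + active certificate) owned by one user."""
    if not (NAME_RE.match(serial) and NAME_RE.match(user_sub)):
        raise ValueError("invalid serial or user id")
    ensure_shared_policy(iot, region, account)
    # Create the thing first so a duplicate serial fails before any certificate exists.
    iot.create_thing(thingName=serial, attributePayload={"attributes": {"owner": user_sub}})
    cert = iot.create_keys_and_certificate(setAsActive=True)
    iot.attach_policy(policyName=POLICY_NAME, target=cert["certificateArn"])
    iot.attach_thing_principal(thingName=serial, principal=cert["certificateArn"])
    # The private key is returned exactly once, for the app to hand to the ESP32 over the
    # local setup channel; the backend must not log or persist it.
    return {"thingName": serial, "certificatePem": cert["certificatePem"],
            "privateKey": cert["keyPair"]["PrivateKey"]}


def lambda_handler(event, context, iot=None):
    """API Gateway proxy handler for POST /device behind a Cognito authorizer."""
    if iot is None:
        import boto3                 # the real client inside Lambda
        iot = boto3.client("iot")
    claims = event["requestContext"]["authorizer"]["claims"]   # already verified by API Gateway
    body = json.loads(event.get("body") or "{}")
    try:
        result = provision_device(iot, claims["sub"], str(body.get("serial", "")),
                                  REGION, event["requestContext"]["accountId"])
    except ValueError as err:
        return {"statusCode": 400, "body": json.dumps({"error": str(err)})}
    except iot.exceptions.ResourceAlreadyExistsException:
        return {"statusCode": 409, "body": json.dumps({"error": "device already registered"})}
    return {"statusCode": 201, "body": json.dumps(result)}


class FakeIotClient:
    """Constructed stand-in for boto3.client("iot") so this file runs offline."""
    class exceptions:
        class ResourceNotFoundException(Exception): pass
        class ResourceAlreadyExistsException(Exception): pass

    def __init__(self):
        self.policies, self.things, self.attached = {}, {}, []

    def get_policy(self, policyName):
        if policyName not in self.policies:
            raise self.exceptions.ResourceNotFoundException(policyName)
        return {"policyName": policyName}

    def create_policy(self, policyName, policyDocument):
        self.policies[policyName] = json.loads(policyDocument)

    def create_keys_and_certificate(self, setAsActive):
        cert_id = secrets.token_hex(32)
        return {"certificateArn": f"arn:aws:iot:us-east-1:123456789012:cert/{cert_id}",
                "certificatePem": "-----BEGIN CERTIFICATE-----\n...",
                "keyPair": {"PrivateKey": "-----BEGIN RSA PRIVATE KEY-----\n..."}}

    def create_thing(self, thingName, attributePayload):
        if thingName in self.things:
            raise self.exceptions.ResourceAlreadyExistsException(thingName)
        self.things[thingName] = attributePayload["attributes"]

    def attach_policy(self, policyName, target):
        self.attached.append(("policy", policyName, target))

    def attach_thing_principal(self, thingName, principal):
        self.attached.append(("thing", thingName, principal))


SAMPLE_EVENT = {   # constructed API Gateway event in the shape a Cognito authorizer produces
    "requestContext": {"accountId": "123456789012",
                       "authorizer": {"claims": {"sub": "6f2c1a2e-7b1d-4a1c-9c7e-0d1a2b3c4d5e"}}},
    "body": json.dumps({"serial": "ESP32-00A1B2"}),
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None, iot=FakeIotClient()))
```

The handler never trusts a user id from the request body; ownership comes from the Cognito claims API Gateway already verified, and the serial is validated before it becomes a thing name or part of an ARN. For a large fleet, Fleet Provisioning by a Trusted User replaces the `create_keys_and_certificate` step with a provisioning template and a short-lived claim, but the ownership check and the scoped policy stay the same.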

Related

Communicate with AWS IoT device from mobile/web app

I have developed an electronic device that connects to the AWS IoT Core service through the MQTT protocol. Now I can connect, publish and subscribe to topics.
The device has some inputs (i.e. buttons) and outputs (i.e. relays).
Now I want to develop a mobile or web application to let an authorized user read the input status and read/write the outputs. More than one user could be authorized to control a single device.
What is not clear to me (I have no knowledge of backend technologies) is how to manage users, i.e. the mobile/web app.
One strategy is to create a new Thing for each user, with its own certificate. The web/mobile app uses the MQTT protocol like the electronic device. Topics can be used as a chat channel: the user asks for the input status and the device answers with the updated status.
Another strategy could be to create an HTTP API (maybe with AWS API Gateway) that web/mobile apps use. The API is programmed to publish and subscribe to topics. The user should have IAM access.
I know I could use Device Shadow, but I don't think it's a good solution in my use case. The status of the inputs can change frequently (maybe 1000 times a day), but the user wants to retrieve the status through the mobile/web app only sometimes (once a day or less frequently). It seems useless to send so many messages to keep the shadow updated.
You can use the following front-end library to connect your web app with AWS IoT via MQTT (publish and subscribe methods are also available in the system).
Front end library documentation
Please refer to the link and see if this solves your problem: https://medium.com/#serverlessguru/serverless-real-time-reactjs-app-aws-iot-mqtt-17d023954045.

Does using a custom authorizer with aws-iot (wss) create a new device every time a device connects and sends data?

Considering there are a bunch of mobile devices (Android and iOS) that need to send data to AWS IoT via MQTT, a custom authorizer that checks for a valid token based on business logic is to be implemented.
Referring to IoT Apps with AWS IoT and Websockets, slide 56/60 shows the registration process where a Lambda is used to create and attach a policy.
Does this indicate that the Lambda will create a new AWS IoT device and attach the policy to that device, which results in creating a new AWS IoT device every time a new user signs up?
Referring to How to Use Your Own Identity and Access Management Systems to Control Access to AWS IoT Resources, you can create your custom authorizer. Once that's done, you can use aws/aws-iot-device-sdk-js to test out the authorizer by using this piece of code.
Using a custom authorizer doesn't require you to create or have any things registered in your account.
You are billed for your connections, messages etc. as per AWS's IoT pricing.
However, this is an MQTT over WSS implementation and not an MQTT-only implementation. As of now, the MQTT-only implementation still seems to require certificates during connection to the AWS IoT broker.
To expand on user2967920's answer:
You do not need to create devices when using AWS IoT Core. AWS Amplify PubSub actually uses IoT as a general-purpose MQTT broker. No devices will be created by using a custom authorizer*.
The policy returned by your custom authorizer is not persisted. Think of it as a dynamic, ad-hoc policy created for a specific connection.
For an example of using AWS IoT on Android and iOS, check out the documentation of AWS Amplify PubSub (which uses AWS IoT Core internally). On iOS:
    // iotDataManager is an AWSIoTDataManager instance from the AWS iOS SDK;
    // mqttEventCallback receives connection status changes. Values in <> are placeholders.
    iotDataManager.connectUsingWebSocket(withClientId: uuid,
                                         cleanSession: true,
                                         customAuthorizerName: "<name-of-the-custom-authorizer>",
                                         tokenKeyName: "<key-name-for-the-token>",
                                         tokenValue: "<token>",
                                         tokenSignature: "<signature-of-the-token>",
                                         statusCallback: mqttEventCallback)
*Obviously you can create devices in the lambda function if you choose to, just like you can use any other AWS API.
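The Lambda behind `customAuthorizerName` in the snippet above, written out as an added example (not code from the answer or from AWS). It assumes the app holds an opaque token issued by your own backend of the form `base64url(user:expiry).base64url(hmac_sha256(secret, user:expiry))`; that the authorizer has token signing enabled, so IoT Core sets `signatureVerified` after checking `tokenSignature` against the authorizer's public key; that the app uses `<user>-<anything>` as its MQTT client id; and a fixed region/account in `IOT_ARN`. The `token`, `signatureVerified` and `protocolData.mqtt.clientId` event fields and the `isAuthenticated` / `principalId` / `policyDocuments` response fields are the documented custom-authorizer contract; `make_event` builds a constructed event in that shape so the file runs offline.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re
import time

SECRET = os.environ.get("TOKEN_SECRET", "constructed-demo-secret").encode()  # real: Secrets Manager
IOT_ARN = "arn:aws:iot:us-east-1:123456789012"   # assumed region and account
REQUIRE_SIGNATURE = True   # assumed: token signing is enabled on the authorizer
USER_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")    # keeps '*' and '/' out of the policy ARNs


def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, ttl=3600, now=None):
    """What your own backend hands a logged-in app: <payload>.<hmac>."""
    now = int(time.time()) if now is None else now
    payload = f"{user_id}:{now + ttl}".encode()
    return f"{_b64u(payload)}.{_b64u(hmac.new(SECRET, payload, hashlib.sha256).digest())}"


def verify_token(token, now=None):
    """Return the user id for a valid, unexpired, well-formed token, else None."""
    now = int(time.time()) if now is None else now
    try:
        p, s = token.split(".")
        payload, sig = _unb64u(p), _unb64u(s)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(hmac.new(SECRET, payload, hashlib.sha256).digest(), sig):
        return None                              # forged or tampered (constant-time compare)
    user_id, _, exp = payload.decode("utf-8", "replace").rpartition(":")
    if not USER_RE.match(user_id) or not exp.isdigit() or int(exp) < now:
        return None                              # malformed user id or expired
    return user_id


def connection_policy(user_id):
    # Per-connection policy: the client id must carry the user's prefix (enforced in the
    # handler as well) and only the user's own topic subtree is reachable.
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": f"{IOT_ARN}:client/{user_id}-*"},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
         "Resource": f"{IOT_ARN}:topic/users/{user_id}/*"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": f"{IOT_ARN}:topicfilter/users/{user_id}/*"},
    ]}


def _deny():
    return {"isAuthenticated": False, "principalId": "denied", "disconnectAfterInSeconds": 0,
            "refreshAfterInSeconds": 0, "policyDocuments": []}


def lambda_handler(event, context=None, now=None):
    """Custom authorizer entry point for MQTT over WebSocket connections."""
    if REQUIRE_SIGNATURE and not event.get("signatureVerified"):
        return _deny()                           # IoT Core could not verify tokenSignature
    user_id = verify_token(event.get("token", ""), now)
    client_id = event.get("protocolData", {}).get("mqtt", {}).get("clientId", "")
    if user_id is None or not client_id.startswith(f"{user_id}-"):
        return _deny()
    return {
        "isAuthenticated": True,
        # principalId must be alphanumeric, so hash the user id instead of passing it through
        "principalId": hashlib.sha256(user_id.encode()).hexdigest(),
        "disconnectAfterInSeconds": 3600,        # bounded session even if the token leaks
        "refreshAfterInSeconds": 300,            # IoT Core re-runs the authorizer this often
        "policyDocuments": [connection_policy(user_id)],
    }


def make_event(token, client_id):
    """Constructed event in the shape IoT Core sends the authorizer for an MQTT/WSS connect."""
    return {"token": token, "signatureVerified": True, "protocols": ["http", "mqtt"],
            "protocolData": {"http": {"headers": {"x-amz-customauthorizer-name": "demo"}},
                             "mqtt": {"clientId": client_id}},
            "connectionMetadata": {"id": "11111111-2222-3333-4444-555555555555"}}


if __name__ == "__main__":
    tok = issue_token("alice", now=1_700_000_000)
    print(lambda_handler(make_event(tok, "alice-phone1"), now=1_700_000_100)["isAuthenticated"])
```

The policy the handler returns exists only for that connection, which is the point made above about it not being persisted: nothing is created in the IoT registry, and a different token produces a different policy on the next connect. The user id is validated against a strict character set before it is interpolated into ARNs, because a token payload such as `*:...` would otherwise expand to a wildcard resource.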

Understanding AWS IoT from an Application perspective

I understand AWS IoT from a device perspective: it should connect with a certificate, sync with its shadow and push messages to topics. But I struggle to understand it from the perspective of a web app or a mobile app. My basic questions are:
1. How to register an application with AWS IoT?
2. What is the authentication and authorization mechanism for applications?
3. How to grant an app access to a set of devices?
4. How can the app listen to messages from devices of interest?
5. How can the app send a command to a device? I understand this is by updating the device's shadow?
Generally, if you want to connect any application (mobile, web, ...) to any AWS service, you should consider two things. First, use the AWS SDKs, which you can find here. Second, the application should have the correct authentication and authorization attached to a user/group defined in IAM or Cognito.
In regards to your questions:
1. For registering an application in AWS IoT, first it should be defined as an IoT thing, and with the correct policies it can publish/subscribe to topics. Note that you should put certificates on the device. For connecting to AWS IoT services you can use the AWS IoT SDKs; more information can be found here.
2 & 3. It depends on your project. You can define your application to have access to a specific thing in AWS IoT, or you can define it to access all things in the AWS IoT service (using IAM, Cognito or temporary security credentials). You should consider the correct policies for your application. You can find more information about authentication and authorization for AWS IoT here.
4. AWS IoT has an MQTT broker which handles the communication between entities that publish or subscribe to topics. So if the application wants to get data from a specific device, it should subscribe to the topic that the thing publishes to.
5. It can be done by publishing data to a topic which the thing has subscribed to.
The thing shadow is actually the digital twin of the actual thing, so it should contain information related to the thing, such as available resources, etc.

Setting up an IoT backend using AWS

I am trying to set up the backend services for a consumer IoT device, which includes the following activities (4 main high-level services). These services are ultimately consumed by a web application or a mobile application through REST APIs.
Instead of reinventing the wheel, I am evaluating AWS offerings which should partially or fully match these services. With my limited knowledge and research, I was able to find a few AWS offerings that match; however, they may not be complete or the most appropriate ones, and hence I need advice. Below are the services and my findings.
Self user registration - Cognito with User Pools
Device provisioning (adding/attaching one or more devices to a user) - No idea how to handle this with AWS. Can we add the devices as user attributes? Or should we handle them in the AWS IoT offering?
Authentication & authorization of users and devices - Again Cognito
Secure MQTT broker service for communication between devices and users - AWS IoT seems to match; however, I am not very aware of how to configure it and set up user-level access controls through APIs. Can we use AWS IoT here?
Device provisioning can generally be done in three ways:
Manually, by defining IoT things in the IoT service. Certificates should be placed on the IoT devices.
By using the AWS IoT SDKs. AWS credentials (or temporary security credentials) are needed.
Using the AWS CLI.
In the IoT service, you can put devices together by adding them to the same group. Users can access the IoT devices' data in two ways:
IoT devices save data in databases, and users can access the databases and retrieve the data.
Defining the application (mobile app, ...) as an IoT device and putting it in the same group, so the application can subscribe/publish to the topics of different devices. Note that all IoT devices have credentials (CA, private and public key) which should be placed on the devices and will be needed during communication with the AWS broker. Also, the policies for each device should be attached correctly.

Building a web application using WebSockets and AWS

I'm trying to create a collaborative web application where multiple users can work together on various (shared) projects. So far I have a JavaScript client and one local jWebSocket server.
To remain scalable upon deployment, I thought of two options:
Option 1
I can use AWS IoT instead of multiple jWebSocket servers. Publishing changes of a project is easy, I would just need to publish to e.g. /project/{project-id}. But how would the traditional request-response mechanism work?
The Problem: EC2 instances handling requests would be reachable by publishing to distinct topics (e.g. /server/1). But when the JS client connects to AWS IoT, it does not know of any EC2 instance to send requests to. How could I assign each client to an instance/topic?
Option 2
Run jWebSocket servers on multiple EC2 instances behind an AWS Application Load Balancer. The balancer would simply assign each client to a server and the traditional request-response flow would not be a problem. But what about pushing changes?
The Problem: Because each server has its own set of connected clients, it can not push changes to clients connected to another server.
Remarks
Mixing jWebSocket (to send requests to) and AWS IoT (to receive events from) seems like a sloppy solution.
I assume I can programmatically adapt the IoT policies per cognito identity to allow/deny the subscription to specific projects.
Using AWS Lambda and relinquishing servers altogether is not an option due to the high latency introduced by Lambda (if you've made different experiences, please share).
Related posts
IoT request response protocol
Thanks for any thought you could give me on this issue.
I've got it. The first suggestion in this question pointed me into the right direction. The solution allows all clients to maintain a direct WebSocket connection to the server they originally connected to, without subscribing to specific topics.
It works as follows:
When a client connects to a server, the server subscribes to the client's channel
If a server needs to send a message to a client that is not connected, it publishes that message to the client's channel
(you guessed it) The server that is subscribed to the channel can then process the message on the first server's behalf
"Pusher" in the diagram describes this SaaS, but can of course be replaced by any other messaging service.
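The relay pattern the answer settles on, as an added example (not the asker's code): every server subscribes to a per-client channel on a shared message bus, so a server that does not hold a client's socket can still reach it by publishing to that channel. The in-process `Bus` is a constructed stand-in for Pusher, AWS IoT or any other pub/sub service, `Server.deliver()` stands in for writing to the client's WebSocket, and the `client/<id>` channel naming is an assumption.

```python
from collections import defaultdict
import secrets


class Bus:
    """Constructed in-process pub/sub; replace with the real messaging service's client."""
    def __init__(self):
        self.subs = defaultdict(list)

    def subscribe(self, channel, callback):
        self.subs[channel].append(callback)

    def unsubscribe(self, channel, callback):
        self.subs[channel].remove(callback)

    def publish(self, channel, message):
        for cb in list(self.subs.get(channel, [])):
            cb(message)


class Server:
    """One WebSocket server instance behind the load balancer."""
    def __init__(self, name, bus):
        self.name, self.bus = name, bus
        self.clients = {}       # client_id -> inbox list (stands in for the open socket)
        self.channels = {}      # client_id -> (channel, callback), kept for clean unsubscription

    @staticmethod
    def channel_for(client_id):
        # The server assigns the connection id; a client never picks its own channel name,
        # so it cannot subscribe to another client's channel through this code path.
        return f"client/{client_id}"

    def connect(self):
        client_id = secrets.token_hex(16)            # unguessable connection id
        self.clients[client_id] = []
        callback = lambda message: self.deliver(client_id, message)
        channel = self.channel_for(client_id)
        self.bus.subscribe(channel, callback)        # "the server subscribes to the client's channel"
        self.channels[client_id] = (channel, callback)
        return client_id

    def disconnect(self, client_id):
        channel, callback = self.channels.pop(client_id)
        self.bus.unsubscribe(channel, callback)      # otherwise messages pile up for a dead socket
        self.clients.pop(client_id)

    def deliver(self, client_id, message):
        """Write to a client whose socket this server holds."""
        self.clients[client_id].append(message)

    def send(self, client_id, message):
        """Reply or push to any client: direct if local, via the bus otherwise."""
        if client_id in self.clients:
            self.deliver(client_id, message)
        else:
            self.bus.publish(self.channel_for(client_id), message)


def demo():
    bus = Bus()
    server1, server2 = Server("server-1", bus), Server("server-2", bus)
    alice, bob = server1.connect(), server2.connect()
    bob_inbox = server2.clients[bob]
    server1.send(bob, "project 42 updated")   # bob is on server-2: relayed through the bus
    server2.send(alice, "ack")                # same in the other direction
    server1.send(alice, "welcome")            # alice is local to server-1: direct write
    server2.disconnect(bob)
    server1.send(bob, "dropped")              # no subscriber: lost, never misdelivered
    return {"alice": server1.clients[alice], "bob": bob_inbox}


if __name__ == "__main__":
    print(demo())
```

With a hosted bus such as AWS IoT, the per-client channel is just a topic, and the only principals that need `iot:Subscribe` on `client/*` are the servers themselves; browser clients keep their single WebSocket to a server and never hold bus credentials, which sidesteps the per-identity policy management mentioned in the remarks.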