Amazon AWS IOT device SDK provisioning - amazon-web-services

I am new to AWS IOT. I'm working on a project where I use BeagleBone boards as device gateways which will connect to AWS IoT. I wish to use either the C or C++ device SDKs on the boards to communicate with AWS IoT.
The problem I have is with the provisioning and authentication phase. It is easy to create a "thing" via AWS IoT cloud, generate keys, X.509 certificates for the device and then copy them to the device.
However, it would be ideal to generate the keys and certificate on the device itself during provisioning (this is possible of course), but then automatically communicate with AWS IoT via the SDKs and assign the X.509 certificate to a "thing" already registered there.
Is there any API for doing this? I feel there is a lack of application examples out there. Thanks in advance for any suggestions.

Related

Creating things on aws iot core without feeding in the certificates in them

I've a fleet of 200+ devices which I intend to migrate to the AWS IoT Core platform, but they are scattered all over the state currently. I need a way to migrate those devices to the AWS IoT Core platform without the hassle of providing each device with a private key, device certificate and root CA certificate provided by AWS to authenticate the device when it connects.
I need an easier way to do this process using the AWS SDK and React JS, where I create a form asking the operator to fill in the type and the group of things to which it belongs.
The policy each device will have is: Connect & Publish.
Is there any way to do it? Any help would be highly appreciated. Thanks

Automate create credentials for devices to connect AWS IOT Core

I ran into some problems when trying to use AWS IoT Core.
Suppose that I have thousands of IoT devices, 1 mobile app and 1 backend server.
My thought is that I'll provide a common key for devices which has a connect policy only; then, on their first connection with AWS IoT, it will automatically register new credentials with more roles like publish/subscribe.
Is that right?
I've followed some guides in the AWS documents like JITR, but it still doesn't work.
My thought is that I'll provide a common key for devices which has a connect policy only; then, on their first connection with AWS IoT, it will automatically register new credentials with more roles like publish/subscribe.
It must register with AWS IoT via a certificate signed by your own certificate (CA).
AWS IoT allows the use of a single certificate for an unlimited number of devices to simplify testing but this pattern is strongly discouraged for production use.

How does an IOT device connect with AWS IOT using a provisioning claim certificate during device provisioning?

I am planning to connect my IOT device (ESP32) to AWS IOT Core through a Flutter app by automatically creating the required IOT Thing and generating the required certificates and key pairs.
The device and app are isolated (except during a configuration process) and I don't prefer any hardcoding of the IOT Thing 'name'. I am following the documentation of AWS IOT (Provisioning devices that don't have device certificates using fleet provisioning). Till now, I have created a Fleet Provisioning Template on AWS (that will create a unique IOT Thing after provisioning), attached policies to it and also attached a Provisioning claim certificate. This provisioning claim certificate and the attached private keys have been hardcoded in my ESP32 code (using the Arduino IDE).
The further part of the documentation states that "The device should use the AWS IoT Device and Mobile SDKs to connect to and authenticate with AWS IoT using the provisioning claim certificate that is installed on the device".
My question is: since I am using the Arduino IDE for my ESP32 code, what exactly should I include in my code for the device provisioning part? Also, how and where does the device connect using the provisioning claim certificate, and how exactly will the device get new certificates and keys for future connections? (Device provisioning using the MQTT API can be one of the solutions, but how should it be used in the Arduino IDE?)
I guess you are generating the RSA key pair on the device itself? Who do you want to sign the device certificate - AWS IoT Core or your own KMS provider?
If the answer to the above questions is "Yes", then:
You may need to register your CA certificate (which signs your device certificate) on AWS IoT Core.
Configure a JITP template on AWS IoT Core against the CA certificate.
You can configure the template in such a way that the JITP process reads the device certificate's Subject CN (assuming the CN will be your device name) and maps the CN to the thing name. It will also assign the required policy.
This will all happen the first time you connect your device using the MQTT protocol, providing the device certificate (along with the certificate chain).
Here is a reference link for JITP.
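The flow this answer describes (key pair generated on the device, your own CA signing a certificate whose Subject CN is the thing name, and the chain presented on the first MQTT connect), as an added example that is not code from the thread or from AWS. It uses OpenSSL, performs none of the AWS-side steps (registering the CA, creating the JITP template), and assumes constructed names (example-device-ca, bb-gateway-01) and a scratch directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from AWS. Builds the material the
# JITP flow needs: your own CA (the one you register with AWS IoT), a key pair
# generated on the device, a CSR whose Subject CN is the thing name, the
# CA-signed device certificate, and the chain the device presents on its first
# MQTT connection. Names below are constructed for this example.
set -eu

WORK=${WORK:-$(mktemp -d)}
THING_NAME=${THING_NAME:-bb-gateway-01}   # constructed thing name / Subject CN

make_ca() {
  # Private CA; its certificate is what you would register with AWS IoT Core.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=example-device-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

make_device_cert() {
  # Key pair generated on the device itself; the private key never leaves it.
  openssl genrsa -out "$WORK/device.key" 2048 2>/dev/null
  # CSR whose Subject CN is the thing name: the value the JITP template maps
  # to the thing name.
  openssl req -new -key "$WORK/device.key" -subj "/CN=$THING_NAME" \
    -out "$WORK/device.csr" 2>/dev/null
  # Signing happens in your provisioning infrastructure, not on the device.
  openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/device.crt" 2>/dev/null
  # Chain sent during TLS on the first connect: device cert, then CA cert.
  cat "$WORK/device.crt" "$WORK/ca.crt" > "$WORK/device-chain.pem"
}

# Succeeds only if the device certificate chains to the registered CA, the
# chain validation that precedes JITP registration.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/device.crt" >/dev/null 2>&1
}

# Prints the Subject CN, i.e. the thing name JITP would register.
device_thing_name() {
  openssl x509 -in "$WORK/device.crt" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//; s/^CN=//'
}

make_ca
make_device_cert
verify_chain
echo "thing name JITP would register: $(device_thing_name)"
```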

How to create a unique IOT Thing on AWS automatically through a Flutter app?

I am working on a project wherein a mobile app (Flutter app) should create a unique identity (IOT thing) for my IOT device (on AWS) as soon as the user logs in to the app, and it should also establish a connection (and subsequent communication) with the isolated IOT device after its configuration (somewhat similar to the Google Home configuration process).
The process starts with the user logging in to the app (using AWS Amplify/Cognito to automatically add the user account in the cloud). Subsequently, the app needs to configure the IOT device (ESP32) and send the WiFi credentials of the home network by connecting to the ESP's WiFi AP. However, since both the app and the IOT device are isolated from each other (except during the configuration process), I don't have much idea of how exactly the mobile app will connect (creating a unique IOT thing automatically) and communicate with the isolated IOT device over the AWS IOT cloud.
I have worked with some AWS services like AWS Lambda, DynamoDB and AWS IOT for quite a while, hence I am aware of the basics. One possible solution for the above may be the Fleet Provisioning by a Trusted User feature provided by AWS IOT (I did read its documentation, but am still confused). We can also use the ESP32's Bluetooth feature for the app to scan for nearby devices with which it needs to connect, but I am not sure how the connection will be established through the AWS cloud.
Since I am a beginner with AWS cloud services, it'd be great if someone could provide a possible solution for the above in detail. Also, if possible, please provide a solution which would work in case of a large-scale deployment of the above project.
The parts you may be missing are 1) MQTT messaging, which is the IoT message broker service provided by IoT Core, and 2) the need for an application programming interface to handle creating and activating devices.
MQTT is a lightweight and widely adopted messaging protocol that is designed for constrained devices.
Your devices (things) will need to communicate back to AWS via MQTT messages, which are captured and processed by the IoT Rules service.
These rules typically trigger Lambda functions, which implement the process logic you need for your application.
See https://mqtt.org/ and https://docs.aws.amazon.com/iot/latest/developerguide/what-is-aws-iot.html
2) You will want to implement a simple API to handle device activation. The AWS API Gateway service makes it easy to implement APIs. For example, you can implement an endpoint for POST /device/ to create a device. That endpoint can trigger a Lambda that handles device provisioning.

Understanding AWS IoT from an Application perspective

I understand AWS IoT from a device perspective: it should connect with a certificate, sync with its shadow and push messages to topics. But I struggle to understand it from the perspective of a Web App or a Mobile App. My basic questions are:
1. How to register an Application with AWS IoT?
2. What is the Authentication and Authorization mechanism for Applications?
3. How to grant an App access to a set of devices?
4. How can the App listen to messages from devices of interest?
5. How can the App send a command to a device? I understand this is by updating the Device's shadow?
Generally, if you want to connect any application (Mobile, Web, ...) to any AWS service, you should consider two things. First, use the AWS SDKs, which you can find here. Second, the application should have the correct Authentication and Authorization attached to a user/group defined in IAM or Cognito.
In regards to your questions:
1. For registering an application in AWS IoT, it should first be defined as an IoT thing, and with the correct policies it can publish/subscribe to topics. Consider that you should put certificates into the device. For connecting to AWS IoT services you can use the AWS IoT SDKs; more information can be found here.
2 & 3. It depends on your project. You can define your application to have access to a specific thing in AWS IoT, or you can define it to access all things in the AWS IoT service (using IAM, Cognito or Temporary Security Credentials). You should consider the correct policies for your application. You can find more information about authentication and authorization for AWS IoT here.
4. AWS IoT has an MQTT broker which handles the communication between entities that publish or subscribe to topics. So if the application wants to get data from a specific device, it should subscribe to the topic that the thing publishes to.
5. It can be done by publishing data to a topic which the thing has subscribed to.
The thing shadow is actually the digital twin of the actual thing, so it should contain information related to the thing, such as available resources, etc.