I am trying to setup the backend services for consumer IoT device which includes the following activities (4 main high level services). These services are ultimately consumed by a web application or from mobile application through REST API's.
Instead of reinventing the wheel, I am evaluating AWS offerings which should partially or fully match these services. With my limited knowledge and research, I was able to find few AWS offering that matches, however they may not be complete and the most appropriate ones, and hence need advice. Below are the services and my findings.
Self user registration - Cognito with User Pools
Device provisioning (Adding/attaching one or more devices to a user) - No idea on how to handle this with AWS. Can we add the devices as user attributes ? or should we handle them at AWS IoT offering ?
Authentication & Authorization of users and devices - Again Cognito
Secure MQTT broker service for communication between device and users - AWS IoT seems to be matching, however I am not very much aware on configuring them and setting up user level access controls through API's. Can we use AWS IoT here ?
Device provisioning can be generally done in three ways:
Manually, by defining an IoT things in IoT Services. Certificates should be placed on IoT devices.
By using AWS IoT SDKs. AWS Credentials (or Temporary Security Credentials) is needed.
Using AWS CLI.
In IoT services, you can put devices together by adding them in a same group. User can access to the IoT device's data in two ways:
IoT devices save data in Databases and user can access databases and retrieve data.
Defining the application(Mobile App, ...) as an IoT device and putting it in the same group, so the application can subscribe/publish to the topics of different devices. Consider that, all IoT devices have credentials (CA, private and public key) which should be place on IoT devices and it will be needed during communication with AWS Broker. Also the policies for each device should be attached correctly.
Related
I got some problems when try to use AWS IOT Core.
Suppose that I have thousands iot devices and 1 mobile app, 1 backend server.
My thought is I'll provide a common key for devices which has connect policy only, then when their fist connection with aws iot, it wil automate register new credentials with more roles like publish/subscribe.
Is that right?
I've follow some guide on aws documents like JITR but still not work.
My thought is I'll provide a common key for devices which has connect policy only, then when their fist connection with aws iot, it wil automate register new credentials with more roles like publish/subscribe.
It must to register with AWS IoT via certificate signed by your own certificate(CA).
AWS IoT allows the use of a single certificate for an unlimited number of devices to simplify testing but this pattern is strongly discouraged for production use.
I am working on a project wherein a mobile app (Flutter app) should create a unique identity (IOT thing) of my IOT device machine (on AWS) as soon as the user logins onto the app and also it should establish a connection (and subsequent communications) with the isolated IOT device after its configuration (Somewhat similar to Google Home configuration process).
The process starts with user logging onto the app (using AWS Amplify/Congnito to automatically add the user account in the cloud). Subsequently, the app needs to configure the IOT device (ESP32) and send Wifi credentials of home network by connecting to ESP's WiFi AP. However, since both the app and IOT device are isolated from each other (except during the configuration process), I don't have much idea on how exactly will mobile app connect (creating a unique IOT thing automatically) and communicate with the isolated IOT device over AWS IOT cloud.
I have worked with some of the AWS services like AWS Lambda, DynamoDB, AWS IOT for quite a while, hence I am aware of the basics. One of the possible solutions for the above maybe Fleet Provisioning by a Trusted User feature provided by AWS IOT (I did read it's documentation, but still confused). We can also use ESP32's Bluetooth feature for the app to scan nearby devices with which it needs to connect with, but I am not sure how will the connection establish through AWS cloud.
Since I am a beginner to AWS cloud services, it'd be great if someone can provide a possible solution for the above in detail. Also if possible, please provide a solution which would work incase of a large-scale deployment of the above project.
The parts you may be missing are missing are 1) MQTT messaging, which is the IoT message broker service provided by IoT Core, and 2) the need for an application program interface to handle creating and activating devices.
MQTT is a lightweight and widely adopted messaging protocol that is designed for constrained devices.
Your devices (things) will need to communicate back to AWS via MQTT messages, which are captured and processed by the IoT Rules service.
These rules typically trigger Lambda functions, which implement the process logic you need for your application.
See https://mqtt.org/ and https://docs.aws.amazon.com/iot/latest/developerguide/what-is-aws-iot.html
2} you will want to implement a simple API to handle device activation. The AWS API Gateway service makes it easy to implement APIs. For example, you can implement an endpoint for POST /device/ to create a device. That endpoint can trigger a Lambda handles device provisionsing.
Considering there are a bunch of mobile devices (Android and iOS) that need to be sending data to AWS-IoT via MQTT custom authorizer to check for valid token based on business logic is to be implemented.
Referring to IoT Apps with AWS IoT and Websockets, slide 56/60 shows the registration process where a lambda is used to create and attach a policy.
Does this indicate that the lambda will create a new AWS-IoT device and attach the policy to that device? Which results in creating a new AWS-IoT device everytime a new user signs up?
Referring to How to Use Your Own Identity and Access Management Systems to Control Access to AWS IoT Resources
, you can create your custom-authorizer. Once that's done, you can use aws/aws-iot-device-sdk-js to test out the authorizer by using this piece of code.
Using custom authorizer doesn't require you to create or have any
things registered in your account.
You are billed for your connections, messages etc as per AWS's IoT pricing.
However this is a mqtt over wss implementation and not a mqtt only implementation. As of now, the mqtt only implementation still seems to require certificates during connection to the AWS-IoT broker.
To expand on user2967920's answer:
You do not need to create devices when using AWS IoT Core. AWS Amplify PubSub actually uses IoT as a general-purpose MQTT broker. No devices will be created by using a custom authorizer*.
The policy returned by your custom authorizer is not persisted. Think of it as a dynamic, ad-hoc policy created for a specific connection.
For an example of using AWS IoT on Android and iOS, check out the documentation of AWS Amplify PubSub (which uses AWS IoT Core internally). On iOS:
iotDataManager.connectUsingWebSocket(withClientId: uuid,
cleanSession: true,
customAuthorizerName: "<name-of-the-custom-authorizer>",
tokenKeyName: "<key-name-for-the-token>",
tokenValue: "<token>",
tokenSignature: "<signature-of-the-token>",
statusCallback: mqttEventCallback)
*Obviously you can create devices in the lambda function if you choose to, just like you can use any other AWS API.
I understand Aws IoT from a device perspective that it should connect with a certificate and sync with its shadow and push messages to topics. But I struggle to understand from the perspective of a Web App or a Mobile App. My basic questions are,
How to register an Application with AWS IoT?
What is the Authentication and Authorization mechanism for Applications?
How to grant an App access to a set of devices?
How can the App listen to messages from devices of interest?
How can the App send a command to device? I understand this is by
updating Device's shadow?
Generally, if you want to connect any application (Mobile, Web,...) to any AWS Services, you should consider two things. First, using AWS SDKs which you can find them here. Second, the application should have correct Authentication and Authorization attached to a user/group defined in IAM or Cognito.
In regards to your questions:
For registering an application in AWS IoT, first it should be defined as an IoT thing and with correct policies, it can publish/subscribe to topics. Consider that, you should put certificates into the device. For connecting to AWS IoT services you can use AWS IoT SDKs, more information can be found here.
2 & 3. It depends on your project. You can define your application to have access to a specific thing in AWS IoT or you can define it to access all things in AWS IoT service (using IAM, Cognito or Temporary Security Credentials). You should consider correct policies for your application. You can find more information about authentication and authorization for AWS IoT here.
AWS IoT has MQTT broker which handles the communication between entities that publish or subscribe to a topics. So if the application wants to get data from specific device, it should subscribe to the topic that things publish to.
It can be done by publishing data to a topic which thing has subscribed to.
Thing shadow is actually the digital twin of actual thing so it should contains information which is related to the thing such as available resources, etc.
Brief Solution:
I am storing IOT Device location and Service Provider Cars location in Dynamo DB via AWS Kinesis.
I am mapping One User with a specific service providers Cars and dispatching the Car to user’s shared location.
Problem: I need to track these mapped (service provider car and user location) on real time on service provider dashboard.
1. Does DynamoDB offers any direct API to publish and track these location real time?
2. Do I need to expose these mapped location and track then on dashboard via AWS Kinesis? Does AWS Kinesis offer such APIs?
Any suggestions?
If you are using MQTT IoT Core from AWS you have other options.
Subscribe to MQTT topic directly via WebSockets by AWS JS library.
You can Use Cognito to manage users and to have some acces to AWS services, this way you can get credentials to subscribe to the topic in MQTT using WebSockets like this link describe.
https://docs.aws.amazon.com/iot/latest/developerguide/protocols.html#mqtt-ws
Having own Users manager and using a EC2 Instance.
You can create an EC2 instance and put an AppServer with NodeJs for example and use SocketIO to comunicate to the WebBrowser of users with your own manager, this way they can receive realtime info, whatever you want. You can then use an AWS MQTT IoT NodeJS client and subscribe to the topics you want and just send it by WebSockets of SocketIO server (All this in the same WebApp). This way you need to consider number of users and data in traffic. You can have topics by users for example topics like this "car/tracking/mycarId" where mycarId is an unique Id that identifies this user/car and you canonly subscribe to these you want at the same time, this way you are not subscribed to all topics of your cars and you are not receiving innecesary data and you dont need so much proccess.
I have implemented the second one but now Im migrating my realtime block to Cognito and MQTT via WebSockets.
Regards, Héctor