Skip to content
Snippets Groups Projects

Changes

Page history
  • New page
  • Templates
    • add wiki pages authored by Thierry's avatar Thierry
    Hide whitespace changes
    Inline Side-by-side
    LOM2M/AWS-IoT-Core-Device-provisionning.md 0 → 100644
    View page @ d839ec43
    # Device management & provisioning with AWS IoT Core
    ## _Manual_ provisioning
    This procedure is the shortest one and is indicated when a few devices are to be deployed or tested. The guide will take you through different steps on the AWS IOT web console.
    1. Create thing in IoT Core : give a name to your object
    2. Create certificate & keys : generate certificates and keys to be used for the secure connection
    3. (create &) Attach a policy to the certificate / keys : attach security policy to your object to enable what you need to use to communicate
    4. Send data from object to broker : once you are done, you can send data (using any MQTTS client or the AWS SDK provided). Use Amazon CA & specific cert. + private key (SSL/TLS session) to establish a secure connection to the AWS broker, then send data to the topics you want (the topics must be authorized in the policy attached to your object).
    Link to the complete documentation:
    [https://docs.aws.amazon.com/iot/latest/developerguide/provision-w-cert.html](https://docs.aws.amazon.com/iot/latest/developerguide/provision-w-cert.html "Provision a device with a certificate")
    You can use the provided SDK if needed to test separately.
    **For now, (version 0.7.X of LOM2M)** the provisioning is done manually, *i.e.* a certificate and a pair of keys is used to manually provision the device to use for test purpose.
    ## Automated provisioning
    This procedure is a bit more complex but ensures a scalable and generic provisioning.
    Different elements are to be used:
    - Security policy for registration
    - Security policy to apply once the registration is completed
    - Provisioning template: model of your object
    - Global registration certificate & keys
    Please refer to the full documentation available on AWS: [AWS documentation on fleet provisioning](https://docs.aws.amazon.com/iot/latest/developerguide/provision-wo-cert.html)
    N.B.: The API / doc seems to have been updated recently, refer to it for up-to-date documentation.
    1. Create a policy to attach to any new device
    This policy must define rights only for a device to register. This policy will enable the object to register at first boot and to ask for a certificate and pair of keys to use to send data later.
    This policy will apply to all the devices that will register and refer to the model·s that refer to this policy.
    Example of a basic policy enabling oneM2M communications:
    ```json
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": [
    "iot:Publish",
    "iot:Receive"
    ],
    "Resource": [
    "arn:aws:iot:us-west-2:566034050889:topic//oneM2M/req/*",
    "arn:aws:iot:us-west-2:566034050889:topic//oneM2M/resp/*"
    ]
    },
    {
    "Effect": "Allow",
    "Action": [
    "iot:Subscribe"
    ],
    "Resource": [
    "arn:aws:iot:us-west-2:566034050889:topicfilter//oneM2M/req/*",
    "arn:aws:iot:us-west-2:566034050889:topicfilter//oneM2M/resp/*"
    ]
    },
    {
    "Effect": "Allow",
    "Action": [
    "iot:Connect"
    ],
    "Resource": [
    "arn:aws:iot:us-west-2:566034050889:client/<client-id-patter>"
    ]
    }
    ]
    }
    ```
    2. Create a provisioning template representing your type of device
    For more details on this procedure do check the documentation: [https://docs.aws.amazon.com/iot/latest/developerguide/provision-template.html](https://docs.aws.amazon.com/iot/latest/developerguide/provision-template.html "Provision template")
    1. Define the object and specific attributes you may use later
    2. Attach the policy to the model (policy section)
    Here is a basic example of device provisioning template using the previous policy:
    ```json
    {
    "Parameters": {
    "ThingName": {
    "Type": "String"
    },
    "SerialNumber": {
    "Type": "String"
    },
    "cse-id": {
    "Type": "String"
    }
    },
    "Resources": {
    "thing": {
    "Type": "AWS::IoT::Thing",
    "Properties": {
    "AttributePayload": {
    "cse-id": {
    "Ref": "cse-id"
    }
    },
    "ThingTypeName": "gw-type",
    "ThingName": {
    "Ref": "ThingName"
    }
    }
    },
    "certificate": {
    "Properties": {
    "CertificateId": {
    "Ref": "AWS::IoT::Certificate::Id"
    },
    "Status": "Active"
    },
    "Type": "AWS::IoT::Certificate"
    },
    "policy": {
    "Properties": {
    "PolicyName": "test-pub-sub-oneM2m-Policy"
    },
    "Type": "AWS::IoT::Policy"
    }
    }
    }
    ```
    In this example the device will provide a ThingName, a SerialNumber, and a CSE-ID at registration. This can be used to refer the device, etc.
    2. Create a certificate + keys + policy for the devices to register
    To enable the dynamic provisioning of devices you have to create a dedicated certificate to embed on your devices. To go along with this certificate, you need to attach a provisioning policy.
    Here is an example of policy for registration purpose:
    ```json
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": "iot:Connect",
    "Resource": "arn:aws:iot:us-west-2:566034050889:client/*"
    },
    {
    "Effect": "Allow",
    "Action": [
    "iot:Publish",
    "iot:Receive"
    ],
    "Resource": [
    "arn:aws:iot:us-west-2:566034050889:topic/$aws/certificates/create/*",
    "arn:aws:iot:us-west-2:566034050889:topic/$aws/provisioning-templates/modele-gw-2/provision/*"
    ]
    },
    {
    "Effect": "Allow",
    "Action": "iot:Subscribe",
    "Resource": [
    "arn:aws:iot:us-west-2:566034050889:topicfilter/$aws/certificates/create/*",
    "arn:aws:iot:us-west-2:566034050889:topicfilter/$aws/provisioning-templates/modele-gw-2/provision/*"
    ]
    }
    ]
    }
    ```
    You can filter the client IDs authorized to connect to the broker and to ask for registration.
    This policy authorizes requests from any clients to register and create keys and certificate for devices using the provisioning template `modele-gw-2`.
    3. Roles and IAM for automatic creation of new certificates
    In order to automate the process of provisioning, a role has to be created to enable automatic creation of certificates and keys for each new device. Refer to the AWS documentation on the procedure to do so. Basically, the aim is to authorize the automation of some specific operations such as certificate creations etc.
    All the operations listed above can be done directly on the web dashboard of AWS or using fleet provisioning APIs.
    Cf. [https://docs.aws.amazon.com/iot/latest/developerguide/fleet-provision-api.html](https://docs.aws.amazon.com/iot/latest/developerguide/fleet-provision-api.html)
    \ No newline at end of file