“AWS IoT Core is a managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices” (Ref: AWS website)
This post looks at registering a device, together with its certificates and policy, in AWS IoT Core from a program. Go ahead and enjoy!!
Prerequisites:
- High-level understanding of IoT (Summing up IoT)
- Understanding of PKI & use of ‘openssl’ for generating certificates (Public Key Infrastructure: What & How?)
- AWS account (I used the free tier)
1. Go to https://aws.amazon.com/ and click “Sign In to Console”

2. If you do not have an AWS account, create a new account.

You can sign in as the ‘Root User’ or as an ‘IAM’ user. The root user has every privilege in the account, analogous to a system administrator account, so it is advisable to create an IAM user with limited privileges and use that for regular tasks. This is analogous to creating user accounts with limited permissions on our systems instead of giving every user admin access. Also make sure to enable multi-factor authentication (MFA) on the AWS root account and use the root account only for tasks that genuinely require it.
I would create an IAM user for my IoT related activity and use the same.
3. Let us create an IAM user account. Sign in with your root credentials and go to “Services -> IAM”.

4. Go to “Users -> Add User”


We are creating a user for accessing our AWS account, and we grant it full access to the IoT services. Note that this user will not be able to access any service other than IoT Core. If you need other services, for example EC2, attach the appropriate permissions to the user, scoped as narrowly as the task allows.
Click on the username to see the user's details. To log in as this user you will need either the 12-digit account ID or an account alias.
How to create account alias:
Creating and Deleting Aliases (Console)

Once the user is created, log out of the root account and log back in with the newly created user, using the 12-digit account ID or the account alias.
We could have used AWS ‘roles’ for the same purpose.
“An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM role does not have any credentials and cannot make direct requests to AWS services. IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service such as EC2”. (Ref: AWS User vs Role)
Since I did not have any existing account, I chose to create a user.
5. Make sure to create an access key for the user. The access key ID and secret access key are what the program will use to authenticate to the platform. Treat the secret like a password: keep it in the CLI credentials file or a secrets manager, never in source code or a repository, and rotate it if it is ever exposed.

The other way would be to create a ‘role’ with the required permissions and let another AWS entity, such as an EC2 instance, assume it; the program then receives short-lived credentials instead of a long-term access key.

Now that we have seen the basics of registering an IoT device with AWS IoT Core using the web interface, the next section covers the same operations programmatically. I will be using Go as the programming language, but you can choose any language that has an AWS SDK.

The following steps are needed to do the operations via the program:
- Enable AWS API access in your program
- Register a CA certificate. AWS can issue device certificates from its own CA, or you can register your own CA and sign device certificates yourself. We will register our own CA.
- Register device and policy
First things First
Before we jump on to our journey ahead, we will install the AWS Command Line Interface (CLI), a command-line tool for AWS that you run from a shell such as bash or PowerShell.
Download the installer from AWS CLI
I’ll go ahead and use the windows installer.
After the installation, we need to configure it with credentials for the AWS platform by running `aws configure`. It prompts for the access key ID and secret access key created in step 5 above, plus a default region, and stores them in a credentials file that the AWS SDKs also read, so the program needs no hard-coded keys.
Enable API Access
func New(p client.ConfigProvider, cfgs ...*aws.Config) *IoT
Creates a new IoT client from a session (or any other ConfigProvider). The session picks up the credentials and region configured for the CLI, which is why the keys never have to appear in the program.
- Get an AWS registration code for your account. We will get this through the console (the GetRegistrationCode API returns the same value).

- Create a verification certificate with this registration code as its common name (CN), signed by the CA we want to register. Signing the registration code with the CA private key is how AWS verifies that you hold that key and not merely a copy of the CA certificate.


func (c *IoT) RegisterCACertificate(input *RegisterCACertificateInput) (*RegisterCACertificateOutput, error)
Registers a CA certificate with AWS IoT, given the CA certificate and the verification certificate. This CA can then be used to sign device certificates, which are in turn registered with AWS IoT. Anyone who holds the CA private key can mint device certificates that AWS IoT will trust (and, with auto-registration enabled, register on first connect), so keep that key offline or in an HSM.
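The following Go program is an added example, not code from the post's GitHub repository, and it uses only the standard library, so it runs offline. It builds the CA, issues the verification certificate with the registration code as CN, and then checks locally the two things AWS IoT will check when you call RegisterCACertificate: that the CN is the registration code and that the certificate chains to the CA. The registration code constant is a constructed stand-in for the one the console shows, and the names NewCA, Issue and CheckVerificationCert are this example's own. The resulting PEM strings are what you would pass as the CaCertificate and VerificationCertificate fields of the SDK's RegisterCACertificateInput, and Issue is also how a device certificate signed by the same CA is produced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-in for the registration code the console shows (the real
// one is a 64-character hex string unique to your account and region).
const exampleRegistrationCode = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

// CA is a self-signed CA certificate with its private key. The key is held in
// memory only for this example; in practice it belongs offline or in an HSM.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// newCert generates a P-256 key, assigns a random serial and signs tmpl with
// parent (self-signed when parent is nil); returns the certificate and new key.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)); err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates a self-signed CA, the equivalent of the openssl steps in the PKI prerequisite.
func NewCA(name string) (*CA, error) {
	cert, key, err := newCert(&x509.Certificate{
		Subject:   pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// PEM returns the CA certificate in the form RegisterCACertificate expects.
func (ca *CA) PEM() string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Cert.Raw}))
}

// Issue signs a leaf certificate with the CA. cn is the registration code for
// the verification certificate, or the device identity for a device
// certificate; the returned key is what the device keeps (unused otherwise).
func (ca *CA) Issue(cn string, validFor time.Duration) (string, *ecdsa.PrivateKey, error) {
	cert, key, err := newCert(&x509.Certificate{
		Subject:   pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validFor),
		KeyUsage:  x509.KeyUsageDigitalSignature,
	}, ca.Cert, ca.Key)
	if err != nil {
		return "", nil, err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})), key, nil
}

// CheckVerificationCert applies locally the two conditions AWS IoT enforces:
// the verification certificate must chain to the submitted CA and its CN must
// equal the registration code. Run it before the API call so a mistake shows
// up as a precise local error rather than a rejected request.
func CheckVerificationCert(caPEM, verificationPEM, registrationCode string) error {
	block, _ := pem.Decode([]byte(verificationPEM))
	if block == nil {
		return fmt.Errorf("verification certificate is not PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if leaf.Subject.CommonName != registrationCode {
		return fmt.Errorf("CN %q is not the registration code", leaf.Subject.CommonName)
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM([]byte(caPEM)) {
		return fmt.Errorf("CA certificate is not PEM")
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err // nil means the pair is ready for RegisterCACertificate
}

func main() {
	ca, err := NewCA("Example IoT Device CA")
	if err != nil {
		panic(err)
	}
	verification, _, err := ca.Issue(exampleRegistrationCode, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("verification certificate check:", CheckVerificationCert(ca.PEM(), verification, exampleRegistrationCode))
}
```

The check deliberately fails for the three mistakes that otherwise surface only as an opaque API error: a certificate whose CN is not the registration code, a certificate signed by some other CA, and input that is not PEM at all. The verification certificate only needs to be valid for the moment of registration, so a short lifetime is enough; device certificates get a lifetime that matches your rotation plan.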
Register device and policy

func (c *IoT) RegisterThing(input *RegisterThingInput) (*RegisterThingOutput, error)
Provisions a thing in the device registry from a provisioning template and its parameters; the template can create the thing, its certificate and its policy in one call.
If everything goes well, you should now be able to see your thing in AWS IoT.

The code is available on GitHub.
Hope this gives a fair understanding of the registration process for devices. AWS provides a plethora of other tools and features for working with IoT devices, such as fleet management, bulk registration, the rules engine, Device Defender (security), Greengrass (edge), etc. I recommend checking out the AWS resources for more details.