AWS IoT Connector

Introduction

AWS IoT is one of the most popular IoT platforms out there. With its native integration with a large set of AWS IoT services, it’s one of the most comprehensive offerings amongst IoT platforms available today. Security is built-in from the ground up in AWS, and therefore, it's no surprise that the preferred method of connecting IoT devices to AWS IoT is MQTTS with certificate-based authentication. AWS strongly recommends using individual certificates for each device, which also makes the testing and prototyping complicated for a large set of devices. Not anymore.

Introducing AWS IoTIFY connector

AWS IoT connector from IoTIFY simplifies the entire process of Things creation, certificate enrollment and template creation. All you need is an IAM credential and you are good to deploy and test as many virtual IoT devices as you need on the AWS IoT platform.

With IoTIFY Connector for AWS, managing and deploying certificates for your virtual IoT devices becomes a breeze. All you need is to pass the right IAM credentials and IoTIFY will automatically manage things creation, provisioning, certificate enrollment, policy attachment and all other steps required to create a functional IoT simulation environment. Here’s how it works:-

Step 1. Specification

To get started head to the AWS console and create our new user. Go to the IAM service. Now go to the Users page and click on Add Users.

On the page that opens, write IoTIFY for the user name and click next. On the next page choose the Attach policies directly option and then select the Create policy button.

Now switch to the JSON tab and paste the following JSON snippet.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iot:DetachThingPrincipal",
                "iot:CreateThing",
                "iot:DeleteThing",
                "iot:AttachThingPrincipal",
                "iot:DeleteCertificate",
                "iot:AttachPolicy",
                "iot:AddThingToThingGroup",
                "iot:CreatePolicy",
                "iot:DescribeEndpoint",
                "iot:CreateThingGroup",
                "iot:ListPrincipalThings",
                "iot:DetachPrincipalPolicy",
                "iot:CreateThingType",
                "iot:CreateKeysAndCertificate",
                "iot:UpdateCertificate",
                "iot:ListCertificates"
            ],
            "Resource": "*"
        }
    ]
}

Now click Next, we can skip the Tags page so click on Next again. Finally, on the Review policy page give the policy a name. Let’s call this the IoTIFY_Policy. Now click on Create Policy and the policy will be created.

Now go back to the page where we were attaching a policy to our user. While still on the Attach policies directly option, click on the reload button so that the new policy we just created is available in the list. Once the list is reloaded, search for IoTIFY and select the policy and click Next.

Finally, on the review page check the details and click on Create User.

Now that our user is created we will generate an access key so that the IoTIFY AWS connector can have permission to talk to AWS.

In the list of users, click on the user we just created. This will open all the settings related to the user. Go to the Security credentials tab and click on the Create access key button.

Now a setup wizard will guide you through the process on the first page select the Other option and click on Next. On the second page, you can provide a description for the access key, or leave it blank and click on the Next button. Now our Access key and Secret access key are ready. You can download the CSV file for ease. Once you have stored both keys, click on Done.

Click on the Create from Sample button on IoTIFY in the top right corner. Then choose the aws-iot-connector sample from the list. Now click on the Create button.

This will open up a sidebar. Paste the Access Key and the Secret access key here along with the AWS region you are using. Click on Create and the IoTIFY AWS connector will be created.

Now all we need to do is run this connector and it will automatically create our devices on AWS IoT. Before running it though it is a good idea to create a Run Setting for the same. Click on the Run Settings option on the left bar. Now edit the default Run Setting and change the number of Clients to the number of devices you want to register (In this case we will set it as 5) and keep the number of Iterations to 5 (which is the minimum required to run the connector). Now click on the Save button on the top right.

Go back to the Tests page and open the newly created aws-iot-connector. Now we can run this connector as is. You can also go to the createThing stage and change the name of the things that will be registered on AWS IoT (leave the client() option as it adds a number after the thing name so that they are unique). Now just wait for the test to complete, you can check the Result section for the current status of the test.

Once the test has been completed, you can check the glob to see the certificates for the devices. Note the “aws_iot_endpoint” entry in the glob as you will have to replace this in the protocol tab of the devices you want to connect to AWS.

Under the hood

Upon receiving the request to provision AWS IoT devices in the specified region, IoTIFY will do the following steps:-

1. IoTIFY will create a new device type iotify_type in the AWS IoT region.

2. IoTIFY will create a new Thing group iotify in the backend. This group will be associated with all virtual devices.

3. A new certificate policy IOTIFY_AUTOMATED_POLICY will be created which will be subsequently attached to all newly created certificates.

4. A new AWS IoT thing will be created with the name iotify_[deviceId] and will have a device certificate enrolled and attached to it.

5. The certificate’s private key for each new thing will be stored in IoTIFY glob storage with the key pattern aws_iotify_%d_key. The certificate itself will be stored as aws_iotify_%d_cert, where %d will be the client index, starting from 0.

Step 2. Device Models

To connect any devices to AWS, we need to use the keys and certificates of those devices that were provisioned by AWS. To do this, you can follow these steps:

In the Protocol tab of the device template, choose Certificate under the Security section. Now set the Private key as {{state.__$key}} and Certificate as {{state.__$cert}}. What does this do? It means that the value of the private key and certificate will be dynamically populated once the template starts running. How? Add the following piece of code in the init stage of your device model. This will fetch the private keys and certificates from the glob and add them to the authentication parameters.

{ 
  state.__$key = glob.get( "aws_iotify_"+client()+"_key");    
  state.__$cert = glob.get( "aws_iotify_"+client()+"_cert");    
}

This will fetch the private keys and certificates from the glob and add them to the authentication parameters. Since each certificate and key is unique, a client() function is used to retrieve the current index of the client and populate the specific data for it.

The use of __$ pattern ensures that key and certificate objects are not displayed in the state object in the result. If you would like to see the values, you could change the pattern with something else.