1 Introduction

The AWS IoT solution is a fully hosted cloud platform that enables connected devices to interact easily and securely with cloud applications and other devices. AWS IoT can support billions of devices and trillions of messages, and can process and route those messages safely and reliably to AWS endpoints and to other devices. The AWS IoT platform enables you to connect devices to AWS services and other devices, secure data and interactions, process and act on device data, and let applications interact with devices even when they are offline.

The first step in using AWS IoT is to connect your device to the AWS IoT Core service. AWS IoT supports multiple access protocols, authentication methods, and authorization policies.

2 Protocols supported by AWS IoT

To connect to AWS IoT, a device must first talk to the IoT platform using one of the protocols that AWS IoT supports.

2.1 The HTTP protocol

HTTP is the most common protocol on the Internet, and it supports all of the authentication and authorization modes described later. In IoT scenarios, however, its protocol overhead is relatively high. In addition, HTTP's request-response-only model offers no subscription mode, which is essential in IoT because it is what delivers downlink commands to the device.

2.2 The MQTT protocol

MQTT is the most widely used protocol in the Internet of Things. Its advantages are low protocol overhead and support for all the required interaction modes, including publish and subscribe.

2.3 MQTT over WebSocket

MQTT over WebSocket runs the MQTT protocol on top of WebSocket and uses port 443. It offers better reachability than plain MQTT in restrictive network environments, but it is also relatively more complex.

3 Authentication and authorization modes supported by AWS IoT

Before a device connects to AWS IoT, it must be authenticated to verify its identity. After authentication, each device request must be authorized; only authorized requests are accepted by AWS IoT. Which authorization mechanism applies depends on the authentication mode the device uses.

AWS IoT supports four authentication modes: IAM identity, Cognito identity, X.509 certificate, and custom authentication.

AWS IoT supports two authorization policy types: IAM Policy and IoT Policy.

4 Preparations

4.1 Creating an Operating Environment

Create an EC2 server on AWS. While creating it, create an IAM role for the EC2 instance to use:

Click "Create new IAM Role"

Click "Create role"

Select "AWS Products" -> "EC2" and click "Next"

Attach "AdministratorAccess" and click "Next"; the tags can be skipped, so just click "Next" again

Enter the name of the role, click "Create role", then go back to the previous EC2 creation page and refresh the role list

Then continue the EC2 configuration until the instance is successfully created (details are omitted).

4.2 Configuring the Operating Environment

Remotely log in to the created EC2 server (details are omitted)

Because the operations are carried out through the AWS CLI, and the CLI is not installed on the EC2 instance by default, I need to install it myself. For the installation steps, see docs.aws.amazon.com/zh_cn/cli/l… (the specific installation process is omitted; it may take several attempts, and different operating system versions have slight differences, so experience it yourself). The CLI is successfully installed as shown in the following figure:

To configure the AWS CLI: I chose the US East (N. Virginia) region, so fill in us-east-1; the output format is usually json.

To prepare the working directory, create a new directory awsIoTAccessDemo.

Then download the Root CA certificate for AWS IoT. For device connections the ATS endpoint should normally be chosen, together with the ATS CA file. However, since the ATS endpoint is not supported by custom authentication, you also need to download the CA certificate of the VeriSign endpoint.

Execute the command wget www.amazontrust.com/repository/…

Execute the command wget www.symantec.com/content/en/…

To install the dependent software packages, run the following commands:

sudo yum install python-pip jq -y
pip install boto3 --user
pip install AWSIoTPythonSDK --user
pip install flask --user
pip install paho-mqtt --user

Then get the Account Id by executing the command:

account_id=`aws sts get-caller-identity | jq .Account | sed 's/"//g'`

To obtain the IoT endpoint prefix of the account, run:

endpoint_prefix=`aws iot describe-endpoint | jq .endpointAddress | sed 's/"//g' | awk -F . '{print $1}'`

Then store the obtained Account Id and endpoint prefix in environment variables by running the following commands:

echo "export account_id=$account_id" >> ~/.bashrc
echo "export endpoint_prefix=$endpoint_prefix" >> ~/.bashrc

4.3 Configuring the Monitoring page for receiving IoT Messages

Log in to the AWS IoT console, click the "Test" entry, and enter the subscription topic "IoTDemo/#".

Click "Subscribe to topic"; all subsequent messages received by IoT Core on matching topics will be displayed below.


5 Use IAM authentication for access

The device access authentication methods supported by AWS have been listed previously. This article will try different authentication methods for device access.

Users can use an IAM identity for device authentication. The device must hold IAM credentials, either preset on the device or obtained by other means, and uses the SigV4 signature algorithm to sign each request. AWS IoT authenticates the device identity by verifying the signature; after authentication, it authorizes the request based on the IAM Policy attached to that identity.
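To make the SigV4 step concrete, here is an added example (not code from the original article) that hand-builds the signed HTTPS publish request which boto3 produces internally for the script in section 5.2: it derives the signing key from the secret access key, builds the canonical request for POST /topics/<topic>?qos=0, and emits the Authorization header. The credentials, endpoint prefix and timestamp are constructed placeholders, and the service name `iotdata` and the `%2F` encoding of the topic are assumptions about the IoT data plane; nothing is sent over the network.

```python
"""Hand-built SigV4 signing for an AWS IoT HTTPS publish (educational, offline)."""
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values: not real credentials, not a real endpoint.
ACCESS_KEY_ID = "AKIAEXAMPLEKEY000000"
SECRET_ACCESS_KEY = "exampleSecretKeyNotReal0000000000000000"
REGION = "us-east-1"
SERVICE = "iotdata"  # assumed signing service name for the IoT data plane
HOST = "EXAMPLEPREFIX.iot.us-east-1.amazonaws.com"  # placeholder for ${endpoint_prefix}


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret, date_stamp, region, service):
    """Derive the per-day signing key: an HMAC chain over date, region, service, terminator."""
    key = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key


def sign_publish(topic, payload, when, access_key=ACCESS_KEY_ID, secret=SECRET_ACCESS_KEY):
    """Return (method, url, headers) for POST /topics/<topic>?qos=0 signed with SigV4."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    body = payload.encode("utf-8")
    # 1. Canonical request: method, URI, query, headers, signed-header list, payload hash.
    canonical_uri = "/topics/" + quote(topic, safe="")  # assumption: "/" in topic sent as %2F
    canonical_headers = "host:%s\nx-amz-date:%s\n" % (HOST, amz_date)
    signed_headers = "host;x-amz-date"
    payload_hash = hashlib.sha256(body).hexdigest()
    canonical_request = "\n".join(["POST", canonical_uri, "qos=0", canonical_headers,
                                   signed_headers, payload_hash])
    # 2. String to sign binds the request hash to the credential scope and timestamp.
    scope = "%s/%s/%s/aws4_request" % (date_stamp, REGION, SERVICE)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    # 3. Signature: HMAC of the string to sign under the derived key; the secret never leaves the device.
    signature = hmac.new(signing_key(secret, date_stamp, REGION, SERVICE),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers = {"Host": HOST, "X-Amz-Date": amz_date, "Content-Type": "application/json",
               "Authorization": "AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s"
                                % (access_key, scope, signed_headers, signature)}
    return "POST", "https://%s%s?qos=0" % (HOST, canonical_uri), headers
```

Call sign_publish(topic, json_payload, datetime.datetime.utcnow()) and send the result with any HTTPS client; the IAM policy from section 5.2 still decides whether a publish to that topic is allowed, since a valid signature only proves who is asking.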

The schematic diagram of IAM identity authentication is as follows:

5.1 Creating an IAM User, IoTDeviceUser

Enter the command:

aws iam create-user --user-name IoTDeviceUser

Create an access key for the IoTDeviceUser user by entering the command:

aws iam create-access-key \
    --user-name IoTDeviceUser > /tmp/IoT_demo_access_key

Make a note of the AccessKeyId and SecretAccessKey, then enter the following commands:

AccessKeyId=`cat /tmp/IoT_demo_access_key | jq .AccessKey.AccessKeyId | sed 's/"//g'`
SecretAccessKey=`cat /tmp/IoT_demo_access_key | jq .AccessKey.SecretAccessKey | sed 's/"//g'`

Log in to the IAM console to view the newly created IAM user.

As you can see from the figure above, the IoTDeviceUser user has been created successfully, but no policy has been attached yet. In fact, IAM user creation and policy operations can also be done in the console, which is more convenient; the CLI was used here just to experience the operation.

5.2 HTTP is Used for Device Access

1) Run the following command to create an IAM Policy for the device (it allows iot:Publish only on the single topic IoTDemo/device_IAM_http):

device_IAM_http_policy_arn=`aws iam create-policy \
    --policy-name IoTDeviceIAMHttpPolicy \
    --policy-document "{
        \"Version\": \"2012-10-17\",
        \"Statement\": [
            {
                \"Sid\": \"VisualEditor0\",
                \"Effect\": \"Allow\",
                \"Action\": \"iot:Publish\",
                \"Resource\": [
                    \"arn:aws:iot:us-east-1:${account_id}:topic/IoTDemo/device_IAM_http\"
                ]
            }
        ]
    }" | jq .Policy.Arn | sed 's/"//g'`


2) Bind the IAM Policy to the IAM user by running the command:

aws iam attach-user-policy --user-name IoTDeviceUser \
    --policy-arn ${device_IAM_http_policy_arn}

3) Generate the simulated device program

Run the following command:

cat <<-EOF > ~/awsIoTAccessDemo/device_IAM_http.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import boto3
import argparse
import json

# get parameters: the payload to send and the IAM user's access key pair
parser = argparse.ArgumentParser(description='Send data to IoT Core')
parser.add_argument('--data', default="data from device_IAM_http",
                    help='data to IoT core topic')
parser.add_argument('--AccessKeyId', required=True,
                    help='AccessKeyId')
parser.add_argument('--SecretAccessKey', required=True,
                    help='SecretAccessKey')

args = parser.parse_args()
data = args.data
access_key_id = args.AccessKeyId
secret_access_key = args.SecretAccessKey

device_name = 'device_IAM_http'
region = 'us-east-1'
topic = "IoTDemo/" + device_name  # must match the topic ARN allowed by IoTDeviceIAMHttpPolicy

# boto3 signs every request to the IoT data plane with SigV4 using the IAM user's keys
iot_data_client = boto3.client('iot-data', region_name=region,
                               aws_access_key_id=access_key_id,
                               aws_secret_access_key=secret_access_key)

response = iot_data_client.publish(
    topic=topic,
    qos=0,
    payload=json.dumps({"source": device_name, "data": data})
)
EOF

Note: The fields in the code must be filled in correctly.

4) Run the simulated device program:

python device_IAM_http.py --data "data from device IAM http." \
    --AccessKeyId ${AccessKeyId} --SecretAccessKey ${SecretAccessKey}

5) Go to the IoT console to check the received message.

From the figure above, you can see that the message came from the newly created .py file, and the message content is the field set in that file, which proves that the device sent the message successfully.

In the future, I will continue to try to use different identity authentication and different protocol access.




Original link: http://bbs.sinnet-cloud.cn/forum.php?mod=viewthread&tid=173