Fleet Provisioning - Provisioning Devices to AWS IoT in Advance
Introduction
What is Fleet Provisioning?
Fleet provisioning in AWS IoT comes in two variants: provisioning by claim and provisioning by trusted user.
Provisioning by Claim
Devices leave the factory with a provisioning claim certificate (a special-purpose certificate) and its private key embedded. Once that claim certificate is registered with AWS IoT, the device presents it on first connection and AWS IoT exchanges it for a unique device certificate that the device then uses for normal operation. The same claim certificate is usually embedded in an entire production batch, so it is effectively a shared secret: its IoT policy must allow nothing beyond the provisioning exchange, and it should be deactivated in AWS IoT as soon as it is suspected to have leaked.
Provisioning by Trusted User
In many cases a trusted user, such as an end customer or an installation technician, sets up the device at its deployment site for the first time using a mobile application. The trusted user signs in, obtains a temporary provisioning claim from AWS IoT and hands it to the device, which uses it to connect to AWS IoT and obtain its permanent certificate.
This article mainly focuses on the Provisioning by Claim method for fleet provisioning.
Provisioning by Claim Process
Configuration - AWS IoT Core
Create Certificates and Public/Private Key Pairs
Generate the claim certificate for provisioning
- In the AWS IoT Console, go to Secure >> Certificates >> Add Certificates >> Create Certificates
- On the screen that follows, download the certificate and its private key to your local machine. For convenience, also download the Amazon Root CA certificate, which the device needs to verify the AWS IoT endpoint.
Create Provisioning Template and Attach Policy
- Create Provisioning Template
- Choose Provisioning devices with claim certificates, and then click Next
- Create an IoT service role by clicking Create Role
- After entering the Role Name, click View
- Attach policy
- Search for and attach the AWS managed policy AWSIoTThingsRegistration, which lets the provisioning service create the thing, certificate and policy on the device's behalf
- Claim certificate policy: click Create IoT Policy
- Enter the Policy Name and paste the sample JSON
Sample IoT Policy
```json
{
```
- Tick the claim certificate created earlier so that this policy is attached to it
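The claim certificate is shared by every device in a batch, so the policy attached to it is the only thing standing between a leaked claim key and your whole account. The block below is an added example, not the article's sample JSON: it builds a least-privilege claim policy that covers only the CreateKeysAndCertificate, CreateCertificateFromCsr and RegisterThing topics, and a small check that flags any Allow grant going beyond them. The region, account ID and template name are placeholders; the two bad policies are constructed for contrast.

```python
# Added example (not from the original article): a least-privilege policy for the
# shared claim certificate, and a check that flags anything broader.
# Region, account ID and template name are placeholders.
import json

REGION = "us-east-1"          # assumption: your region
ACCOUNT = "123456789012"      # assumption: placeholder account ID
TEMPLATE = "MyFleetTemplate"  # assumption: your provisioning template name
ARN = f"arn:aws:iot:{REGION}:{ACCOUNT}"

# The only topics a device needs while it still holds the shared claim certificate.
PROVISIONING_TOPICS = (
    "$aws/certificates/create/",                            # CreateKeysAndCertificate
    "$aws/certificates/create-from-csr/",                   # CreateCertificateFromCsr (the --csr path)
    f"$aws/provisioning-templates/{TEMPLATE}/provision/",   # RegisterThing, for this template only
)

def resources(kind):
    """ARNs of the provisioning topics, as 'topic' (publish/receive) or 'topicfilter' (subscribe)."""
    return [f"{ARN}:{kind}/{t}*" for t in PROVISIONING_TOPICS]

CLAIM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"], "Resource": resources("topic")},
        {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": resources("topicfilter")},
    ],
}

# Two constructed policies of the kind that must never sit on a claim certificate.
LOOSE_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}]}
LEAKY_POLICY = {"Version": "2012-10-17",
                "Statement": CLAIM_POLICY["Statement"] + [
                    {"Effect": "Allow", "Action": "iot:Publish",
                     "Resource": f"{ARN}:topic/telemetry/*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def topic_of(resource):
    """Topic path of a topic/topicfilter ARN, or None for any other resource (including '*')."""
    for kind in (":topic/", ":topicfilter/"):
        if kind in resource:
            return resource.split(kind, 1)[1]
    return None

def claim_policy_findings(policy):
    """List every Allow grant that goes beyond the provisioning exchange; empty means scoped."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in ("*", "iot:*"):
                findings.append(f"statement {i}: wildcard action {action}")
            elif action == "iot:Connect":
                continue  # Connect on "*" is expected; tighten to a client ARN if client IDs are fixed
            elif action in ("iot:Publish", "iot:Subscribe", "iot:Receive"):
                for res in _as_list(stmt.get("Resource", [])):
                    topic = topic_of(res)
                    if topic is None or not topic.startswith(PROVISIONING_TOPICS):
                        findings.append(f"statement {i}: {action} on non-provisioning resource {res}")
            else:
                findings.append(f"statement {i}: {action} is not needed for provisioning")
    return findings

if __name__ == "__main__":
    print(json.dumps(CLAIM_POLICY, indent=2))
    for name, pol in (("claim", CLAIM_POLICY), ("loose", LOOSE_POLICY), ("leaky", LEAKY_POLICY)):
        print(name, claim_policy_findings(pol) or "OK")
```

Run it once against the JSON you are about to paste into the console; if it reports anything other than an empty list, the claim certificate can do more than provision, and a copy of it extracted from one device would let an attacker act as a device in your account.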
Once completed, you can proceed to set up provisioning in advance.
Configure Pre-provisioning
The template example for fleet provisioning can be found at:
```json
{
```
The pre-provisioning hook is a Lambda function that validates the parameters the device sends before any resources are created; it must exist in your account before devices can be provisioned with this template. Use it to check each request against a known-device database, so that a leaked claim certificate alone is not enough to register an unauthorized device in your account: when the hook returns allowProvisioning: false, no certificate is activated and no thing is created.
- Choose Create a Lambda function
Sample provisioning hook, where you validate the request before the certificate is activated:
```python
import json
```
Hook Input
```json
{
```
When a device registers with AWS IoT, this object is what AWS IoT sends to the Lambda function. Its parameters object carries the attributes from the parameters argument of the device's RegisterThing request payload.
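A hook that only echoes allowProvisioning: true adds nothing, so here is an added example, not the article's own Lambda, of a hook that denies by default: it checks the serial's format before any lookup, requires the serial to exist in a manufacturing record, refuses a serial that has already provisioned once, and overrides the device-supplied DeviceLocation with the recorded value instead of trusting it. The serial format, the allowlist and the sample event are constructed; in production the lookup and the once-only check would be a conditional write against DynamoDB or your manufacturing database.

```python
# Added example (not the article's own Lambda): a deny-by-default pre-provisioning hook.
# Serial format, allowlist and sample event are constructed; production code would
# replace the dict and set below with a database lookup and a conditional write.
import json
import re

SERIAL_RE = re.compile(r"^SN-[0-9A-F]{6}$")   # assumption: factory serial format
KNOWN_DEVICES = {                              # constructed manufacturing records
    "SN-0001A7": {"DeviceLocation": "Seattle"},
    "SN-0002B3": {"DeviceLocation": "Portland"},
}
PROVISIONED = set()   # serials that already went through; in production a conditional DB write

DENY = {"allowProvisioning": False}

def decide(event):
    """Return the hook response: allowProvisioning plus optional parameterOverrides."""
    params = event.get("parameters") or {}
    serial = params.get("SerialNumber", "")
    # 1. Shape check first: reject anything that is not a serial before touching any store.
    if not isinstance(serial, str) or not SERIAL_RE.match(serial):
        return dict(DENY)
    # 2. The device must exist in the manufacturing records.
    record = KNOWN_DEVICES.get(serial)
    if record is None:
        return dict(DENY)
    # 3. A serial provisions once; a stolen claim certificate plus a guessed serial
    #    must not be able to clone an already deployed device.
    if serial in PROVISIONED:
        return dict(DENY)
    # 4. Do not trust device-supplied attributes; take them from the record.
    overrides = {"DeviceLocation": record["DeviceLocation"]}
    PROVISIONED.add(serial)
    return {"allowProvisioning": True, "parameterOverrides": overrides}

def lambda_handler(event, context):
    """Entry point AWS Lambda calls with the hook input shown above."""
    response = decide(event)
    # One structured log line per decision, for detection and audit.
    print(json.dumps({"serial": (event.get("parameters") or {}).get("SerialNumber"),
                      "clientId": event.get("clientId"),
                      "allowed": response["allowProvisioning"]}))
    return response

# Constructed sample event in the shape AWS IoT sends to the hook (IDs are placeholders).
SAMPLE_EVENT = {
    "claimCertificateId": "0123456789abcdef",
    "certificateId": "fedcba9876543210",
    "certificatePem": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
    "templateArn": "arn:aws:iot:us-east-1:123456789012:provisioningtemplate/MyFleetTemplate",
    "clientId": "SN-0001A7",
    "parameters": {"SerialNumber": "SN-0001A7", "DeviceLocation": "Somewhere else"},
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))
    print(lambda_handler(SAMPLE_EVENT, None))   # second attempt for the same serial is denied
```

The parameterOverrides keys must be parameters declared in the provisioning template; anything the device sent for those keys is replaced by the hook's value before the template runs.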
Configuration - Device Side
The downloaded claim certificate and private key must be moved to the device, for example with scp over SSH from your local machine.
Additionally, you will need to install the desired IoT Device SDK on the device.
AWS IoT Device SDKs, Mobile SDKs, and AWS IoT Device Client: https://docs.aws.amazon.com/zh_tw/iot/latest/developerguide/iot-sdks.html
The Device SDKs are currently available for C++, JavaScript, Java, Python and Embedded C; pick the one that fits your device and scenario.
Using AWS IoT Device SDK
This article mainly uses the Python IoT Device SDK v2.
To install the SDK on the device, first make sure the device has the git, python3 and python3-pip packages.
```shell
git clone https://github.com/aws/aws-iot-device-sdk-python-v2.git
```
Initialize the package
```shell
# (Optional) Setup the version number of your local build. The default version
```
In aws-iot-device-sdk-python-v2/samples/fleetprovisioning.py you can set up the Provisioning Template.
Afterwards, the device needs three things to connect to AWS IoT Core:
- AWS IoT Endpoint
- Claim Certificate
- Private Key
You can find the script's operating steps here:
https://github.com/aws/aws-iot-device-sdk-python-v2/blob/main/samples/fleetprovisioning.md
```shell
python3 fleetprovisioning.py --endpoint <endpoint> --cert <file> --key <file> --template_name <name> --template_parameters '{"SerialNumber":"1","DeviceLocation":"Seattle"}' --csr <path to csr file>
```
Pass --csr when the device generates its own key pair and should keep the private key on the device; omit it to let AWS IoT generate the key pair and return it together with the certificate.
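What the sample script does on the wire is two request/response exchanges over MQTT. The block below is an added example, not the SDK's code: it replays that exchange against a constructed stand-in for AWS IoT Core so the topic names, payload shapes and ownership-token flow can be traced offline, for both the AWS-generated key pair and the --csr variant. The template name, serials, error strings and the stand-in's behaviour are assumptions; a real device performs the same publishes with the claim certificate, after first subscribing to the /accepted and /rejected topics, and then reconnects with the certificate it received.

```python
# Added example (not the SDK's code): the claim-based provisioning exchange, run against
# a constructed stand-in for AWS IoT Core. Template name, serials, error strings and the
# stand-in's behaviour are assumptions; the topic names and payload keys are the documented ones.
import json

TEMPLATE = "MyFleetTemplate"  # assumption: your provisioning template name
CREATE_KEYS = "$aws/certificates/create/json"                # AWS IoT generates the key pair
CREATE_FROM_CSR = "$aws/certificates/create-from-csr/json"   # device keeps its key, sends a CSR
REGISTER = f"$aws/provisioning-templates/{TEMPLATE}/provision/json"

class ProvisioningRejected(Exception):
    pass

class FakeIoTCore:
    """Constructed stand-in for the provisioning MQTT API. Not AWS IoT Core."""
    def __init__(self, known_serials):
        self.known_serials = set(known_serials)   # what the pre-provisioning hook would allow
        self.tokens = {}                          # certificateOwnershipToken -> certificateId
        self.issued = 0

    def _rejected(self, topic, code, msg):
        return topic + "/rejected", {"statusCode": 400, "errorCode": code, "errorMessage": msg}

    def request(self, topic, payload):
        """Return (response_topic, response_payload) for one request publish."""
        if topic in (CREATE_KEYS, CREATE_FROM_CSR):
            if topic == CREATE_FROM_CSR and "certificateSigningRequest" not in payload:
                return self._rejected(topic, "InvalidRequest", "missing certificateSigningRequest")
            self.issued += 1
            cert_id = f"cert{self.issued:04d}"
            token = f"token-{cert_id}"
            self.tokens[token] = cert_id          # certificate stays inactive until RegisterThing succeeds
            resp = {"certificateId": cert_id,
                    "certificatePem": f"-----BEGIN CERTIFICATE-----\n{cert_id}\n-----END CERTIFICATE-----",
                    "certificateOwnershipToken": token}
            if topic == CREATE_KEYS:              # only this variant hands a private key to the device
                resp["privateKey"] = "-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----"
            return topic + "/accepted", resp
        if topic == REGISTER:
            token = payload.get("certificateOwnershipToken")
            if token not in self.tokens:
                return self._rejected(topic, "InvalidCertificateOwnershipToken", "unknown or used token")
            serial = payload.get("parameters", {}).get("SerialNumber")
            if serial not in self.known_serials:  # the hook returned allowProvisioning: false
                return self._rejected(topic, "AccessDenied", "pre-provisioning hook denied the request")
            self.tokens.pop(token)                # the token is single-use
            return topic + "/accepted", {"thingName": f"device-{serial}", "deviceConfiguration": {}}
        return self._rejected(topic, "InvalidTopic", "not a provisioning topic")

def provision(core, serial, location, csr_pem=None):
    """Device side: CreateKeysAndCertificate or CreateCertificateFromCsr, then RegisterThing."""
    if csr_pem is None:
        topic, cert = core.request(CREATE_KEYS, {})
    else:
        topic, cert = core.request(CREATE_FROM_CSR, {"certificateSigningRequest": csr_pem})
    if not topic.endswith("/accepted"):
        raise ProvisioningRejected(cert["errorCode"])
    topic, reg = core.request(REGISTER, {
        "certificateOwnershipToken": cert["certificateOwnershipToken"],
        "parameters": {"SerialNumber": serial, "DeviceLocation": location},
    })
    if not topic.endswith("/accepted"):
        raise ProvisioningRejected(reg["errorCode"])
    # A real device now stores certificatePem (and privateKey, if AWS IoT generated it),
    # disconnects, and reconnects with the new certificate instead of the claim certificate.
    return {"thingName": reg["thingName"], "certificateId": cert["certificateId"],
            "privateKey": cert.get("privateKey")}

if __name__ == "__main__":
    core = FakeIoTCore(["SN-0001A7"])
    print(json.dumps(provision(core, "SN-0001A7", "Seattle"), indent=2))
```

Two details matter for the device code: the ownership token binds the RegisterThing call to the certificate that was just created and is used only once, and with --csr the private key never leaves the device, which is the variant to prefer when the device has a secure element or TPM to keep it in.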
Reference Documents
[+] https://github.com/aws-samples/aws-iot-fleet-provisioning
[+] https://docs.aws.amazon.com/zh_tw/iot/latest/developerguide/iot-provision.html
[+] https://docs.aws.amazon.com/zh_tw/iot/latest/developerguide/provision-wo-cert.html#claim-based
[+] https://aws.amazon.com/tw/blogs/iot/how-to-automate-onboarding-of-iot-devices-to-aws-iot-core-at-scale-with-fleet-provisioning/