2025-01-22 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article introduces how to connect devices to AWS IoT securely. It is fairly detailed; interested readers can use it for reference, and I hope it is helpful.
1 Introduction
The AWS IoT solution is a fully hosted cloud platform that allows connected devices to easily and securely interact with cloud applications and other devices. AWS IoT can support billions of devices and trillions of messages, and these messages can be processed and securely and reliably routed to AWS endpoints and other devices. The AWS IoT platform enables you to connect devices to AWS services and other devices, secure data and interactions, process and operate on device data, and support applications to interact with devices even if they are offline.
The first step in using AWS IoT is to connect the device to the AWS IoT Core service. AWS IoT supports multiple access protocols, authentication methods and authorization policies.
2 Protocols supported by AWS IoT
To access AWS IoT, a device must first speak one of the protocols that AWS IoT supports in order to interact with the IoT platform.
2.1 HTTP protocol
HTTP is the most common protocol on the Internet, and it supports all of the authentication and authorization methods described later. In IoT scenarios, however, it has drawbacks such as high protocol overhead. In addition, HTTP's request/response-only model does not support the subscription mode that is so important in IoT, so it cannot deliver downlink commands to devices.
2.2 MQTT protocol
The MQTT protocol is the most widely used protocol in IoT scenarios; it has low protocol overhead and supports publish/subscribe as well as the other messaging modes.
2.3 MQTT over WebSocket
MQTT over WebSocket runs the MQTT protocol on top of WebSocket and uses port 443. It is more accessible than plain MQTT in restrictive network environments, but it is also relatively more complex.
3 Authentication and authorization methods supported by AWS IoT
When a device connects to AWS IoT, it must be authenticated to confirm that it has a legitimate identity. After authentication, each request from the device must be authorized, and only authorized requests are accepted by AWS IoT. Different device authentication methods may also come with different authorization methods.
AWS IoT supports four authentication methods: IAM identity, Cognito identity, X.509 certificate, and custom authentication.
AWS IoT supports two authorization policy types: IAM policy and IoT policy.
4 Preparation work
4.1 Create an operating environment
Create an EC2 instance on AWS. During the creation process, you need to create an IAM role for the EC2 instance:
Click "Create a new IAM role"
Click "Create role"
Select "AWS service" -> "EC2", and click "Next"
Select "AdministratorAccess" and click "Next". Tags can be skipped; click "Next" directly.
Enter the role name, click "Create role", then go back to the EC2 creation screen you came from and refresh the role list.
Then continue with the rest of the EC2 configuration until the instance is created successfully (the remaining steps are omitted).
4.2 Configure the operating environment
Log in remotely to the EC2 instance you created (the specific process is omitted).
Because the operations are carried out through the AWS CLI, and the CLI is not installed on the EC2 instance, it must be installed manually. For the installation steps, see https://docs.aws.amazon.com/zh_cn/cli/latest/userguide/install-linux.html#install-linux-awscli. The installation process is omitted here; it may take several attempts, and different operating system versions behave differently, so expect to experiment. Once the CLI is installed successfully, it looks as shown below:
Configure the AWS CLI. I chose US East (N. Virginia), so the region is us-east-1; the output format is usually json.
Prepare the working directory: create a new directory named awsiotaccessdemo.
Then download the AWS IoT root CA certificates. Device connections should prefer the ATS endpoint and use the ATS CA file; however, because custom authentication (covered later) does not support the ATS endpoint, you also need to download the CA certificate for the VeriSign endpoint.
Execute the command: wget https://www.amazontrust.com/repository/AmazonRootCA1.pem
Then execute the command: wget https://www.symantec.com/content/en/us/enterprise/verisign/roots/VeriSign-Class%203-Public-Primary-Certification-Authority-G5.pem
To install the dependent packages, execute the following commands:
sudo yum install python-pip jq -y
pip install boto3 --user
pip install AWSIoTPythonSDK --user
pip install flask --user
pip install paho-mqtt --user
Then get the Account Id by executing the following command (the field returned by the CLI is Account, with a capital A; jq -r prints the value without the surrounding quotes):
account_id=$(aws sts get-caller-identity | jq -r .Account)
Get the IoT endpoint prefix of the account by executing the command:
endpoint_prefix=$(aws iot describe-endpoint | jq -r .endpointAddress | awk -F. '{print $1}')
Then write the Account Id and endpoint prefix you just obtained into environment variables by executing the following commands:
echo "export account_id=$account_id" >> ~/.bashrc
echo "export endpoint_prefix=$endpoint_prefix" >> ~/.bashrc
4.3 Configure the IoT message monitoring page
Log in to the AWS IoT console, click the "Test" entry, and enter the subscription topic "IoTDemo/#".
Click "Subscribe to topic"; all messages subsequently received by IoT Core on matching topics will be displayed below.
5 Access using IAM authentication
The device access authentication methods supported by AWS were listed earlier; this article tries access with each of them in turn.
Users can use IAM identities to authenticate devices. The device must be pre-provisioned with, or obtain by other means, security credentials, and it signs each request using the SigV4 signature algorithm. The AWS IoT service authenticates the device's identity by verifying the signature. After authentication, IoT authorizes the request according to the IAM policy attached to that identity.
The schematic diagram of IAM authentication method is as follows:
5.1 Create an IAM user, IoTDeviceUser
Enter the command: aws iam create-user --user-name IoTDeviceUser
Create an access key for the IoTDeviceUser user
Enter the command: aws iam create-access-key --user-name IoTDeviceUser > /tmp/IoT_demo_access_key
Record the AccessKeyId and SecretAccessKey by entering the following commands:
AccessKeyId=$(jq -r .AccessKey.AccessKeyId /tmp/IoT_demo_access_key)
SecretAccessKey=$(jq -r .AccessKey.SecretAccessKey /tmp/IoT_demo_access_key)
Log in to the IAM console to view the IAM user you just created.
As the figure above shows, the IoTDeviceUser user has been created successfully, but no policy has been attached yet. IAM user creation and policy operations can in fact be done in the console, which is more convenient; the CLI was used above just to demonstrate the operations.
5.2 Device access using the HTTP protocol
1) Create an IAM policy for the device and enter the following command (the trailing jq extracts the policy ARN from the create-policy output so that it can be referenced in the next step):
device_IAM_http_policy_arn=$(aws iam create-policy \
  --policy-name IoTDeviceIAMHttpPolicy \
  --policy-document "{
    \"Version\": \"2012-10-17\",
    \"Statement\": [
      {
        \"Sid\": \"VisualEditor0\",
        \"Effect\": \"Allow\",
        \"Action\": \"iot:Publish\",
        \"Resource\": [
          \"arn:aws:iot:us-east-1:${account_id}:topic/IoTDemo/device_IAM_http\"
        ]
      }
    ]
  }" | jq -r .Policy.Arn)
2) Bind the IAM policy to the IAM user and execute the command:
aws iam attach-user-policy --user-name IoTDeviceUser --policy-arn ${device_IAM_http_policy_arn}
3) Generate the simulated device program
Execute the following command:
cat
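The article's own simulated device script is cut off above. As an added example that is not the article's code, the following shows what such a device does under IAM authentication: it builds a SigV4-signed HTTPS POST to the IoT data endpoint's /topics/<topic> path (SigV4 service name iotdata), using only the standard library so the signing steps are visible; the endpoint prefix, credentials and payload are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import quote

# Added example (not the article's script): SigV4-sign an HTTPS publish to the
# AWS IoT data plane with IAM user credentials. A real device would usually let
# boto3 / the AWS SDK do this; the steps are spelled out here to show what is signed.

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def sigv4_iot_publish(access_key, secret_key, endpoint_prefix, region,
                      topic, payload: bytes, qos=0, amz_date="20240102T030405Z"):
    """Return (url, headers) for POST https://<prefix>-ats.iot.<region>.amazonaws.com/topics/<topic>?qos=<n>.
    amz_date is pinned for reproducibility; use the current UTC time in practice."""
    service = "iotdata"  # SigV4 service name for the IoT data endpoint
    host = f"{endpoint_prefix}-ats.iot.{region}.amazonaws.com"
    date_stamp = amz_date[:8]
    canonical_uri = "/topics/" + quote(topic, safe="/")  # topic levels stay path segments
    canonical_qs = f"qos={qos}"
    payload_hash = hashlib.sha256(payload).hexdigest()  # body is covered by the signature
    canonical_headers = f"host:{host}\nx-amz-date:{amz_date}\n"
    signed_headers = "host;x-amz-date"
    canonical_request = "\n".join(["POST", canonical_uri, canonical_qs,
                                   canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    # Derive the signing key: HMAC chain over date, region, service, "aws4_request".
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode("utf-8"),
                                        date_stamp), region), service), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers = {
        "Host": host,
        "X-Amz-Date": amz_date,
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={signature}"),
    }
    return f"https://{host}{canonical_uri}?{canonical_qs}", headers

if __name__ == "__main__":
    # Constructed placeholder credentials and endpoint prefix; substitute the values
    # obtained in sections 4.2 and 5.1 and send the request with urllib or requests.
    url, headers = sigv4_iot_publish("AKIAEXAMPLEKEY", "EXAMPLESECRET", "abc123example",
                                     "us-east-1", "IoTDemo/device_IAM_http",
                                     b'{"device": "IAM_http", "temp": 21.5}')
    print(url)
    print(headers["Authorization"])
```

Because the IAM policy above only allows iot:Publish on topic/IoTDemo/device_IAM_http, a correctly signed request to any other topic is authenticated but then rejected at the authorization step.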