AWS IoT Connector

IoTIFY connectors make it extremely easy to manage Things enrollment, certificate provisioning and testing. Learn more about how to deploy thousands of virtual IoT devices in AWS IoT Core.

Introduction

AWS IoT is one of the most popular IoT platform out there. With its native integration with large set of AWS IoT services, it’s one of the most comprehensive offering amongst IoT platforms available today.
Security is built-in from the ground up in AWS, and therefore, its no surprise that the preferred method of connecting IoT devices to AWS IoT is MQTTS with certificate based authentication. AWS strongly recommends to use individual certificates for each devices, which also makes the testing and prototyping complicated for large set of devices. Not anymore.

Introducing AWS IoTIFY connector

AWS IoT connector from IoTIFY simplifies the entire process of Things creation, certificate enrollment and template creation. All you need is a IAM credential and you are good to deploy and test as many virtual IoT devices as you need in AWS IoT platform.

With IoTIFY Connector for AWS, managing and deploying certificates for your virtual IoT devies becomes a breeze. All you need is to pass the right IAM credentials and IoTIFY will automatically manage things creation, provisioning, certificate enrollment, policy attachment and all other steps required to create a functional IoT simulation environment. Here’s how it works:-

Step 1. Specification

Click on the AWS Connector icon in Network templates and you will see the AWS Connector Wizard. In order to provision AWS IoT devices we need to specify AWS IoT IAM credentials.
In order to generate IAM credentials, go to AWS Account Security page and add a new user named iotify as follows:-

The user should only have a programmatic access. Now go to the next step

Click on the top level filter Attach Existing Policy and type iot in the search box to find AWSIoTFullAccess Policy. Check the box next to this policy and click Review.

In the review tab, click Create user and a new IAM user will be created for the IoTIFY.

Important: Please save the IAM user’s Access key ID and Secret access key and store it somewhere safe. You won’t be able to retrieve secret key after this step.

Once you have AWS Access Key ID, Secret let’s go back to IOTIFY Connector page and provide the credentials there. As a next step you need to choose one of the deployment region and specify the number of devices to provision.

Once ready, click the deploy button and off you go!

Step 2. Provisioning

Upon receiving the request to provision AWS IoT devices in the specified region, IoTIFY will do following steps:-

  1. IoTIFY will create a new device type iotify_type in the AWS IoT region.

  2. IoTIFY will create a new Thing group iotify in the backend. This group will be associated with all virtual devices.

  3. A new certificate policy IOTIFY_AUTOMATED_POLICY will be created which will be subsequently attached to all newly created certificates.

  4. A new AWS IoT thing will be created with the name iotify_[deviceId] and will have a device certificate enrolled and attached to it.

  5. The certificate’s private key for each new thing will be stored in IoTIFY glob storage with the key pattern aws_iotify_%d_key. The certificate itself will be stored as aws_iotify_%d_cert, where %d will be the client index, starting from 0.

  6. A sample template will be generated which could be used to simulate all of these newly provisioned AWS IoT devices.

Step 3. Template

A new template will be automatically created by the connector Wizard. Once the wizard finishes deploying IoT things, you will be redirected to the newly created template.
This template has couple of clever tricks to enable multiple individual AWS IoT object being simulated in a single template.

Here is how the template works -
The template has {{state.__$key}} macro in the place of the Private key in the Authentication Tab. Similarly {{state.__$cert}} is used for certificate. What does it mean?
It means that the value of private key and certificate will be dynamically populated once the template starts running. How? The trick is in the init function.

{
//passed parameters to this function are:
//state: current object state, passed as reference
//You can initialize the state here. E.g. create a unique GUID for the client
state.__$key = glob.get( "aws_iotify_"+client()+"_key");
state.__$cert = glob.get( "aws_iotify_"+client()+"_cert");
//no need for return
}

The init function will populate the certificate and key fields from the glob storage. Since each certificate and key is unique, a client() function is used to retrieve the current index of the client and populate the specific data for it.

The use of __$ pattern ensures that key and certificate objects are not displayed in the state object in the result. If you would like to see the values, you could change the patten with something else.

Now since we know how the template does it magic trick, rest of the part becomes very easy. Simplay change the message function and send whatever data you want to send to the cloud backend.

Cleaning up

In order to delete the provisioned certificates, simply go to connector for AWS and provide the credentials and number of devices to cleanup. Instead of hitting deploy button, hit the cleanup button on the right hand side.

Note that the cleanup function will only delete the specified number of certificates and any associated things with those certificates. You need to manually delete thing type and policy at the moment.

To delete the certificate stored in glob, simply run a template with following message body

{
glob.delete( "aws_iotify_"+client()+"_key");
glob.delete( "aws_iotify_"+client()+"_cert");
}