AWS IoT thing provisioning with Krypton
Krypton is a SORACOM service that provides secure device provisioning. Instead of pre-loading secrets onto each device, it authenticates the device with its SORACOM SIM and the SORACOM cellular core network, and only then hands out the device's credentials.
In Krypton there are two authentication methods for provisioning:
- Authentication using SORACOM Air's cellular line
- SIM authentication by SORACOM Endorse
This guide mainly uses "SIM authentication with SORACOM Endorse" as the authentication method; where the cellular-line method differs, that is noted.
Here are the steps to set up SORACOM Krypton to be able to automatically provision a thing in AWS IoT and provide configuration including certificates to a client device.
- Create AWS IoT policy that you will assign to things provisioned through the service
- Create AWS IAM credentials that have permission to provision a thing in AWS IoT and generate a certificate for it.
- Configure SORACOM Krypton
Once the above has finished, a device with SORACOM SIM and Krypton client can automatically provision itself in AWS IoT and connect with MQTTS.
In order to provision a thing in AWS IoT, there needs to be a policy that defines what can be done by a thing. In this section, we go through the steps to create a policy to be used for a device that we provision via SORACOM Krypton.
- Go to the AWS IoT Core management console.
- Open the Policies menu in the Secure section of the AWS IoT Core management console and start creating a new policy.
- Edit the policy so that it fits your requirements. You may click on the Add statement button to add more policy statements. (You can edit the policy at any time, as needed.) Keep in mind that every device provisioned through Krypton with this group configuration receives this policy, so scope it to what a single device needs (for example, connecting only as its own thing name and using only its own topics) rather than granting iot:* on all resources.
- Make sure a message saying "Successfully created" appears. Remember the policy name, as it will be necessary when configuring SORACOM Krypton.
Create AWS IAM credentials that have permission to provision a thing in AWS IoT and generate certificates
In order for SORACOM Krypton to create a thing, generate a key and certificate for it, and attach a policy, a set of AWS credentials with the right permissions is required. This section walks you through the steps to create an AWS IAM user, attach the right set of policies, and obtain a set of AWS credentials. These are long-lived access keys that will live in SORACOM's credentials store, so give the user only the provisioning permissions below, do not reuse the keys anywhere else, and rotate them if you suspect exposure.
- Go to the AWS IAM management console, open the Users section, and start adding a new user.
- Give a name to the user, allow programmatic access, and proceed to the permissions step.
- Choose "Attach existing policies directly", search for the AWSIoTThingsRegistration policy, and tick its checkbox.
- Click on "Create policy" to add a new policy: choose IoT as the target service, enable the checkbox for CreateKeysAndCertificate, and continue.
- Name the policy and create it.
- Go back to the Add user wizard and search for the policy created in the last step (you may need to click on the Refresh button to find it). Tick its checkbox and continue.
- Review the configuration and create the user.
- Copy both the AWS access key ID and the secret access key and store them somewhere secure. (Note that the AWS secret access key is shown only once, at this point. Make sure you have stored it, as we will need the value later.)
By following the steps above, you have collected the information needed to configure SORACOM Krypton. Now we set up a configuration group so that a SIM can use that information to provision a thing in AWS IoT. We first create an entry in the SORACOM credentials store, then set the credentials ID and the AWS IoT related parameters in a configuration group.
Register AWS credentials to SORACOM credentials store
- Go to the SORACOM user console and select Security in the operator menu at the top right corner.
- Go to the Credentials section and click on Register a credentials set.
- Give a name to the credentials set, select AWS credentials as the type, and copy and paste the AWS credentials we created in the previous section.
Create a configuration group and put a SIM into the group
- Go to the Groups menu on the SORACOM user console.
- Create a group by clicking on the Add button (or select a group if you are going to use an existing one).
- Click on the group and go into the configuration editor view.
- Set the AWS IoT information in the SIM group. Based on what was set up in "Step 1" and "Step 2", set the group as follows:
  - region: AWS IoT region
  - credentialsId: ID of the credentials set registered above, used for calling the AWS IoT API
  - policyName: policy name to assign to the newly created certificate
  - thingNamePattern: thing name to use if the client does not specify one
  - host: account-specific AWS IoT endpoint host name
- Go to the Subscriber Management menu of the SORACOM user console.
- Select the target SIM(s), click on Change group, select the target group we configured above, and confirm.
Note that any SIM placed in this group can obtain a certificate carrying the configured policy, so only add the SIMs that are meant to be provisioned this way.
Provision a thing and connect a device by using SORACOM Krypton
Now you have finished configuring SORACOM Krypton to provision a device using a SORACOM SIM. Let us run an example script that bootstraps a device and connects to AWS IoT by MQTTS.
Here we use a sample node.js project that
- uses the SIM to authenticate the device to SORACOM Krypton, downloads the configuration parameters for AWS IoT, including the device certificate and private key, and creates a local directory containing the configuration files,
- then uses those configuration files to connect to the AWS IoT MQTTS endpoint.
Once configuration is provisioned and stored in the local directory, the script uses the stored information to connect to AWS IoT.
Download the sample project (node.js) into a working folder and unpack it. Move to the folder "kryptonExamples" created by decompression and execute the following command.
$ npm install
Next, set up according to Krypton’s authentication method.
Authentication using SORACOM Air cellular line
When using SORACOM Air’s cellular line authentication, execute the following command.
$ ln -sf krypton-iot-cellular krypton-iot
SIM authentication with SORACOM Endorse
When using SIM authentication by SORACOM Endorse, first check the following preconditions.
- Your device has SORACOM Global SIM inserted
- The following software is installed:
  - Java 7 or higher
  - node.js 8.10 or higher
If the prerequisites are satisfied, download soracom-krypton.jar from soracom-krypton-client-for-java into the same folder as "kryptonExamples".
Then move to "kryptonExamples" and execute the following command.
$ ln -sf krypton-iot-endorse krypton-iot
This completes the setup for the chosen authentication method.
Create Thing and connect the device
In the case of authentication using SORACOM Air's cellular line, first confirm that the device is online over the Air SIM, since the cellular line itself is what authenticates the request. Then run:
$ node iot-bootstrap.js
Once you see a message saying "connect" on the terminal, your device has successfully connected to AWS IoT using the bootstrap information provided by SORACOM Krypton. You can confirm this by publishing a message to the topic "topic_1" from the AWS IoT management console, as follows.