AWS IoT thing provisioning with Krypton

Krypton is a service that provides secure provisioning by using the authentication platform built on SIMs issued by SORACOM and the SORACOM cellular core network.

In Krypton there are two authentication methods for provisioning:

In this guide, we authenticate using “SIM authentication with SORACOM Endorse” as the authentication method.


Here are the steps to set up SORACOM Krypton to be able to automatically provision a thing in AWS IoT and provide configuration including certificates to a client device.

  1. Create an AWS IoT policy that you will assign to things provisioned through the service
  2. Create AWS IAM credentials that have permission to provision a thing in AWS IoT and generate a certificate for it
  3. Configure SORACOM Krypton

Once the above has finished, a device with a SORACOM SIM and the Krypton client can automatically provision itself in AWS IoT and connect with MQTTS.

Create AWS IoT policy that you will assign to things provisioned through the service

In order to provision a thing in AWS IoT, there needs to be a policy that defines what can be done by a thing. In this section, we go through the steps to create a policy to be used for a device that we provision via SORACOM Krypton.

Go to AWS IoT core Management console


Click on Policies menu in Secure section of AWS IoT Core management console, and click on Create button.


Edit the policy so that it fits your requirements. You may click on Add statement button to add more policy statements. (You can edit the policy any time, as needed).


Make sure a message saying Successfully created appears. Remember the policy name as it will be necessary to configure in SORACOM Krypton.
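
One way to check the policy document before giving its name to Krypton, since the same policy is attached to every thing provisioned through the service. This is an added example, not code from SORACOM or the sample project. The account ID, the region and both sample policies are constructed, and the scoped policy assumes the device connects with an MQTT client ID equal to its thing name.

```javascript
// Added example: lint an AWS IoT policy before it is assigned to provisioned things.
// Account ID, region and both policies below are constructed sample values.
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Return one finding per over-broad grant in an Allow statement.
function lintIotPolicy(policy) {
  const findings = [];
  asArray(policy.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== 'Allow') return;
    for (const action of asArray(stmt.Action)) {
      if (action === '*' || action === 'iot:*') {
        findings.push(`Statement ${i}: wildcard action "${action}"`);
      }
    }
    for (const resource of asArray(stmt.Resource)) {
      // "*" alone, or an ARN whose resource part is only a wildcard (client/*, topic/*)
      if (resource === '*' || /:(client|topic|topicfilter)\/\*$/.test(resource)) {
        findings.push(`Statement ${i}: wildcard resource "${resource}"`);
      }
    }
  });
  return findings;
}

const ARN = 'arn:aws:iot:us-east-1:123456789012'; // placeholder region and account

// Any device holding a certificate with this policy can act on every topic.
const broadPolicy = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: 'iot:*', Resource: '*' }],
};

// Assumption: client ID equals the thing name, and the device only uses topic_1.
const scopedPolicy = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: 'iot:Connect',
      Resource: `${ARN}:client/\${iot:Connection.Thing.ThingName}` },
    { Effect: 'Allow', Action: 'iot:Subscribe', Resource: `${ARN}:topicfilter/topic_1` },
    { Effect: 'Allow', Action: ['iot:Publish', 'iot:Receive'],
      Resource: `${ARN}:topic/topic_1` },
  ],
};

console.log(lintIotPolicy(broadPolicy));  // two findings
console.log(lintIotPolicy(scopedPolicy)); // no findings
```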

Create AWS IAM credentials that have permission to provision a thing in AWS IoT and generate certificates

In order for SORACOM Krypton to create a thing, generate keys and a certificate for it, and attach a policy, a set of AWS credentials with the right permission set is required. This section walks you through the steps to create an AWS IAM user, attach the right set of policies and obtain a set of AWS credentials.

Go to AWS IAM management console


Go to the Users section and click on Add user


Give a name to the user that we are going to create, allow programmatic access and click Next: Permissions


Select Attach existing policies directly, search for the AWSIoTThingsRegistration policy and click on the checkbox.


Click on Create policy to add a new policy


Select IoT as the target service, enable the checkbox for CreateKeysAndCertificate and click on Review Policy


Name the policy and click on Create policy


Go back to the Add user wizard and search for the policy created in the last step (you may need to click on the Refresh button to find it). Click on the checkbox and click Next.


Review the configuration and click on Create User.


Copy both the AWS access key ID and the secret access key and paste them somewhere you can save the information securely. (Note that the AWS secret access key is shown only once at this point. Make sure you have stored both values, as we need to use them later.)

Configure SORACOM Krypton for AWS IoT

By following the steps above, you have collected the information you will need to configure SORACOM Krypton. Now we configure a configuration group so that a SIM can use the information to provision a thing in AWS IoT. We first create an entry in the SORACOM credentials store, and then set the credentials ID and the AWS IoT related parameters in a configuration group.

Register AWS credentials to SORACOM credentials store

Go to the SORACOM user console and select Security in the operator menu at the top right corner


Go to credentials section and click on Register a credentials set.


Give a name to the credentials set, select AWS credentials as the type, and copy and paste the AWS credentials we created in the previous section.


Create a configuration group and put a SIM into the group

Go to groups menu on SORACOM user console


Create a group by clicking on Add button (or select a group if you are going to use existing one)


Click on the group and go into the configuration editor view.


Set AWS IoT information in the SIM group.

Based on the contents set in “Step 1” and “Step 2”, set the group as follows:

region: AWS IoT region
credentialsId: credentials ID for calling AWS IoT API
policyName: policy name to assign to the newly created certificate
thingNamePattern: thing name to use if the client does not specify one
host: Account specific AWS IoT endpoint host name

Go to Subscriber Management menu of SORACOM user console


Select target SIM(s) and click on Change group in the Actions menu


Select the target group we have configured and click Update


Provision a thing and connect a device by using SORACOM Krypton

You have now finished configuring SORACOM Krypton to provision a device by using a SORACOM SIM. Let us now run an example script that bootstraps a device and connects to AWS IoT by MQTTS.

Here we use a sample node.js project that

Once configuration is provisioned and stored in the local directory, the script uses the stored information to connect to AWS IoT.

Download the sample project (nodejs) in the same folder and unpack it. Move to the folder “kryptonExamples” created after decompression and execute the following command.

$ npm install

Next, set up according to Krypton’s authentication method.

Authentication using SORACOM Air cellular line

When using SORACOM Air’s cellular line authentication, execute the following command.

$ ln -sf krypton-iot-cellular krypton-iot

SIM authentication with SORACOM Endorse

When using SIM authentication by SORACOM Endorse, first check the following preconditions.


If the prerequisites are satisfied, download soracom-krypton.jar from soracom-krypton-client-for-java into the same folder as “kryptonExamples”. Then move to “kryptonExamples” and execute the following command.

$ ln -sf krypton-iot-endorse krypton-iot

This completes the setup for the chosen authentication method.

Create Thing and connect the device

When authenticating with SORACOM Air’s cellular line, first confirm that you can connect with the Air SIM.

Run node iot-bootstrap.js

$ node iot-bootstrap.js

Once you see a message saying connect on the terminal, your device has successfully connected to AWS IoT by using the bootstrap information provided by SORACOM Krypton. You can confirm that by publishing a message to the topic topic_1 on the AWS IoT Management console as follows.

