In this session, you will learn how to build real-time mobile and web applications that interact over WebSockets. We will dig into how AWS IoT supports MQTT over the WebSocket protocol to enable browser-based and remote applications to send and receive data from AWS IoT connected devices using AWS credentials. Furthermore, we will show you how to use AWS IoT Device SDKs to connect your device to AWS IoT when making a WebSocket connection.
AWS DevDay San Francisco, June 21, 2016
Presenter: David Yanacek, Principal Engineer, AWS IoT
5. Publish / Subscribe
• Standard Protocol Support: MQTT, HTTP, WebSockets
• Long Lived Connections: receive signals from the cloud
• Secure by Default: connect securely via X509 Certs and TLS 1.2 Client Mutual Auth
29. // Connect to AWS IoT over WebSockets. With protocol 'wss' the SDK signs the
// connection with AWS credentials (from the environment or the AWS credentials
// file) instead of presenting a device certificate.
const deviceModule = require('aws-iot-device-sdk').device;
const device = deviceModule({
region: 'us-west-2',
protocol: 'wss',
port: 443,
host: 'YOURENDPOINT.data.iot.us-west-2.amazonaws.com' });
// Subscribe to your own topic
device.subscribe('topic_1');
// Publish a message to the other topic every second
var timeout = setInterval(function() {
device.publish('topic_2', JSON.stringify({
foo: 'bar'
}));
}, 1000);
// Print the messages you receive
device.on('message', function(topic, payload) {
console.log('message', topic, payload.toString());
});
30. Outline
• MQTT recap
• WebSockets: what and why?
• Demo!
• Device SDK examples and code
• Authentication, authorization, and WebSockets
32. Authentication for devices
Device credentials
• Private key (authenticate the device)
• Certificate (register the device with IoT)
• Root CA cert (authenticate IoT)
37. Cognito Identities in AWS IoT
Authenticated
• End-users sign in
• Customize user-specific policy in AWS IoT
• Users cannot access AWS IoT until IoT policy is attached
Unauthenticated
• No sign-in (anonymous)
• Use IAM role policy and policy variables to restrict access
• No user-specific policy in AWS IoT
38. Choosing authenticated vs unauthenticated
Decision flow:
• Do you want information about the end-user? Yes: use authenticated identities.
• If no: do you want to let only certain users use your app? Yes: use authenticated identities.
• If no: do you want to access IoT without the user signing in? Yes: use unauthenticated identities. No: use either authenticated or unauthenticated identities.
41. Attaching policy
• IAM User (Your AWS Console admin users)
• IAM EC2 Instance Role (Your EC2-based apps)
• IAM Lambda Role (Your Lambda-based apps)
• IAM Cognito Role (Cognito end-users)
• IoT Principal (Device certificates, Cognito users)
48. Policy variables for Cognito users
{
"Effect": "Allow",
"Action": "iot:Publish",
"Resource": [
"arn:*:topic/foo/${cognito-identity.amazonaws.com:sub}"
]
}
AWS.config.region = 'us-east-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'us-east-1:YOUR_IDENTITY_POOL_ID'
});
// Resolve the Cognito identity first; its id is what the policy variable expands to
AWS.config.credentials.get(function(err) {
if (err) { return; }
var cognitoId = AWS.config.credentials.identityId;
mqttClient.connect(...);
// Only topics under foo/<own identity id> are allowed by the policy above
mqttClient.publish('foo/' + cognitoId);
});
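To show what the `${cognito-identity.amazonaws.com:sub}` variable actually buys you, here is an added example (not code from the talk or from AWS) that mimics policy-variable substitution and IoT policy wildcard matching for the kind of per-user topic scoping shown above and in the Alice/Bob/Chuck slides. The account id, identity ids, and the extra `home/...` statements are constructed; this is a model of the evaluation, not the AWS authorizer.

```javascript
// Added example: a small evaluator modelling how a Cognito policy variable scopes
// each identity to its own topics. ARNs, ids and statements are constructed.
const COGNITO_SUB = '${cognito-identity.amazonaws.com:sub}';

// Policy in the shape shown on the slide, with full ARNs and a Deny for doors.
const policy = {
  Statement: [
    { Effect: 'Allow', Action: ['iot:Publish', 'iot:Receive'],
      Resource: `arn:aws:iot:us-east-1:123456789012:topic/foo/${COGNITO_SUB}` },
    { Effect: 'Allow', Action: 'iot:Publish',
      Resource: 'arn:aws:iot:us-east-1:123456789012:topic/home/123_aws_ave/light_*' },
    { Effect: 'Deny', Action: 'iot:Publish',
      Resource: 'arn:aws:iot:us-east-1:123456789012:topic/home/*/door_*' },
  ],
};

// Fill in the caller's identity id, then turn the IoT policy wildcards
// (* = any run of characters, ? = one character) into an anchored regex.
function resourceMatcher(resource, cognitoId) {
  const filled = resource.split(COGNITO_SUB).join(cognitoId);
  const escaped = filled.replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$');
}

// IAM-style evaluation: an explicit Deny wins, otherwise any matching Allow permits.
function isAllowed(policy, cognitoId, action, resourceArn) {
  let allowed = false;
  for (const s of policy.Statement) {
    const actions = [].concat(s.Action);
    const resources = [].concat(s.Resource);
    if (!actions.includes(action)) continue;
    const hit = resources.some(r => resourceMatcher(r, cognitoId).test(resourceArn));
    if (hit && s.Effect === 'Deny') return false;
    if (hit) allowed = true;
  }
  return allowed;
}

// Helper to build a topic ARN in the constructed account.
const topicArn = t => `arn:aws:iot:us-east-1:123456789012:topic/${t}`;

// Alice may publish to her own foo/ topic but not to Bob's.
console.log(isAllowed(policy, 'alice-id', 'iot:Publish', topicArn('foo/alice-id'))); // true
console.log(isAllowed(policy, 'alice-id', 'iot:Publish', topicArn('foo/bob-id')));   // false
```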
50. Fine-grained access control
Diagram: three end-users (Alice, Bob, Chuck) and the operations they request: SUB home/456_iot_ln; SUB home/123_aws_ave/#; PUB home/123_aws_ave/light_1/on; SUB home/123_aws_ave/#; PUB home/123_aws_ave/door_1/open
51. Fine-grained access control
Diagram: the same three end-users (Alice, Bob, Chuck) with the operations: PUB home/123_aws_ave/door_1/open; SUB home/123_aws_ave/#; PUB home/123_aws_ave/light_1/on; SUB home/123_aws_ave/#; PUB home/123_aws_ave/door_1/open
53. Unauthenticated access for end-users
Diagram: the Administrator creates a Cognito Identity Pool and an IAM role (with its permissions), then creates and attaches an IoT policy for each of Alice, Bob, and Chuck.
54. Chicken and egg: when to attach the policy?
• Users cannot connect until they have a policy in IoT
• Policy cannot be attached without knowing the user's CognitoId
Solution: attach a policy when the user first connects!
57. What permissions to attach?
• Shape Up! demo: everyone gets “user” access
• Only manually registered users get “control” access
• Start with minimal permissions
59. Wrapping up
• WebSockets make IoT interactive
• Authentication for humans is different than for devices
• Use Lambda to drive user registration and pairing
• Getting started with the AWS IoT Device SDK is easy
• AWS IoT WebSockets, Rules Engine, Shadow and Lambda make server-less applications easy