AWS IoT Thing Connected Event: find the thing name from the event

0

How can I get the thing name from the AWS IoT lifecycle event for connected/disconnected? I also want to add a filter while listing the lifecycle events so that I get only the selected thing's events.

#1. One option is that the client ID must be the thing name (this might not be viable in our use case).
#2. Is there any way I can decode the "principalIdentifier" and find out the thing name (in the IoT rule filter or in the Lambda function)?
#3. Is there any better solution for knowing the device online/offline status (only if connected to IoT Core)?

Asked 2 years ago, 622 views
2 answers
2

Hi.

From the lifecycle connect/disconnect event (see below), you can extract the principal identifier, which, if you are authenticating with mTLS, is your certificate id. With the certificate id, you can build your certificate ARN, and use ListPrincipalThings (https://docs.aws.amazon.com/iot/latest/apireference/API_ListPrincipalThings.html) to get your thing name.

You can do this in a Lambda function invoked via a rule action, or directly in the select statement of your IoT Rule: https://docs.aws.amazon.com/iot/latest/developerguide/iot-sql-functions.html#iot-func-aws-lambda

{
    "clientId": "xxx",
    "timestamp": xxx,
    "eventType": "connected",
    "sessionIdentifier": "xxx",
    "principalIdentifier": "xxx",
    "ipAddress": "xxx",
    "versionNumber": 0
}

You should ideally keep clientId and thingName aligned, if your solution allows for it.

Hope this helps!

AWS
Answered 2 years ago
  • I agree, but add that having your client ID and Thing name match is a best practice: https://docs.aws.amazon.com/wellarchitected/latest/iot-lens/identity-and-access-management-iam.html

    #3 is there any better solution for knowing the device online/offline status?

    If you enable fleet indexing, the connectivity status of each Thing is available. So that is a status, instead of an event, but saves you deriving the status yourself. You can then do searches such as connectivity.connected: True. The connectivity status of each Thing is also available in Fleet Hub.
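The following is an added example for this thread, not code from either answer: a Lambda that takes a lifecycle event in the shape shown in the first answer, builds the certificate ARN from principalIdentifier, pages through ListPrincipalThings, and then applies the "only the selected thing" filter on the resolved name. It assumes mTLS authentication (so principalIdentifier is the certificate id), boto3's `list_principal_things` signature, and placeholder region/account values read from the environment; the offline stub client, the sample event and the thing names are constructed for illustration.

```python
"""Resolve a thing name from an AWS IoT lifecycle connect/disconnect event.

Added example for this thread, not code from the answers. Assumes mTLS
authentication (principalIdentifier is the certificate id) and an IoT client
with boto3's list_principal_things signature, injected so the logic runs offline.
"""
import os
from typing import Iterable, List, Optional

# Constructed sample event with the shape shown in the first answer.
SAMPLE_EVENT = {
    "clientId": "sensor-42",
    "timestamp": 1700000000000,
    "eventType": "connected",
    "sessionIdentifier": "constructed-session-id",
    "principalIdentifier": "ab12" * 16,  # constructed 64-hex certificate id
    "ipAddress": "192.0.2.10",
    "versionNumber": 0,
}

LIFECYCLE_EVENTS = ("connected", "disconnected")


def certificate_arn(certificate_id: str, region: str, account_id: str) -> str:
    """Build the certificate ARN that ListPrincipalThings expects as 'principal'."""
    return f"arn:aws:iot:{region}:{account_id}:cert/{certificate_id}"


def things_for_event(event: dict, iot_client, region: str, account_id: str) -> List[str]:
    """Return every thing attached to the connecting certificate.

    A certificate can be attached to several things (or to none, as the second
    answer notes), so the result is a list, and the call is paged with nextToken.
    """
    if event.get("eventType") not in LIFECYCLE_EVENTS:
        return []
    kwargs = {"principal": certificate_arn(event["principalIdentifier"], region, account_id)}
    names: List[str] = []
    while True:
        resp = iot_client.list_principal_things(**kwargs)
        names.extend(resp.get("things", []))
        token = resp.get("nextToken")
        if not token:
            return names
        kwargs["nextToken"] = token


def select_wanted(thing_names: Iterable[str], wanted: Iterable[str]) -> Optional[str]:
    """Filter step: first resolved thing name that is in `wanted`, else None.

    Matching on the resolved thing name rather than clientId keeps the filter
    correct even when clients do not use their thing name as client id.
    """
    wanted_set = set(wanted)
    for name in thing_names:
        if name in wanted_set:
            return name
    return None


class OfflineIotStub:
    """Constructed stand-in for boto3's iot client: two pages, no network."""

    def __init__(self):
        self.calls: List[dict] = []

    def list_principal_things(self, **kwargs):
        self.calls.append(dict(kwargs))
        if "nextToken" not in kwargs:
            return {"things": ["sensor-42"], "nextToken": "page2"}
        return {"things": ["sensor-42-gateway"]}


def demo():
    """Run the resolution offline; returns (all thing names, filtered hit)."""
    stub = OfflineIotStub()
    names = things_for_event(SAMPLE_EVENT, stub, "us-east-1", "123456789012")
    return names, select_wanted(names, ["sensor-42-gateway"])


def lambda_handler(event, context):
    """Entry point for a Lambda invoked by an IoT rule on the lifecycle topics."""
    import boto3  # imported here so the module runs offline without boto3 installed

    region = os.environ["AWS_REGION"]
    account_id = os.environ["ACCOUNT_ID"]  # placeholder, set in the function environment
    wanted = os.environ.get("WATCHED_THINGS", "").split(",")
    names = things_for_event(event, boto3.client("iot", region_name=region), region, account_id)
    return {"eventType": event.get("eventType"), "thingName": select_wanted(names, wanted),
            "allThings": names}
```

The rule that feeds this Lambda subscribes to the lifecycle topics (for example `SELECT * FROM '$aws/events/presence/connected/+'` and the matching `disconnected` topic). An empty list from `things_for_event` is the case the second answer describes: the certificate authenticated fine but has no thing attached, so no thing name can be derived from the event at all.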

2

In AWS IoT, the creation of a Thing is optional. A device can connect to AWS IoT just with a certificate and an attached IoT policy. Because devices can connect without an attached Thing, only the clientid, and not the thing name, is part of the lifecycle connect/disconnect event.

So to solve your problem you need to restrict, using IoT policies, what clients can use as an MQTT clientid. For example, the following policy only allows a device to connect to AWS IoT if the clientid = Thing name:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
      ]
    }
  ]
}

If you add custom information to your device certificates created in AWS IoT using create-certificate-from-csr, you can also use info from the certificate, like the CommonName (CN), to restrict the clientid by leveraging the AWS IoT X.509 policy variables:

At this stage, as you control the clientid value devices set during connection, you can use the clientid in the lifecycle events payload to filter the events.

Hope that helps.

AWS Expert
Jan_B
Answered 2 years ago
