AWS IoT Thing Connected Event, Find the thing Name from Event.


How can I get the thing name from the AWS IoT lifecycle event for connected/disconnected? I also want to add a filter while listing the lifecycle events so that I get only the selected thing's events.

#1. One option is that the client ID must be the thing name (this might not be viable in our use case).
#2. Is there any way I can decode the "principalIdentifier" and find out the thing name? (at the IoT rule filter OR in the Lambda function)
#3. Is there any better solution for knowing the device online/offline status? (only if connected to IoT Core)

Asked 2 years ago, 624 views
2 answers
2

Hi.

From the lifecycle connect/disconnect event (see below), you can extract the principal identifier, which, if you are authenticating with mTLS, is your certificate ID. With the certificate ID, you can build your certificate ARN, and use ListPrincipalThings (https://docs.aws.amazon.com/iot/latest/apireference/API_ListPrincipalThings.html) to get your thing name.

You can do this in a Lambda function invoked via a rule action, or directly in the select statement of your IoT Rule: https://docs.aws.amazon.com/iot/latest/developerguide/iot-sql-functions.html#iot-func-aws-lambda

{
    "clientId": "xxx",
    "timestamp": xxx,
    "eventType": "connected",
    "sessionIdentifier": "xxx",
    "principalIdentifier": "xxx",
    "ipAddress": "xxx",
    "versionNumber": 0
}

You should ideally keep clientId and thingName aligned, if your solution allows for it.

Hope this helps!

AWS
Answered 2 years ago
  • I agree, but would add that having your client ID and Thing name match is a best practice: https://docs.aws.amazon.com/wellarchitected/latest/iot-lens/identity-and-access-management-iam.html

    #3 is there any better solution for knowing the device online/offline status?

    If you enable fleet indexing, the connectivity status of each Thing is available. So that is a status, instead of an event, but saves you deriving the status yourself. You can then do searches such as connectivity.connected: True. The connectivity status of each Thing is also available in Fleet Hub.
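A worked version of the lookup this answer describes, added here as an example and not code from the answer or from AWS: a Lambda handler that builds the certificate ARN from principalIdentifier and calls ListPrincipalThings, following pagination and handling the case where the certificate has no Thing attached. It assumes X.509 (mTLS) authentication, that the region comes from AWS_REGION and the account ID from the function ARN (an assumed ACCOUNT_ID environment variable is the local fallback), and it takes an injectable client so the offline run uses a fake client with constructed attachments instead of boto3.

```python
"""Resolve the Thing name behind an AWS IoT lifecycle connect/disconnect event.

Added example, not code from the original answer. Assumes mTLS authentication
(principalIdentifier is the certificate ID) and an injectable IoT client: boto3
in Lambda, FakeIotClient with constructed data when run offline.
"""
import os
import re

# Certificate IDs are 64 lowercase hex characters; anything else (an IAM or
# Cognito principal, for instance) has no certificate ARN to look up.
_CERT_ID = re.compile(r"^[0-9a-f]{64}$")


def certificate_arn(region, account, cert_id):
    """ARN in the form ListPrincipalThings expects for a certificate principal."""
    return f"arn:aws:iot:{region}:{account}:cert/{cert_id}"


def things_for_principal(iot, principal_arn):
    """Every Thing attached to the principal, following nextToken pagination."""
    things, token = [], None
    while True:
        kwargs = {"principal": principal_arn}
        if token:
            kwargs["nextToken"] = token
        page = iot.list_principal_things(**kwargs)
        things.extend(page.get("things", []))
        token = page.get("nextToken")
        if not token:
            return things


def resolve_thing_name(event, region, account, iot):
    """Map a lifecycle event to a Thing name, or None when none can be derived."""
    principal = event.get("principalIdentifier", "")
    if not _CERT_ID.match(principal):
        return None  # not certificate auth: nothing to look up
    things = things_for_principal(iot, certificate_arn(region, account, principal))
    if not things:
        return None  # certificate + policy only, no Thing attached
    # A certificate may be attached to several Things; prefer the one whose
    # name equals clientId (the recommended convention), else the first.
    return event["clientId"] if event["clientId"] in things else things[0]


def lambda_handler(event, context=None, iot=None):
    """Rule action target, e.g. SELECT * FROM '$aws/events/presence/#'."""
    if iot is None:
        import boto3  # imported lazily so the module also loads without it
        iot = boto3.client("iot")
    region = os.environ.get("AWS_REGION", "us-east-1")
    if context is not None:  # arn:aws:lambda:<region>:<account>:function:...
        account = context.invoked_function_arn.split(":")[4]
    else:  # assumed env var for local runs
        account = os.environ.get("ACCOUNT_ID", "123456789012")
    return {
        "clientId": event["clientId"],
        "eventType": event["eventType"],
        "thingName": resolve_thing_name(event, region, account, iot),
    }


class FakeIotClient:
    """Offline stand-in for boto3's IoT client (list_principal_things only)."""

    def __init__(self, attachments, page_size=1):
        self.attachments = attachments  # principal ARN -> list of Thing names
        self.page_size = page_size

    def list_principal_things(self, principal, nextToken=None, maxResults=None):
        things = self.attachments.get(principal, [])
        start = int(nextToken or 0)
        resp = {"things": things[start:start + self.page_size]}
        if start + self.page_size < len(things):
            resp["nextToken"] = str(start + self.page_size)
        return resp


# Constructed sample data: CERT_A is attached to two Things, CERT_B to none.
CERT_A = "0123456789abcdef" * 4
CERT_B = "fedcba9876543210" * 4
FAKE_IOT = FakeIotClient({
    certificate_arn("us-east-1", "123456789012", CERT_A): ["sensor-07", "sensor-07-spare"],
})
SAMPLE_EVENTS = [  # constructed lifecycle payloads
    {"clientId": "sensor-07", "timestamp": 1, "eventType": "connected",
     "sessionIdentifier": "s1", "principalIdentifier": CERT_A,
     "ipAddress": "198.51.100.7", "versionNumber": 0},
    {"clientId": "legacy-device", "timestamp": 2, "eventType": "disconnected",
     "sessionIdentifier": "s2", "principalIdentifier": CERT_B,
     "ipAddress": "198.51.100.8", "versionNumber": 3},
]


def demo():
    """Run the handler over the constructed events; returns clientId -> thingName."""
    return {e["clientId"]: lambda_handler(e, iot=FAKE_IOT)["thingName"]
            for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    print(demo())
```

The Lambda's execution role needs iot:ListPrincipalThings; the fake client's one-item pages are there only to exercise the pagination loop.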

2

In AWS IoT, the creation of a Thing is optional. A device can connect to AWS IoT with just a certificate and an attached IoT policy. Because devices can connect without an attached Thing, only the clientId, and not the thing name, is part of the lifecycle connect/disconnect event.

So to solve your problem you need to restrict, using IoT policies, what clients can use as an MQTT clientId. For example, the following policy only allows a device to connect to AWS IoT if the clientId equals the Thing name:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
      ]
    }
  ]
}

If you add custom information to your device certificates created in AWS IoT using create-certificate-from-csr, you can also use info from the certificate, like the CommonName (CN), to restrict the clientId by leveraging the AWS IoT X.509 policy variables:

At this stage, as you control the clientId value that devices set during connection, you can use the clientId in the lifecycle event payload to filter the events.

Hope that helps.

AWS
Expert
Jan_B
Answered 2 years ago
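An added example, not code from the answer: assuming the policy above is in force so that clientId equals the Thing name, it shows the rule topic filter that selects one Thing's lifecycle events and derives that Thing's online/offline status from the filtered events. Events are constructed, carry an assumed `topic` field (what `topic() AS topic` in the rule SELECT would add), and are applied in versionNumber order, because lifecycle events can be delivered out of order or more than once and a naive "last event wins" would flip the status.

```python
"""Per-Thing lifecycle event filtering and online/offline state.

Added example, not code from the original answer. Assumes the IoT policy
above (clientId == Thing name) and that the rule forwards the publish topic
as a `topic` field. All event payloads are constructed.
"""

PRESENCE_PREFIX = "$aws/events/presence/"


def rule_sql_for_thing(thing_name):
    """Rule SQL whose topic filter matches only one Thing's connect/disconnect events."""
    return f"SELECT *, topic() AS topic FROM '{PRESENCE_PREFIX}+/{thing_name}'"


def parse_presence_topic(topic):
    """Return (eventType, clientId) from $aws/events/presence/<type>/<clientId>."""
    if not topic.startswith(PRESENCE_PREFIX):
        raise ValueError(f"not a presence topic: {topic}")
    event_type, _, client_id = topic[len(PRESENCE_PREFIX):].partition("/")
    if event_type not in ("connected", "disconnected") or not client_id:
        raise ValueError(f"malformed presence topic: {topic}")
    return event_type, client_id


class ConnectivityTracker:
    """Derive per-Thing status from events that may be duplicated or reordered.

    versionNumber is a monotonically increasing counter per clientId, so an
    event whose version is not greater than the last applied one is stale or
    a duplicate and must not overwrite the current state.
    """

    def __init__(self):
        self.version = {}  # thing name -> last applied versionNumber
        self.online = {}   # thing name -> bool

    def apply(self, event):
        """Apply one event; return True if it changed the tracked state."""
        event_type, client_id = parse_presence_topic(event["topic"])
        if client_id != event["clientId"] or event_type != event["eventType"]:
            raise ValueError("topic and payload disagree")
        last = self.version.get(client_id)
        if last is not None and event["versionNumber"] <= last:
            return False
        self.version[client_id] = event["versionNumber"]
        self.online[client_id] = event_type == "connected"
        return True

    def status(self, thing_name):
        """'online', 'offline', or 'unknown' when no event has been seen."""
        if thing_name not in self.online:
            return "unknown"
        return "online" if self.online[thing_name] else "offline"


def _event(kind, thing, version, ts):
    """Constructed lifecycle payload plus the topic it would be published on."""
    return {"clientId": thing, "timestamp": ts, "eventType": kind,
            "sessionIdentifier": f"s{version}", "principalIdentifier": "cert",
            "ipAddress": "198.51.100.7", "versionNumber": version,
            "topic": f"{PRESENCE_PREFIX}{kind}/{thing}"}


# Constructed delivery order: sensor-07's reconnect (v2) arrives before its
# disconnect (v1), and v1 is then delivered twice.
SAMPLE_EVENTS = [
    _event("connected", "sensor-07", 0, 100),
    _event("connected", "sensor-07", 2, 130),
    _event("disconnected", "sensor-07", 1, 120),
    _event("disconnected", "sensor-07", 1, 120),
    _event("connected", "pump-02", 0, 101),
    _event("disconnected", "pump-02", 1, 140),
]


def select_thing_events(events, thing_name):
    """Payload-side filter on clientId; the rule SQL does the same at topic level."""
    return [e for e in events if e["clientId"] == thing_name]


def demo(thing_name="sensor-07"):
    """Status of one Thing after its events, plus which events were applied."""
    tracker = ConnectivityTracker()
    applied = [tracker.apply(e) for e in select_thing_events(SAMPLE_EVENTS, thing_name)]
    return tracker.status(thing_name), applied


if __name__ == "__main__":
    print(rule_sql_for_thing("sensor-07"))
    print(demo("sensor-07"), demo("pump-02"))
```

Without the versionNumber check, sensor-07 would end up "offline" after the late disconnect even though its last real state was connected.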
