Hi,
I understand that you need to work with AWS SDK.
So, you have to call the AWS service endpoints via REST directly from the language (C in your case). The hard part is then to produce a proper SigV4 signature for your request so that it is properly authenticated and checked.
This repo gives you an implementation of SigV4 in C: https://github.com/sidbai/aws-sigv4-c/blob/master/aws_sigv4/lib/aws_sigv4.c
If you combine the above with your usual way of coding REST requests in C to match the AWS service API of describe-service (see https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_DescribeEndpoint.html), which has only one parameter, you will be able to call this API from C without the SDK.
Best,
Didier
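To make the SigV4 step concrete, here is an added example (not from the linked repo or from the reply above) that builds the canonical request, string to sign, derived signing key and `Authorization` header for `GET /endpoint?endpointType=iot:Data-ATS` on the IoT control plane host. It is written in Python with only `hashlib`/`hmac` so the intermediate strings can be checked before porting the same steps to C; it assumes long-term IAM keys (no session token header) and the `execute-api` signing name the AWS SDKs use for the IoT control plane.

```python
import hashlib
import hmac
from urllib.parse import quote


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_describe_endpoint(access_key, secret_key, region, amz_date,
                           endpoint_type="iot:Data-ATS", service="execute-api"):
    """Return (headers, canonical_request, string_to_sign) for a SigV4-signed
    GET /endpoint?endpointType=<endpoint_type> on iot.<region>.amazonaws.com.
    amz_date is the ISO8601 basic timestamp, e.g. 20240101T000000Z."""
    host = f"iot.{region}.amazonaws.com"
    date_stamp = amz_date[:8]  # YYYYMMDD part of the timestamp

    # Step 1: canonical request. Query values are URI-encoded (':' -> %3A);
    # a GET has no body, so the payload hash is SHA256 of the empty string.
    canonical_query = "endpointType=" + quote(endpoint_type, safe="-_.~")
    canonical_headers = f"host:{host}\nx-amz-date:{amz_date}\n"
    signed_headers = "host;x-amz-date"
    canonical_request = "\n".join(["GET", "/endpoint", canonical_query,
                                   canonical_headers, signed_headers,
                                   _sha256_hex(b"")])

    # Step 2: string to sign, scoped to date/region/service.
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode())])

    # Step 3: derived signing key. Only HMAC outputs leave this function;
    # the secret key itself is never placed in the request.
    k = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()

    headers = {
        "Host": host,
        "X-Amz-Date": amz_date,
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={signature}"),
    }
    return headers, canonical_request, string_to_sign
```

Note that this path requires an IAM access key and secret on the device itself, which is exactly the credential the fleet provisioning approach in the other reply avoids baking into firmware.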
Hi. The embedded C SDK is an AWS IoT Device SDK: https://docs.aws.amazon.com/iot/latest/developerguide/iot-sdks.html. IoT Device SDKs are designed to help you build an IoT device. In particular, to use MQTT to interact with the AWS IoT Core broker (data endpoint, and particularly the Data-ATS endpoint).
The DescribeEndpoint and CreateCertificateFromCsr operations are from the IoT control plane: https://docs.aws.amazon.com/iot/latest/apireference/API_Operations_AWS_IoT.html. This is a RESTful HTTP API. An IoT device would not normally interact with this API, and hence the IoT Device SDKs don't support it. To interact with AWS HTTP APIs, you would typically use one of the AWS SDKs (distinct from IoT Device SDKs).
In the case of the embedded C IoT Device SDK in particular, it's intended to be used on resource-constrained micro-controller devices. It would be very unusual for that kind of device to interact with the IoT control plane. Such devices are normally provisioned with the endpoint and certificate during the manufacturing process, rather than retrieving these from the HTTP API. There may instead be an external programming station on the manufacturing line that calls into the control plane, and then injects the endpoint and certificate into the device, by wire. In other words, it's not the device that should make these calls.
This provisioning whitepaper may help: https://docs.aws.amazon.com/whitepapers/latest/device-manufacturing-provisioning/device-manufacturing-provisioning.html
One provisioning option is fleet provisioning. In that case, the device will use MQTT to call CreateCertificateFromCsr: https://docs.aws.amazon.com/iot/latest/developerguide/fleet-provision-api.html. The C-SDK includes a fleet provisioning library: https://github.com/aws/aws-iot-device-sdk-embedded-C/tree/main/libraries/aws. And a demo: https://github.com/aws/aws-iot-device-sdk-embedded-C/tree/main/demos/fleet_provisioning
For certainty on the endpoint, you can use custom endpoints to create your own domain: https://docs.aws.amazon.com/iot/latest/developerguide/iot-custom-endpoints-configurable-custom.html
Thanks for your detailed explanation. Please forgive my lack of understanding. I've been programming toasters for far too long.
I am using the aws-iot-device-sdk-embedded-C project fleet_provisioning_with_csr_demo. This works beautifully with one minor detail: the fixed value for AWS_IOT_ENDPOINT. Our use case is not unique (IMO). We're trying to make the production of a smart toaster not require the provisioning step you mentioned. The toasters can be shipped to and plugged in anywhere in the world. The one-time startup script is set up to retrieve the permanent certificate and key (with a hardcoded endpoint). Can that endpoint be generic for that initial provisioning, then be obtained after the claim certificate process?

Hi. Do you mean that toasters should connect to a different regional endpoint in your account, depending on where in the world they are unboxed? If so, the custom domain feature I mentioned should help. You can have all your toasters programmed to connect to mytoasters.com, and use Route53 to route to the correct regional endpoint: https://aws.amazon.com/blogs/iot/automate-global-device-provisioning-with-aws-iot-core-and-amazon-route-53/. You'll still need to provision the fleet provisioning claim certificates in the factory, using a different claim certificate for different batches.
Seems like a chicken and egg problem. The device is new and using the create-certificate-with-csr, and has no endpoint to connect to, and I need one to get the describe-endpoint to tell me what it is. Maybe an example on how to make the REST call?