Using one Certificate attached to a Thing with multiple ClientId


I have a device which consists of 2 modules: one High-Power and one Low-Power. The High-Power module is connected to IoT, but if nothing is happening, it goes to a stand-by mode and the Low-Power module wakes up and connects to IoT. The High-Power module is using ${thingName} as clientId in the MQTT client and I would like the Low-Power module to use the same certificate as High-Power but a different clientId. For High-Power I have an IoT iot:Connect policy with resource arn:aws:iot:REGION:ACCOUNT_ID:client/${iot:Connection.Thing.ThingName} and it works fine. For Low-Power I'd like to use clientId ${thingName}-low. I tried setting up the iot:Connect policy as follows: arn:aws:iot:REGION:ACCOUNT_ID:client/${iot:ClientId} but the client cannot connect. If a Certificate is attached to a Thing, does it mean I can use only clientId == ${thingName}?

EDIT: When I attach the connect policy to the Device-Group - Lower-Power module CANNOT connect. When I attach the same policy directly to the Certificate, it CAN connect

asked 2 years ago, 589 views
1 Answer
Accepted Answer

Hi micro-jumbo.

> EDIT: When I attach the connect policy to the Device-Group - Lower-Power module CANNOT connect. When I attach the same policy directly to the Certificate, it CAN connect

That's because there's no Thing name that matches the client ID you use for the Low-Power module. Hence when you connect with the Low-Power client ID, there's no Thing group membership found. And hence it does not get the Thing group policy applied.

Stepping back from the policy detail for a moment, a couple of points:

  1. It seems like the High-Power and Low-Power modules never connect simultaneously. Is that right? In terms of IoT Core connectivity, they only need different client IDs if they would sometimes be connected at the same time.
  2. Would you perform independent device management of the High and Low Power modules? For example, send a job (or OTA) to just Low Power modules? If so, you would likely benefit from each High and Low Power module each being their own discrete Thing in the registry.

In both situations above you would no longer have two different client IDs for the one Thing.

> If a Certificate is attached to a Thing does it mean I can use only clientId == ${thingName}?

If the only policy resource for Connection is ${iot:Connection.Thing.ThingName}, then yes. Otherwise no.

Greg_B (AWS, EXPERT)
answered 2 years ago
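
The evaluation described in the answer above, as an added example that is not part of the original post and is not AWS code. It is a simplified model; the Thing `sensor-01`, the certificate `cert-A` and the function names are constructed for illustration, and it assumes, as the answer states, that Thing group policies apply only when the client ID matches a Thing name.

```python
# Added example: simplified model of the evaluation described in the answer.
# Not AWS code; thing, group and certificate names are constructed.
ARN = "arn:aws:iot:REGION:ACCOUNT_ID:client/"
THING_VAR = "${iot:Connection.Thing.ThingName}"
CLIENT_VAR = "${iot:ClientId}"

# Constructed registry: one Thing, in one Thing group, with one certificate.
THING_GROUPS = {"sensor-01": ["Device-Group"]}   # thing name -> groups
CERT_THINGS = {"cert-A": {"sensor-01"}}          # certificate -> attached things


def resolve_thing(cert_id, client_id):
    """A Thing is found only when the client ID equals the name of a Thing
    the certificate is attached to (the behaviour the answer describes)."""
    if client_id in CERT_THINGS.get(cert_id, set()):
        return client_id
    return None


def can_connect(cert_id, client_id, cert_policies=(), group_policies=None):
    """Return True if any applicable iot:Connect resource matches client_id.

    cert_policies: resource templates attached directly to the certificate.
    group_policies: {group name: [resource templates]} attached to groups.
    """
    thing = resolve_thing(cert_id, client_id)
    templates = list(cert_policies)
    if thing is not None:  # group policies apply only via Thing membership
        for group in THING_GROUPS.get(thing, []):
            templates += (group_policies or {}).get(group, [])
    for template in templates:
        if THING_VAR in template and thing is None:
            continue  # variable cannot be resolved, statement cannot match
        resource = template.replace(THING_VAR, thing or "")
        resource = resource.replace(CLIENT_VAR, client_id)
        if resource == ARN + client_id:
            return True
    return False


def scenarios():
    """The cases from the question: same policy, attached in different places."""
    by_client = ARN + CLIENT_VAR
    group = {"Device-Group": [by_client]}
    return {
        "group/high": can_connect("cert-A", "sensor-01", group_policies=group),
        "group/low": can_connect("cert-A", "sensor-01-low", group_policies=group),
        "cert/high": can_connect("cert-A", "sensor-01", cert_policies=[by_client]),
        "cert/low": can_connect("cert-A", "sensor-01-low", cert_policies=[by_client]),
        "thingvar/low": can_connect("cert-A", "sensor-01-low", cert_policies=[ARN + THING_VAR]),
    }
```

In this model a certificate-attached `client/${iot:ClientId}` resource matches whatever client ID the certificate presents, so that statement on its own places no restriction on the client ID.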
