Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Using one Certificate attached to a Thing with multiple ClientId

0

I have a device which consists of 2 modules: one High-Power and one Low-Power. High-Power module is connected to the Iot, but if nothing is happening, it goes to ac stand-by mode and the Low-Power module wakes up and connects to IoT. High-power module is using ${thingName} as clientId in MQTT client and I would like Low-Power module to use the same certificate as High-Power but different clientId. For High-Power I have a IoT iot:Connect policy with resource arn:aws:iot:REGION:ACCOUNT_ID:client/${iot:Connection.Thing.ThingName} and it works fine. For Low-Power I'd like to use clientId ${thingName}-low. I tried setting up the iot:Connect policy as follows: arn:aws:iot:REGION:ACCOUNT_ID:client/${iot:ClientId} but client cannot connect. If a Certificate is attached to a Thing does it mean I can use only clientId == ${thingName}?

EDIT: When I attach the connect policy to the Device-Group - Lower-Power module CANNOT connect. When I attach the same policy directly to the Certificate, it CAN connect

Topics
Internet of Things (IoT)
Tags
AWS IoT Core
Language
English
asked 4 years ago885 views
1 Answer
0
Accepted Answer

UPDATE AUG 6 2025: Exclusive thing association was introduced in Nov 2024. This allows you to use the thing policy variable even when the client ID does not match the thing name. Accordingly, you can open multiple concurrent connections, each with a different client ID, using one certificate attached to one thing.

ORIGINAL ANSWER Hi micro-jumbo.

EDIT: When I attach the connect policy to the Device-Group - Lower-Power module CANNOT connect. When I attach the same policy directly to the Certificate, it CAN connect

That's because there's no Thing name that matches the client ID you use for the Low-Power module. Hence when you connect with the Low-Power client ID, there's no Thing group membership found. And hence it does not get the Thing group policy applied.

Stepping back from the policy detail for a moment, a couple of points:

  1. It seems like the High-Power and Low-Power modules never connect simultaneously. Is that right? In terms of IoT Core connectivity, they only need different client IDs if they would sometimes be connected at the same time.
  2. Would you perform independent device management of the High and Low Power modules? For example, send a job (or OTA) to just Low Power modules? If so, you would likely benefit from each High and Low Power module each being their own discrete Thing in the registry.

In both situations above you would no longer have two different client IDs for the one Thing.

If a Certificate is attached to a Thing does it mean I can use only clientId == ${thingName}?

If the only policy resource for Connection is ${iot:Connection.Thing.ThingName}, then yes. Otherwise no.

AWS
EXPERT
answered 4 years ago
  • Greg EXPERT
    4 months ago

    Answer updated to mention exclusive thing association, a feature that was introduced after this question was answered.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content