
Need advice for using Cognito principal as a Thing in AWS IoT


I'm connecting a BLE device via a mobile app to AWS IoT. The mobile app will be the MQTT client and forward messages between MQTT and certain BLE characteristics.

I need to use AWS IoT Jobs (which has a dependency on Things) to download/cache firmware onto the app and then use BLE client/server communication to do the actual 'local' firmware upgrade.

My question is how to map my app (user login and local BLE device authentication performed) as an AWS IoT Thing. I see a Thing can only support two principals: certificate and Cognito ID. I know the first one very well and definitely do not want to go in that direction. I'm not familiar with Cognito ID; it sounds doable, but I did some searching on the internet and couldn't find any details on using a Cognito ID to connect to AWS IoT and be seen as a Thing.

Does this make sense? Can you give me more details?

1 Answer

Greeting

Hi Swordman,
Thank you for sharing your detailed question! It’s clear you’ve been exploring how to effectively connect your BLE device to AWS IoT Core using Cognito and IoT Jobs. Let’s dive into your specific situation and work through a solution together. 😊


Clarifying the Issue

You’re working on a mobile app that connects a BLE device to AWS IoT Core. The app serves as the MQTT client and bridges BLE characteristics. Additionally, you aim to leverage AWS IoT Jobs for firmware updates while handling local BLE communication for the actual upgrades.

The challenge is mapping your mobile app’s user (authenticated through Cognito) to an AWS IoT Thing, given the dependency on certificate-based or Cognito-based principals for IoT Things. You’re not familiar with using Cognito IDs and need clarification on whether they can act as IoT Things and, if so, how this setup would look.

You’ve done some research but found limited guidance on this approach. Let’s explore how to resolve this while staying aligned with your constraints and goals.


Key Terms

  • AWS IoT Core: A managed cloud service for securely connecting IoT devices to AWS.
  • AWS IoT Jobs: A feature to manage device operations, like firmware updates, over IoT Core.
  • AWS IoT Thing: A digital representation of a physical device in AWS IoT.
  • Amazon Cognito: A service for managing user authentication and authorization.
  • Principal: An entity (certificate, Cognito ID, etc.) that AWS IoT uses to identify and authenticate actions.

The Solution (Our Recipe)

Steps at a Glance:

  1. Set up an IoT Thing and attach a Cognito principal.
  2. Enable MQTT communication between the app and IoT Core.
  3. Configure IoT Jobs to send firmware updates to the app.
  4. Use local BLE communication for device updates.
  5. Add observability to track and debug potential issues.

Step-by-Step Guide:

  1. Set up an IoT Thing and attach a Cognito principal:
    • In the AWS IoT Console, create an IoT Thing to represent your device.
    • Attach a Cognito Identity to the Thing by enabling the Amazon Cognito identity pool in the IoT Core settings. This allows the mobile app user (authenticated through Cognito) to act as a principal.

  2. Enable MQTT communication between the app and IoT Core:
    • Configure the MQTT client in your mobile app to use Cognito Identity credentials.
    • Grant the Cognito Identity scoped permissions in AWS IAM to publish/subscribe to IoT topics. Use a policy like:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "iot:Connect",
                  "Resource": "arn:aws:iot:<region>:<account>:client/<thing>"
              },
              {
                  "Effect": "Allow",
                  "Action": "iot:Subscribe",
                  "Resource": "arn:aws:iot:<region>:<account>:topicfilter/<thing>/update"
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "iot:Publish",
                      "iot:Receive"
                  ],
                  "Resource": "arn:aws:iot:<region>:<account>:topic/<thing>/update"
              }
          ]
      }
    • Replace <region>, <account>, and <thing> with your AWS region, account ID, and IoT Thing name.

  3. Configure IoT Jobs to send firmware updates to the app:
    • Create a new IoT Job with the firmware update payload.
    • Use the IoT Thing’s logical ID to target the update.
    • The mobile app will subscribe to the relevant IoT topic and receive the job instructions.

  4. Use local BLE communication for device updates:
    • Once the firmware payload is downloaded via IoT Jobs, use the app’s BLE communication stack to send it to the connected BLE device.
    • Ensure the app verifies the firmware integrity before pushing updates to the device.

  5. Add observability to track and debug potential issues:
    • Enable AWS IoT logging in the IoT Core settings to track MQTT message flow and troubleshoot permissions issues.
    • Use CloudWatch Metrics to monitor the IoT Jobs process and BLE communication events for anomalies or delays.

Closing Thoughts

Using Cognito principals as IoT Things is a flexible way to manage mobile app user access without relying on certificate-based authentication. While this approach is less common, it’s entirely achievable with proper IAM policies and IoT Core configurations. For scaling, consider logging and observability tools to monitor and fine-tune your setup. If you encounter additional challenges, feel free to share more details, and I’d be happy to help further!


Farewell

Best of luck with your project, Swordman! I hope this solution helps you streamline your IoT implementation. Let me know how it works out. 😊


Cheers,

Aaron 🚀

answered a year ago
  • Hi Swordman,
    Your project sounds fantastic! It looks like your mobile app is playing a central role in both bridging BLE communication and managing the IoT device.

    While AWS IoT Core is a great choice for device management and firmware updates, you might find AWS Amplify or AWS AppSync helpful for enhancing your mobile app's backend. These services are specifically designed for mobile and web apps, handling tasks like user authentication (via Cognito) and managing API connections. AppSync, for example, could help streamline communication between your app and IoT workflows, providing a clean separation of concerns between the mobile app and IoT device logic.

    Just a thought to consider as your project grows—looking forward to seeing how it develops! 😊
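As an added example (not from the original answer, nor AWS sample code), here is a Python sketch of steps 1, 2 and 4 of the recipe above using the real boto3 IoT calls create_policy, attach_policy and attach_thing_principal. The Thing name, Cognito identity ID and account number are constructed values; it assumes the app's MQTT client ID equals the Thing name and that the job document carries a `sha256` field for the firmware.

```python
import hashlib
import json


def build_iot_policy(region, account, thing):
    """AWS IoT policy scoped to one Thing (assumed client ID == Thing name).
    iot:Connect needs a client ARN, iot:Subscribe a topicfilter ARN and
    Publish/Receive a topic ARN; IoT Jobs uses the reserved topics under
    $aws/things/<thing>/jobs/, so the app only ever sees its own jobs."""
    base = f"arn:aws:iot:{region}:{account}"
    jobs = f"$aws/things/{thing}/jobs"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": f"{base}:client/{thing}"},
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": f"{base}:topicfilter/{jobs}/*"},
            {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
             "Resource": f"{base}:topic/{jobs}/*"},
        ],
    }


def attach_cognito_principal(iot, thing, identity_id, policy_name, region, account):
    """Make a Cognito identity the Thing's principal: create the scoped IoT
    policy, attach it to the identity (this IoT policy is separate from the IAM
    role policy the identity pool also grants), then bind identity and Thing.
    `iot` is a boto3 IoT client, or the offline stub below."""
    doc = build_iot_policy(region, account, thing)
    iot.create_policy(policyName=policy_name, policyDocument=json.dumps(doc))
    iot.attach_policy(policyName=policy_name, target=identity_id)
    iot.attach_thing_principal(thingName=thing, principal=identity_id)
    return doc


def firmware_matches(job_document, payload):
    """Step 4 integrity check: push the blob to the BLE device only when its
    SHA-256 equals the digest in the job document (field name assumed)."""
    return hashlib.sha256(payload).hexdigest() == job_document["sha256"]


class RecordingIotClient:
    """Constructed stand-in for boto3's IoT client so the flow runs offline."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        return lambda **kw: self.calls.append((name, kw))
```

With a real client (`boto3.client("iot")`) the same three calls run against the account; the identity ID is the one the app obtains from the Cognito identity pool.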
