AWS IoT Fleet Provisioning Defaults to User-Initiated Despite Claim Certificate

Hello AWS IoT Community,

I am encountering an issue with AWS IoT Fleet Provisioning where my provisioning template continuously defaults to user-initiated provisioning, even though I am explicitly setting it up to use a claim certificate.

What I’m Trying to Do:

I am working on IoT Fleet Provisioning for an ESP32 device. The intended workflow is:

  1. Device connects via MQTT using a claim certificate.
  2. Device requests an ownership token to provision itself automatically.
  3. AWS IoT registers the new Thing using my Fleet Provisioning template.
  4. The device receives its unique certificate and stores it.

However, AWS IoT is treating this as a user-initiated provisioning process, even though my template explicitly references a claim certificate.

Current Setup:

  • Provisioning Template Type: FLEET_PROVISIONING
  • Claim Certificate: Active and attached to necessary policies
  • IAM Role: PlantMonitorFleetProvisioningRole (Allows IoT to assume the role)
  • AWS IoT Policies: PlantMonitorClaimCertificatePolicy, PlantMonitorProvisioningPolicy
  • AWS Logging Enabled (set-v2-logging-options --default-log-level DEBUG)
  • Logging Role Attached: PlantMonitorFleetProvisioningLoggingPolicy

Provisioning Template (Summarized):

{
    "Parameters": {
        "SerialNumber": { "Type": "String" },
        "AWS::IoT::Certificate::Id": { "Type": "String" }
    },
    "Resources": {
        "certificate": {
            "Type": "AWS::IoT::Certificate",
            "Properties": {
                "CertificateId": { "Ref": "AWS::IoT::Certificate::Id" },
                "Status": "Active"
            }
        },
        "thing": {
            "Type": "AWS::IoT::Thing",
            "Properties": {
                "ThingName": { "Fn::Join": ["", ["PM-", { "Ref": "SerialNumber" }]] }
            }
        }
    }
}

Debugging Steps Taken So Far:

  • Claim Certificate is Active (aws iot list-certificates)
  • IAM Role Trust Policy Correct (get-role shows sts:AssumeRole for iot.amazonaws.com)
  • Policies Attached to Claim Certificate (list-attached-policies)
  • Fleet Provisioning Role Assigned in Template (provisioningRoleArn is correct)
  • Device Can Connect via MQTT (Using claim certificate)
  • AWS IoT Logging Enabled (No relevant logs for Fleet Provisioning errors)
  • Attempted New Claim Certificate (Same behavior)
  • Using IAM User Instead of Root (Still no change)

Issue: Every time I attempt to provision the device, AWS IoT reverts to user-initiated provisioning. Logs show that AWS IoT is rejecting the request with:

{
    "statusCode": 400,
    "errorCode": "InvalidCertificateOwnershipToken",
    "errorMessage": "Certificate ownership token cannot be empty."
}

  • Why is AWS IoT ignoring the claim certificate?
  • Why does it default to user-initiated provisioning despite having the correct setup?
  • Where can I find logs specifically related to Fleet Provisioning decisions?

AWS Account & Region Details

  • AWS Region: us-east-2
  • AWS CLI Version: Latest
  • AWS Account: Not using root, using a new IAM user with full permissions

Any insights would be greatly appreciated. I’ve exhausted every AWS doc and test, and still can’t get it to work properly.

Thanks in advance for your help.

asked a year ago, 159 views

1 Answer

Based on the information provided, it appears that there might be a few issues contributing to your AWS IoT Fleet Provisioning problem. Let's address them one by one:

  1. Claim Certificate vs. User-Initiated Provisioning: The error message you're receiving suggests that the system is expecting a certificate ownership token, which is typically used in user-initiated provisioning. This indicates that despite your intention to use a claim certificate, the system is not recognizing it as such.

  2. Provisioning Template: Your provisioning template looks generally correct, but it's worth noting that for fleet provisioning by claim, you typically need to include a specific provisioning template that defines how devices should be registered. Make sure your template is correctly associated with the claim certificate.

  3. MQTT Topics: For fleet provisioning by claim, your device should be publishing to specific MQTT topics. Ensure your device is publishing to "$aws/certificates/create/json" to request new keys and certificates, and then to "$aws/provisioning-templates/YOUR_TEMPLATE_NAME/provision/json" with the necessary parameters.

  4. Policy Permissions: Double-check that your PlantMonitorClaimCertificatePolicy includes permissions for the device to connect, publish, and subscribe to the necessary MQTT topics for fleet provisioning. This should include permissions for "iot:Connect", "iot:Publish", "iot:Receive", and "iot:Subscribe" for the relevant topics.

  5. Logging and Debugging: While you've enabled logging, you mentioned not seeing relevant logs for Fleet Provisioning errors. Try to increase the logging verbosity specifically for provisioning-related actions. You might need to adjust your PlantMonitorFleetProvisioningLoggingPolicy to capture more detailed logs.

  6. Device Implementation: Ensure that your ESP32 device is correctly implementing the fleet provisioning by claim workflow. This includes using the claim certificate for the initial connection, requesting new keys and certificates, and then using the provisioning template to register the device.

  7. Certificate Rotation: After successfully provisioning, your device should rotate from using the claim certificate to using its unique certificate. Make sure this process is implemented correctly in your device code.

  8. Region Consistency: Confirm that all your resources (certificates, policies, roles, etc.) are in the same region (us-east-2) that you're using for your IoT operations.

To troubleshoot further:

  • Review the exact MQTT messages your device is sending and receiving.
  • Check CloudWatch Logs for any IoT-related entries that might provide more insight.
  • Verify that the claim certificate is correctly associated with your provisioning template in AWS IoT Core.
  • Try creating a new provisioning template and claim certificate to rule out any potential issues with the existing ones.

If the issue persists after verifying these points, you may need to contact AWS Support for more in-depth troubleshooting, as there could be an account-specific issue or a misconfig

Sources
Provisioning identity in AWS IoT Core for device connections - Device Manufacturing and Provisioning with X.509 Certificates in AWS IoT Core
Device provisioning - IoT Lens
Device provisioning - AWS IoT Core
What is the appropriate aws iot provisioning by claim policy? | AWS re:Post

answered a year ago
reviewed a year ago
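The two-step exchange the answer's item 3 describes (CreateKeysAndCertificate, then RegisterThing carrying the returned ownership token), together with the 400 rejection the question reports when that token is absent, as an added offline simulation. This is a constructed example, not code from AWS or from the asker: the template name PlantMonitorTemplate and the stand-in broker's response shapes are assumptions, and real payloads are simplified.

```python
import secrets

TEMPLATE = "PlantMonitorTemplate"  # hypothetical template name, not from the question
CREATE_TOPIC = "$aws/certificates/create/json"
PROVISION_TOPIC = f"$aws/provisioning-templates/{TEMPLATE}/provision/json"


class FakeIotCore:
    """Stand-in for the AWS IoT Core provisioning topics (constructed, not AWS code)."""

    def __init__(self):
        self.tokens = {}   # certificateOwnershipToken -> certificateId
        self.things = {}   # thingName -> certificateId

    def publish(self, topic, payload):
        """Return (response_topic, response_payload) the way the service answers a publish."""
        if topic == CREATE_TOPIC:
            # CreateKeysAndCertificate: the token issued here is what RegisterThing must carry.
            cert_id, token = secrets.token_hex(32), secrets.token_urlsafe(32)
            self.tokens[token] = cert_id
            return topic + "/accepted", {"certificateId": cert_id,
                                         "certificateOwnershipToken": token,
                                         "certificatePem": "<constructed>",
                                         "privateKey": "<constructed>"}
        if topic == PROVISION_TOPIC:
            # RegisterThing: an empty token is rejected before anything else is evaluated,
            # which is the 400 the question shows. The "not issued" wording is constructed.
            token = payload.get("certificateOwnershipToken", "")
            if not token or token not in self.tokens:
                return topic + "/rejected", {
                    "statusCode": 400, "errorCode": "InvalidCertificateOwnershipToken",
                    "errorMessage": "Certificate ownership token cannot be empty."
                    if not token else "Certificate ownership token was not issued."}
            # Mirrors the template's Fn::Join of "PM-" and the SerialNumber parameter.
            thing = "PM-" + payload["parameters"]["SerialNumber"]
            self.things[thing] = self.tokens.pop(token)  # token is single-use
            return topic + "/accepted", {"thingName": thing, "deviceConfiguration": {}}
        raise ValueError(f"unsupported topic: {topic}")


def provision_by_claim(core, serial, skip_create=False):
    """Device side: request keys and a certificate first, then RegisterThing with the token.

    skip_create=True models firmware that goes straight to RegisterThing, which is
    what produces "Certificate ownership token cannot be empty"."""
    token = ""
    if not skip_create:
        _, created = core.publish(CREATE_TOPIC, {})
        token = created["certificateOwnershipToken"]
    request = {"certificateOwnershipToken": token, "parameters": {"SerialNumber": serial}}
    return core.publish(PROVISION_TOPIC, request)
```

Run the device function twice, once normally and once with skip_create=True, to see the accepted registration beside the exact rejection from the question.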
