Questions in Internet of Things (IoT)


mutual TLS authentication for Amazon API Gateway - With my existing public key infrastructure (PKI) standard.

Hello Team, I am trying to enable mTLS for Amazon API Gateway for my endpoint, and I have my existing public key (PKI) for my domain (.crt & .key). While trying to upload my existing root CA public key to an S3 bucket, I am getting an error like "API Gateway couldn’t build a unique path from the given certificate to a root certificate". I am following the setup using this link, Ref: https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/

Note: I am not using openssl to generate the RootCA.pem & RootCA.key.

Step 1 (SKIP): Create the private certificate authority (CA) private and public keys:

```
openssl genrsa -out RootCA.key 4096
openssl req -new -x509 -days 3650 -key RootCA.key -out RootCA.pem
```

Step 2: Create the client certificate private key and certificate signing request (CSR):

```
openssl genrsa -out my_client.key 2048
openssl req -new -key my_client.key -out my_client.csr
```

Step 3: Sign the newly created client cert by using the certificate authority you previously created:

```
openssl x509 -req -in my_client.csr -CA RootCA.pem -CAkey RootCA.key -set_serial 01 -out my_client.pem -days 3650 -sha256
```

Step 4: I have a minimum of five files in my directory:

- RootCA.key (root CA private key)
- RootCA.pem (root CA public key)
- my_client.csr (client certificate signing request)
- my_client.key (client certificate private key)
- my_client.pem (client certificate public key)

Step 5: Prepare a PEM-encoded trust store file for all certificate authority public keys you want to use with mutual TLS:

```
cp RootCA.pem truststore.pem
```

Step 6: Upload the trust store file to an Amazon S3 bucket in the same AWS account as our API Gateway API.

```
aws s3 mb s3://your-name-ca-truststore --region us-east-1 # creates a new S3 bucket – skip if using existing bucket
aws s3api put-bucket-versioning --bucket your-name-ca-truststore --versioning-configuration Status=Enabled # enables versioning on S3 bucket
aws s3 cp truststore.pem s3://your-name-ca-truststore/truststore.pem # uploads object to S3 bucket
```

Step 7: Enabling mutual TLS on a custom domain name I have in the AWS API Gateway console. While I upload my existing root CA public key to the S3 bucket, I am getting errors like:

Error: "API Gateway couldn’t build a unique path from the given certificate to a root certificate".

Error: "There is an invalid certificate in your truststore bundle. Mutual TLS is still enabled, but some clients might not be able to access your API. Upload a new truststore bundle version to S3, and then update your domain name to use the new version."
1 answer · 0 votes · 15 views · asked 5 days ago

Send JSON documents with the pubsub.py sample app - MQTT Test Client displays string not json

Hi, I am new to AWS IoT and working through the SDK tutorials. Using RPi3B and Python. https://docs.aws.amazon.com/iot/latest/developerguide/sdk-tutorials.html - I am at "publish JSON documents in the message payload". I created pubsub3.py & changed the line of code: `message = "{}".format(message_string)`. The tutorial says to 'change this line of code' to `message = "{}".format(args.message)` BUT my pubsub.py has the `.format(message_string)` var instead. The MQTT Test client is displaying a string literal and not interpreting/formatting correctly in JSON format. I have tried all sorts of combinations of quotes and breaks and brackets (" \ ' { ] ). From what I see it should be sending the payload as a JSON string...

Command line:

```
pi3@raspberrypi:~ $ python3 aws-iot-device-sdk-python-v2/samples/pubsub3.py --message '{"temperature":40}' --count 1 --topic pi3/battery1/data --endpoint...
```

pubsub3.py:

```
message = "{}".format(message_string)
print("Publishing message to topic '{}': {}".format(message_topic, message))
message_json = json.dumps(message)
mqtt_connection.publish(
    topic=message_topic,
    payload=message_json,
    qos=mqtt.QoS.AT_LEAST_ONCE)
time.sleep(1)
```

Terminal:

```
Sending 1 message(s)
Publishing message to topic 'pi3/battery1/data': {"temperature":40}
Received message from topic 'pi3/battery1/data': b'"{\\"temperature\\":40}"'
```

MQTT Test Client:

```
pi3/battery1/data
December 01, 2022, 11:59:52 (UTC-0500)
"{temperature: 40}"
```

If someone could offer me some assistance I would be very grateful!
1 answer · 0 votes · 16 views · asked 5 days ago
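The quoted, escaped payload in the post comes from serialising a string that is already JSON a second time. The following is an added example, not code from the post or from the AWS IoT SDK samples: it reproduces the bytes the asker saw and shows a payload builder that parses the command-line text before publishing. The sample message is assumed to be the one from the asker's command line.

```python
import json

# Constructed sample: the text passed on the command line as
# --message '{"temperature":40}' (assumed to match the asker's run).
MESSAGE_STRING = '{"temperature":40}'


def payload_as_written(message_string: str) -> bytes:
    """Mirror the pubsub3.py snippet from the post: json.dumps() on a str
    that already contains JSON serialises it as a JSON *string*, producing a
    quoted, escaped value instead of an object."""
    message = "{}".format(message_string)
    return json.dumps(message).encode("utf-8")


def payload_fixed(message_string: str) -> bytes:
    """Parse the command-line text first. Valid JSON is published as that
    document; anything else is wrapped in an object so subscribers always
    receive a parseable JSON document rather than a bare string."""
    try:
        document = json.loads(message_string)
    except json.JSONDecodeError:
        document = {"message": message_string}
    return json.dumps(document).encode("utf-8")


def subscriber_view(payload: bytes):
    """What a subscriber (or the MQTT test client) gets after one json.loads():
    a str for the double-encoded payload, a dict for the fixed one."""
    return json.loads(payload)


if __name__ == "__main__":
    print(payload_as_written(MESSAGE_STRING))  # b'"{\\"temperature\\":40}"'
    print(payload_fixed(MESSAGE_STRING))       # b'{"temperature": 40}'
    print(subscriber_view(payload_fixed(MESSAGE_STRING)))
```

Passing the already-JSON text straight through as `payload=message_string` also works, but parsing first rejects malformed input before it reaches the topic.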

Greengrass V2 Component Deployment Issue.

Hi Team, I have created one ReactJS application and deployed it in Greengrass V2 using a component recipe with the following details.

```
"Lifecycle": {
  "Install": {
    "RequiresPrivilege": true,
    "Script": "yarn install --cwd {artifacts:decompressedPath}/softacuity-code",
    "Timeout": 6000
  },
  "Run": {
    "Script": "chmod 777 {artifacts:decompressedPath}/softacuity-code/node_modules \n npm start --prefix {artifacts:decompressedPath}/softacuity-code"
  }
},
"Artifacts": [
  {
    "Uri": "s3://elsa-component-artifacts/FrontEndManager/customer_board/softacuity-code.zip",
    "Digest": "iPUASOImWCUL/IsSPJdO1MMVHF9XfKH52GdtafoExtU=",
    "Algorithm": "SHA-256",
    "Unarchive": "ZIP",
    "Permission": {
      "Read": "ALL",
      "Execute": "ALL"
    }
  }
]
```

I am successfully able to deploy this component on Greengrass V2. But the second time, if I try to deploy any other component in a revised deployment, I am getting the following error.

```
unable to access attributes of symbolic link
Caused by: java.nio.file.FileSystemException: /greengrass/v2/packages/artifacts-unarchived/CSTBOARDFrontEndManager/3.0.0/softacuity-code/node_modules/@eslint/eslintrc/node_modules/.bin/js-yaml: Too many levels of symbolic links or unable to access attributes of symbolic link
    at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:96)
    at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
```

Could you guys please help me with this. Is there anything required to be updated in the recipe file?

Regards, Nalay Patel
1 answer · 0 votes · 15 views · asked 5 days ago

Lambda component with IPC permissions in Greengrass V2

We have migrated a lambda from AWS Greengrass v1 to AWS Greengrass v2. This lambda needs to extract and decrypt a secret from Greengrass Core. How can we authorize the component to perform IPC permissions to the lambda for that? Regular component recipes have the option `ComponentConfiguration/DefaultConfiguration/accessControl`. However, when we build the component out of a lambda using AWS CLI [create-component-version](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/greengrassv2/create-component-version.html) and the option `--lambda-function`, there is no option to assign authorization policies.

One way we tried to make it work is by using a *merge update* in our deployment (as documented [here](https://docs.aws.amazon.com/greengrass/v2/developerguide/ipc-secret-manager.html)).

```
"accessControl": {
  "aws.greengrass.SecretManager": {
    "<my-component>:secrets:1": {
      "policyDescription": "Credentials for server running on edge.",
      "operations": [
        "aws.greengrass#GetSecretValue"
      ],
      "resources": [
        "arn:aws:secretsmanager:us-east-1:<account-id>:secret:xxxxxxxxxx"
      ]
    }
  }
}
```

However, the end recipe of the component (in the deployment) does not display the `accessControl` (AWS Greengrass Console), so we assume it has not been *merge updated*.

```
...
"ComponentConfiguration": {
  "DefaultConfiguration": {
    "lambdaExecutionParameters": {
      "EnvironmentVariables": {
        "LOG_LEVEL": "DEBUG"
      }
    },
    "containerParams": {
      "memorySize": 16384,
      "mountROSysfs": false,
      "volumes": {},
      "devices": {}
    },
    "containerMode": "NoContainer",
    "timeoutInSeconds": 30,
    "maxInstancesCount": 10,
    "inputPayloadEncodingType": "json",
    "maxQueueSize": 200,
    "pinned": false,
    "maxIdleTimeInSeconds": 30,
    "statusTimeoutInSeconds": 30,
    "pubsubTopics": {
      "0": {
        "topic": "dt/app/+/status/update",
        "type": "PUB_SUB"
      }
    }
  }
},
```

Any guidance here would be greatly appreciated! Thanks
rodmaz · 1 answer · 0 votes · 11 views · asked 6 days ago