AWS IoT Thing Connected Event, Find the thing Name from Event.

0

How I can get the thing name from the AWS IoT Lifecycle event of connected/disconnected. I also want to add filter while listing the lifecycle event such that I can get only the selected thing's event.

#1. One is from client Id must be thing name. (this might not be viable in our usecase) #2 Is there any way I can decode the "principalIdentifier" and find out the thing-name? (at iot rule filter OR at lambda function) #3 is there any better solution for knowing the device online/offline status? (only if connected to IoT Core)

已提問 2 年前檢視次數 623 次
2 個答案
2

Hi.

From the lifecycle connect/disconnect event (see below), you can extract the principal identifier, which, if you are authenticating with mTLS, is your certificate id. With the certificate id, you can build your certificate ARN, and use

ListPrincipalThings

(https://docs.aws.amazon.com/iot/latest/apireference/API_ListPrincipalThings.html), and get your thing name.

You can do this in a Lambda function invoked via a rule action, or directly in the select statement of your IoT Rule: https://docs.aws.amazon.com/iot/latest/developerguide/iot-sql-functions.html#iot-func-aws-lambda

{
    "clientId": "xxx",
    "timestamp": xxx,
    "eventType": "connected",
    "sessionIdentifier": "xxx",
    "principalIdentifier": "xxx",
    "ipAddress": "xxx",
    "versionNumber": 0
}

You should ideally keep clientId and thingName aligned, if your solution allows for it.

Hope this helps!

AWS
已回答 2 年前
  • I agree, but add that having your client ID and Thing name match is a best practice: https://docs.aws.amazon.com/wellarchitected/latest/iot-lens/identity-and-access-management-iam.html

    #3 is there any better solution for knowing the device online/offline status?

    If you enable fleet indexing, the connectivity status of each Thing is available. So that is a status, instead of an event, but saves you deriving the status yourself. You can then do searches such as connectivity.connected: True. The connectivity status of each Thing is also available in Fleet Hub.

2

In AWS IoT, the creation of a Thing is optional. A device can connect to AWS IoT just with a certificate and an attached IoT policy. Because devices can connect without an attached Thing, only the clientid, and not the thing name, is part of the lifecycle connect/disconnect event.

So to solve your problem you need to restrict using IoT policies what clients can use as a mqtt clientid. For example, the following policy only allows device to connect to AWS IoT if the clientid = Thing name:

{
        "Effect": "Allow",
        "Action": [
          "iot:Connect"
        ],
        "Resource": [
          "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
        ]
 }

If you add custom informations to your device certificates created in AWS IoT using create-certificate-from-csr , you can also use info from the certificate, like the CommanName CN to restrict the clientid by leveraging the AWS IoT X509 policy variables :

At this stage, as you control the clientid value devices set during connection, you can use the clientid in the lifecycle events payload to filter the events.

Hope that helps.

profile pictureAWS
專家
Jan_B
已回答 2 年前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南