Device provisioning
This page was generated from content adapted from the AWS Developer Guide
Provisioning devices that don't have device certificates using fleet provisioning
Important: Provisioning claim private keys should be secured at all times, including on the device. We recommend that you use AWS IoT CloudWatch metrics and logs to monitor for indications of misuse. If you detect misuse, turn off the provisioning claim certificate so it cannot be used for device provisioning.
Important: You must manage the trusted user's access and permission to perform this procedure. One way to do this is to provide and maintain an account for the trusted user that authenticates them and grants them access to the AWS IoT features and API operations required to perform this procedure.
Provisioning templates
Note: When you declare a certificate in a template, use only one of these methods. For example, if you use a CSR, you cannot also specify a certificate ID or a device certificate. For more information, see X.509 client certificates.
Note: If a Policy section is present, PolicyName or PolicyDocument, but not both, must be specified.
Important: You must use CertificateId in a template that's used for JIT provisioning.
Note: An existing provisioning template can be updated to add a pre-provisioning hook.
Pre-provisioning hooks
Important: Be sure to include the source-arn or source-account in the global condition context keys of the policies attached to your Lambda action to prevent permission manipulation. For more information about this, see Cross-service confused deputy prevention.
Note: If the Lambda function fails, the provisioning request fails with ACCESS_DENIED and an error is logged to CloudWatch Logs. If the Lambda function doesn't return "allowProvisioning": "true" in the response, the provisioning request fails with ACCESS_DENIED. The Lambda function must finish running and return within 5 seconds, otherwise the provisioning request fails.
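As an added example (not code from the AWS guide), a minimal pre-provisioning hook handler in Python that fails closed: it denies provisioning unless the request was made with the expected claim certificate and carries a serial number that manufacturing has registered. The event field names (claimCertificateId, parameters), the allowlist and the placeholder IDs are assumptions for this example; the response carries allowProvisioning as a JSON boolean, as the AWS Python sample does.

```python
import json

# Constructed sample data for this example (not real IDs):
# serial numbers manufacturing has recorded as legitimate devices, and the
# placeholder ID of the provisioning claim certificate devices should present.
REGISTERED_SERIALS = {"SN-0001", "SN-0002", "SN-0003"}
EXPECTED_CLAIM_CERTIFICATE_ID = "<claim-certificate-id-placeholder>"


def decide(event):
    """Build the hook response for one provisioning request event.

    Fails closed: any missing or unexpected input yields
    allowProvisioning=False, so the request ends in ACCESS_DENIED.
    """
    # Field names follow the pre-provisioning hook event as documented by
    # AWS (assumed here; they are not quoted on this page). 'parameters'
    # is whatever the device sent in RegisterThing, so it is untrusted input.
    claim_id = event.get("claimCertificateId")
    parameters = event.get("parameters") or {}
    serial = parameters.get("SerialNumber")

    if claim_id != EXPECTED_CLAIM_CERTIFICATE_ID:
        return {"allowProvisioning": False}
    if not isinstance(serial, str) or serial not in REGISTERED_SERIALS:
        return {"allowProvisioning": False}

    return {
        "allowProvisioning": True,
        # Overriding the template parameter means the device cannot pick
        # its own thing name; the hook derives it from the vetted serial.
        "parameterOverrides": {"ThingName": "device-" + serial},
    }


def lambda_handler(event, context):
    # Keep the handler short and synchronous: it has 5 seconds to return,
    # and a timeout is treated as a failed provisioning request.
    return decide(event)


if __name__ == "__main__":
    # Constructed sample event: a device presenting a registered serial number.
    sample_event = {
        "claimCertificateId": EXPECTED_CLAIM_CERTIFICATE_ID,
        "templateArn": "arn:aws:iot:<region>:<account>:provisioningtemplate/<name>",
        "parameters": {"SerialNumber": "SN-0002"},
    }
    print(json.dumps(lambda_handler(sample_event, None)))
```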
Creating IAM policies and roles for a user installing a device
Note: These procedures are for use only when directed by the AWS IoT console. To go to this page from the console, open create a new provisioning template.
Device provisioning MQTT API
Important: Before publishing a request message topic, subscribe to the response topics to receive the response. The messages used by this API use MQTT's publish/subscribe protocol to provide a request and response interaction. If you do not subscribe to the response topics before you publish a request, you might not receive the results of that request.
Note: For security, the certificateOwnershipToken returned by CreateCertificateFromCsr expires after one hour. RegisterThing must be called before the certificateOwnershipToken expires. If the certificate created by CreateCertificateFromCsr has not been activated and has not been attached to a policy or a thing by the time the token expires, the certificate is deleted. If the token expires, the device can call CreateCertificateFromCsr to generate a new certificate.
Note: For security, the certificateOwnershipToken returned by CreateKeysAndCertificate expires after one hour. RegisterThing must be called before the certificateOwnershipToken expires. If the certificate created by CreateKeysAndCertificate has not been activated and has not been attached to a policy or a thing by the time the token expires, the certificate is deleted. If the token expires, the device can call CreateKeysAndCertificate to generate a new certificate.