Device provisioning
Last updated
Was this helpful?
Last updated
Was this helpful?
Important Provisioning claim private keys should be secured at all times, including on the device. We recommend that you use AWS IoT CloudWatch metrics and logs to monitor for indications of misuse. If you detect misuse, turn off the provisioning claim certificate so it cannot be used for device provisioning.
Important You must manage the trusted user's access and permission to perform this procedure. One way to do this is to provide and maintain an account for the trusted user that authenticates them and grants them access to the AWS IoT features and API operations required to perform this procedure.
Note When you declare a certificate in a template, use only one of these methods. For example, if you use a CSR, you cannot also specify a certificate ID or a device certificate. For more information, see .
Note
If a Policy
section is present, PolicyName
or PolicyDocument
, but not both, must be specified.
Important
You must use CertificateId
in a template that's used for JIT provisioning.
Note An existing provisioning template can be updated to add a .
Important
Be sure to include the source-arn
or source-account
in the global condition context keys of the policies attached to your Lambda action to prevent permission manipulation. For more information about this, see .
Note
If the Lambda function fails, the provisioning request fails with ACCESS_DENIED
and an error is logged to CloudWatch Logs. If the Lambda function doesn't return "allowProvisioning": "true"
in the response, the provisioning request fails with ACCESS_DENIED
. The Lambda function must finish running and return within 5 seconds, otherwise the provisioning request fails.
Important Before publishing a request message topic, subscribe to the response topics to receive the response. The messages used by this API use MQTT's publish/subscribe protocol to provide a request and response interaction. If you do not subscribe to the response topics before you publish a request, you might not receive the results of that request.
Note
For security, the certificateOwnershipToken
returned by CreateCertificateFromCsr
expires after one hour. RegisterThing
must be called before the certificateOwnershipToken
expires. If the certificate created by CreateCertificateFromCsr
has not been activated and has not been attached to a policy or a thing by the time the token expires, the certificate is deleted. If the token expires, the device can call CreateCertificateFromCsr
to generate a new certificate.
Note
For security, the certificateOwnershipToken
returned by CreateKeysAndCertificate
expires after one hour. RegisterThing
must be called before the certificateOwnershipToken
expires. If the certificate created by CreateKeysAndCertificate
has not been activated and has not been attached to a policy or a thing by the time the token expires, the certificate is deleted. If the token expires, the device can call CreateKeysAndCertificate
to generate a new certificate.
Note These procedures are for use only when directed by the AWS IoT console. To go to this page from the console, open .