Static thing groups

In this exercise you will learn how to authorise devices by attaching an IoT policy to a thing group instead of to a device certificate. The policy attached to the thing group uses policy variables so that a device is only allowed to publish to the topic:

telemetry/building/one/${iot:ClientId}

Directory

Use the directory ~/provisioning for the exercises in this chapter.

cd ~/provisioning

Create a thing group

Create a thing group policy, attach the policy to the thing group, create a device and add the device to the thing group.

In a Cloud9 terminal:

# create a thing group
THING_GROUP_NAME=building-one
aws iot create-thing-group \
  --thing-group-name $THING_GROUP_NAME > /tmp/create_group_response
GROUP_ARN=$(jq -r ".thingGroupArn" /tmp/create_group_response)

# get your AWS account id. It is required for the IoT policy in this example
ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account')

# create IoT policy
# \${iot:ClientId} is escaped so the shell passes the policy variable through
# literally; AWS IoT substitutes it with the MQTT client ID at connection time
POLICY_NAME=SmartBuilding_Policy
aws iot create-policy --policy-name $POLICY_NAME \
--policy-document "{\
  \"Version\": \"2012-10-17\",\
  \"Statement\": [{\
      \"Effect\": \"Allow\",\
      \"Action\": [\"iot:Connect\"],\
      \"Resource\": [\
          \"arn:aws:iot:$AWS_REGION:$ACCOUNT_ID:client/\${iot:ClientId}\"\
      ]\
  },\
  {\
      \"Effect\": \"Allow\",\
      \"Action\": [\"iot:Publish\"],\
      \"Resource\": [\
          \"arn:aws:iot:$AWS_REGION:$ACCOUNT_ID:topic/telemetry/building/one/\${iot:ClientId}\"\
      ]\
  }]\
}"

# attach policy to thing group
aws iot attach-policy \
  --target $GROUP_ARN \
  --policy-name $POLICY_NAME

# verify that the policy was attached to the thing group
aws iot list-attached-policies --target $GROUP_ARN

Create a thing

Create a thing, a key and a certificate. Choose any method that you have learned earlier, or alternatively use the commands below. But DO NOT attach a policy to the device certificate; the device should be authorised only through the policy attached to the thing group.

THING_NAME=group-member
aws iot create-thing --thing-name $THING_NAME
aws iot create-keys-and-certificate --set-as-active \
  --public-key-outfile $THING_NAME.public.key \
  --private-key-outfile $THING_NAME.private.key \
  --certificate-pem-outfile $THING_NAME.certificate.pem > /tmp/create_cert_and_keys_response
CERTIFICATE_ARN=$(jq -r ".certificateArn" /tmp/create_cert_and_keys_response)
CERTIFICATE_ID=$(jq -r ".certificateId" /tmp/create_cert_and_keys_response)
aws iot attach-thing-principal --thing-name $THING_NAME \
  --principal $CERTIFICATE_ARN

Add your thing to the thing group

aws iot add-thing-to-thing-group \
  --thing-name $THING_NAME \
  --thing-group-name $THING_GROUP_NAME

# list things in your group
aws iot list-things-in-thing-group \
  --thing-group-name $THING_GROUP_NAME

Publish messages

Subscribe in the AWS IoT Core console to the topic telemetry/building/one/#.

Publish a message to the topic telemetry/building/one/$THING_NAME. This message should arrive.

mosquitto_pub --cafile ~/root.ca.bundle.pem \
  --cert $THING_NAME.certificate.pem \
  --key $THING_NAME.private.key -h $IOT_ENDPOINT -p 8883 \
  -q 0 -t telemetry/building/one/$THING_NAME -i $THING_NAME --tls-version tlsv1.2 \
  -m "{\"group\": \"test\", \"date\": \"$(date)\"}" -d

Publish a message to the topic telemetry/building/one/${THING_NAME}_foo. This message should not arrive.

mosquitto_pub --cafile ~/root.ca.bundle.pem \
  --cert $THING_NAME.certificate.pem \
  --key $THING_NAME.private.key -h $IOT_ENDPOINT -p 8883 \
  -q 0 -t telemetry/building/one/${THING_NAME}_foo -i $THING_NAME --tls-version tlsv1.2 \
  -m "{\"group\": \"test\", \"date\": \"$(date)\"}" -d
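To see what the two statements of SmartBuilding_Policy actually permit, here is an added Python emulation of the policy evaluation. It is not part of the workshop and not AWS IoT's own evaluator: it substitutes ${iot:ClientId} with the connection's client ID and then matches the request's resource ARN against the statement resources. It covers both the policy document created under "Create a thing group" and the two mosquitto_pub tests above. REGION, ACCOUNT_ID and the client IDs are constructed placeholders.

```python
# Added example (not part of the workshop): emulate how the two statements of
# SmartBuilding_Policy decide a request after AWS IoT has replaced
# ${iot:ClientId} with the MQTT client ID of the connection.
# REGION and ACCOUNT_ID are constructed placeholders; in the exercise they come
# from $AWS_REGION and `aws sts get-caller-identity`.
import re

REGION = "eu-west-1"          # constructed placeholder
ACCOUNT_ID = "123456789012"   # constructed placeholder

# The same two statements as the exercise's policy document.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iot:Connect"],
            "Resource": [f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:client/${{iot:ClientId}}"],
        },
        {
            "Effect": "Allow",
            "Action": ["iot:Publish"],
            "Resource": [
                f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:topic/telemetry/building/one/${{iot:ClientId}}"
            ],
        },
    ],
}


def resource_regex(pattern: str, client_id: str) -> "re.Pattern":
    """Turn a resource ARN pattern into a compiled regex.

    '*' in the pattern matches any characters. The substituted client ID is
    treated as literal text, so a client ID containing '*' cannot widen the match.
    """
    parts = pattern.split("*")
    literal = [re.escape(p.replace("${iot:ClientId}", client_id)) for p in parts]
    return re.compile(".*".join(literal))


def evaluate(policy: dict, client_id: str, action: str, resource_arn: str) -> str:
    """Return 'Allow' or 'Deny'.

    No matching statement is an implicit deny; an explicit Deny statement wins
    over any Allow (the policy above has none, but the rule is kept for accuracy).
    """
    decision = "Deny"
    for stmt in policy["Statement"]:
        if action not in stmt["Action"]:
            continue
        for pattern in stmt["Resource"]:
            if resource_regex(pattern, client_id).fullmatch(resource_arn):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


def can_connect(client_id: str) -> bool:
    arn = f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:client/{client_id}"
    return evaluate(POLICY, client_id, "iot:Connect", arn) == "Allow"


def can_publish(client_id: str, topic: str) -> bool:
    arn = f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:topic/{topic}"
    return evaluate(POLICY, client_id, "iot:Publish", arn) == "Allow"


if __name__ == "__main__":
    thing = "group-member"   # the client ID passed with -i in the exercise
    for topic in (f"telemetry/building/one/{thing}",
                  f"telemetry/building/one/{thing}_foo",
                  f"telemetry/building/two/{thing}"):
        verdict = "allowed" if can_publish(thing, topic) else "denied"
        print(f"{thing} -> {topic}: {verdict}")
```

Two things the emulation makes visible. The Connect statement always matches, because its resource is built from the very client ID the device presents, so it restricts nothing by itself; the Publish statement then ties the permitted topic to whatever client ID was given with -i. If the topic should instead be bound to the registered thing rather than the self-chosen client ID, AWS IoT also offers the policy variable ${iot:Connection.Thing.ThingName}, which resolves only when the certificate is attached to the thing (as done above with attach-thing-principal).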