Distribute & Manage Client Secret (WiFi) Credentials to IoT Fleet during Provisioning Stage


Hi all,

We are receiving client requests to preconfigure IoT devices with their selected Wi-Fi credentials.

Our current scenario is the following:

  1. Our devices are provisioned using AWS IoT Core and unique device certificates
  2. An OTA is done as a final check (using the provisioning WiFi network)
  3. The client receives the device and has to configure their WiFi credentials.

This flow isn't maintainable when a single client orders 1000 devices which he/she has to configure manually. So we would like to configure the WiFi credentials during the provisioning phase, making it plug and play for the client.

In order to do this, we have to:

  1. Store the client's WiFi credentials in a secure place (encrypted)
  2. Retrieve the client's secret, decrypt it and communicate it to the IoT device to be saved in secure memory

AWS Credential manager seems like a good way to store and encrypt the client's credentials. For retrieving the credentials (which we need in plain text) I see multiple options:

  • Retrieve the credentials using AWS CLI from our provisioning tool & configure the device
  • Retrieve it via GitHub Actions and create a custom provisioning OTA package for it (this seems overkill and hard to manage)
  • After the generic provisioning OTA (which uses the provisioning network), launch a lambda (or something) which retrieves the client credentials and updates it through MQTTS.

What is the best practice/approach for this? Any thoughts on the mentioned approaches?

Cheers!
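Added example for the third option above (retrieve the secret, push it to the device over MQTT). This is not code from the question author or from AWS; it is a sketch of the provisioning step with the two AWS clients injected, so the same functions run against real boto3 `secretsmanager` and `iot-data` clients or, as here, against in-memory fakes built from constructed data. The secret naming (`iot/wifi/<customer>`), the per-thing topic (`provision/<thing>/wifi`), the region/account placeholders and the helper names are this example's assumptions. The boto3 calls it mirrors, `get_secret_value(SecretId=...)` and `publish(topic=..., qos=..., payload=...)`, are real; the role running this needs `secretsmanager:GetSecretValue` and `iot:Publish`.

```python
"""Provisioning step: fetch a client's Wi-Fi credential from Secrets Manager,
validate it, and deliver it once to a single device over a per-thing topic.
Added example; secret layout, topic layout and names are assumptions."""
import json

SECRET_ID_TEMPLATE = "iot/wifi/{customer_id}"   # assumed: one secret per client
TOPIC_TEMPLATE = "provision/{thing_name}/wifi"  # assumed: one topic per thing


def load_wifi_secret(secrets_client, customer_id):
    """Read and validate the client's credential; never let a malformed
    secret reach a device. Assumed secret body: {"ssid", "psk", "security"}."""
    resp = secrets_client.get_secret_value(
        SecretId=SECRET_ID_TEMPLATE.format(customer_id=customer_id))
    cred = json.loads(resp["SecretString"])
    ssid, psk = str(cred.get("ssid", "")), str(cred.get("psk", ""))
    if not 1 <= len(ssid.encode("utf-8")) <= 32:       # 802.11 SSID limit
        raise ValueError("SSID must be 1..32 bytes")
    if not (8 <= len(psk) <= 63 and psk.isascii()):    # WPA2-PSK passphrase rule
        raise ValueError("WPA2 passphrase must be 8..63 ASCII characters")
    return {"ssid": ssid, "psk": psk, "security": cred.get("security", "WPA2-PSK")}


def push_wifi_to_device(iot_data_client, thing_name, cred):
    """Publish the credential with QoS 1 (retried until the device acks).
    The payload is never logged here; only the topic is returned."""
    topic = TOPIC_TEMPLATE.format(thing_name=thing_name)
    iot_data_client.publish(topic=topic, qos=1,
                            payload=json.dumps(cred).encode("utf-8"))
    return topic


def device_policy_document(region, account_id):
    """IoT policy for the device certificate: it may subscribe to and receive
    on its own provisioning topic only, using the thing-name policy variable
    (requires the certificate to be attached to the thing)."""
    base = f"arn:aws:iot:{region}:{account_id}"
    path = "provision/${iot:Connection.Thing.ThingName}/wifi"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": f"{base}:topicfilter/{path}"},
        {"Effect": "Allow", "Action": "iot:Receive",
         "Resource": f"{base}:topic/{path}"},
    ]}


class FakeSecretsManager:
    """Stand-in for the boto3 secretsmanager client (constructed data)."""
    def __init__(self, secrets):
        self._secrets = secrets

    def get_secret_value(self, SecretId):
        return {"SecretString": self._secrets[SecretId]}


class FakeIotData:
    """Stand-in for the boto3 iot-data client; records what would be published."""
    def __init__(self):
        self.published = []

    def publish(self, topic, qos, payload):
        self.published.append((topic, qos, payload))


def demo():
    """Run the step end to end against the fakes; returns what the device would get."""
    secrets = FakeSecretsManager({
        SECRET_ID_TEMPLATE.format(customer_id="acme"): json.dumps(
            {"ssid": "acme-factory", "psk": "correct-horse-battery",
             "security": "WPA2-PSK"}),          # constructed sample secret
    })
    iot = FakeIotData()
    cred = load_wifi_secret(secrets, "acme")
    topic = push_wifi_to_device(iot, "thing-0001", cred)
    sent_topic, qos, payload = iot.published[0]
    return {"topic": topic, "sent_topic": sent_topic, "qos": qos,
            "payload": json.loads(payload)}


if __name__ == "__main__":
    print(demo()["topic"])
```

Two caveats worth keeping in mind with this shape: a device shadow would keep the PSK readable to anything holding `iot:GetThingShadow`, so a one-shot message on a topic scoped by `${iot:Connection.Thing.ThingName}` is preferable to writing it into the shadow, and the Lambda must not log the payload or the CloudWatch logs become a second copy of every client's Wi-Fi password.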

No Answers
