By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

IoT Core: using aws-iot-device-sdk-js-v2 to make a connection in a Firebase function works when running emulators locally, but fails when the function is deployed

0

Hello!

I'm trying to connect using certificates via the aws-iot-device-sdk-js-v2 inside a Firebase function. While this works when running the function locally with the emulators Firebase provides, after deploying the function, the connection fails with the following message: aws-c-io: AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE, TLS (SSL) negotiation failed

Anyone know what's going on or can point me in the right direction? Maybe there's some sort of difference in the environment where the deployed function is running, vs my computer when running locally that affects authentication? For a more detailed explanation and a little bit of context as to why I'm trying to connect via a Firebase function, please refer to https://github.com/aws/aws-iot-device-sdk-js-v2/discussions/334 post I made in the SDK Github page.

Thanks in advance!

Topics
Internet of Things (IoT)
Tags
AWS IoT CoreTransport Layer Security (TLS)
Language
English
Nicolas Gorga
asked a year ago243 views
1 Answer
0

Good evening Nicolas!

I read the context behind your question, and the use case is very interesting!

Seems like you were looking for a workaround to the limitations of previously suggested options (- disabling/revoking the device certificate & - changing the policy document), as they do not guarantee immediate traffic interruption from the device.

The extra option I suggest will be 2-folded:

  1. Create a thing group beforehand (named 'forbidden' for example) and attach a restrictive policy to it (like explicit deny for CONNECT, PUBLISH, SUBSCRIBE, etc). Refer to this guide if needed. This is the group that will include all your forbidden devices.
  2. Anytime you'd like to deny a specific device, just add it to that forbidden thing group by initiating the corresponding request from your Angular Web App. See the API Reference for guidance.

As the device will just inherit the preexisting restrictive policies from the Forbidden group, the IoT Core message broker will likely acknowledge the change much faster than a certificate policy update (that can be cached for minutes).

On top of that, you'll have all your forbidden devices in a single thing group, allowing further batch actions on them (querying, reporting, certificates revocation, etc).

Let me know if that helps!

Charly.

profile pictureAWS
EXPERT
Charlyscott237
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content