
AWS IoT Thing Connected Event, Find the thing Name from Event.


How can I get the thing name from the AWS IoT lifecycle event for connected/disconnected? I also want to add a filter while listing the lifecycle events so that I get only the selected thing's events.

1. One option is that the client ID must be the thing name (this might not be viable in our use case).
2. Is there any way I can decode the "principalIdentifier" and find out the thing name? (at the IoT rule filter OR at the Lambda function)
3. Is there any better solution for knowing the device online/offline status? (only if connected to IoT Core)

2 Answers

In AWS IoT, the creation of a Thing is optional. A device can connect to AWS IoT with just a certificate and an attached IoT policy. Because devices can connect without an attached Thing, only the client ID, and not the thing name, is part of the lifecycle connect/disconnect event.

So to solve your problem you need to restrict, using IoT policies, what clients can use as an MQTT client ID. For example, the following policy only allows a device to connect to AWS IoT if the client ID equals the Thing name:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
      ]
    }
  ]
}

If you add custom information to your device certificates created in AWS IoT using create-certificate-from-csr, you can also use information from the certificate, like the CommonName (CN), to restrict the client ID by leveraging the AWS IoT X.509 policy variables:

At this stage, as you control the client ID value devices set during connection, you can use the clientId in the lifecycle event payload to filter the events.

Hope that helps.

AWS (Expert), answered 2 years ago

Hi.

From the lifecycle connect/disconnect event (see below), you can extract the principal identifier, which, if you are authenticating with mTLS, is your certificate ID. With the certificate ID, you can build your certificate ARN, call ListPrincipalThings (https://docs.aws.amazon.com/iot/latest/apireference/API_ListPrincipalThings.html), and get your thing name.

You can do this in a Lambda function invoked via a rule action, or directly in the select statement of your IoT Rule: https://docs.aws.amazon.com/iot/latest/developerguide/iot-sql-functions.html#iot-func-aws-lambda

{
    "clientId": "xxx",
    "timestamp": xxx,
    "eventType": "connected",
    "sessionIdentifier": "xxx",
    "principalIdentifier": "xxx",
    "ipAddress": "xxx",
    "versionNumber": 0
}

You should ideally keep clientId and thingName aligned, if your solution allows for it.

Hope this helps!

AWS, answered 2 years ago
  • I agree, but add that having your client ID and Thing name match is a best practice: https://docs.aws.amazon.com/wellarchitected/latest/iot-lens/identity-and-access-management-iam.html

    > #3 Is there any better solution for knowing the device online/offline status?

    If you enable fleet indexing, the connectivity status of each Thing is available. So that is a status, instead of an event, but it saves you deriving the status yourself. You can then do searches such as connectivity.connected:true. The connectivity status of each Thing is also available in Fleet Hub.
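The lookup described in the second answer, combined with the client-ID-equals-thing-name check that the first answer and the comment recommend, written as a Python function a rule-action Lambda could call. This is an added example, not code from either answer or from AWS. The region, account ID, sample event values and the FakeIotClient stub are assumptions so that it runs offline; in a real Lambda you would pass boto3.client("iot") instead of the stub. It also handles the cases the answers only hint at: a principal that is not a certificate (Cognito or custom-authorizer identity), a certificate attached to no Thing, and a certificate attached to more than one Thing.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample lifecycle event. Field names follow the connected/
# disconnected event shape shown in the answer above; all values are made up.
SAMPLE_EVENT: Dict[str, Any] = {
    "clientId": "sensor-0042",
    "timestamp": 1700000000000,
    "eventType": "connected",
    "sessionIdentifier": "00000000-0000-0000-0000-000000000000",
    "principalIdentifier": "ab" * 32,  # 64 hex chars: the certificate ID under mTLS
    "ipAddress": "203.0.113.10",
    "versionNumber": 0,
}

# Under mTLS the principalIdentifier is the certificate ID, a 64-character
# lowercase hex string. Anything else (a Cognito identity or a custom
# authorizer principal) cannot be turned into a certificate ARN.
CERT_ID_RE = re.compile(r"[0-9a-f]{64}")


def certificate_arn(principal_identifier: str, region: str, account_id: str) -> Optional[str]:
    """Build the certificate ARN from a lifecycle principalIdentifier, or None."""
    if not CERT_ID_RE.fullmatch(principal_identifier):
        return None
    return f"arn:aws:iot:{region}:{account_id}:cert/{principal_identifier}"


def things_for_principal(iot_client, principal_arn: str) -> List[str]:
    """Collect every Thing attached to the principal, following nextToken pages."""
    names: List[str] = []
    kwargs: Dict[str, Any] = {"principal": principal_arn}
    while True:
        resp = iot_client.list_principal_things(**kwargs)
        names.extend(resp.get("things", []))
        token = resp.get("nextToken")
        if not token:
            return names
        kwargs["nextToken"] = token


def resolve_thing(event: Dict[str, Any], iot_client, region: str, account_id: str) -> Dict[str, Any]:
    """Map a lifecycle event to a Thing name.

    status is one of:
      "ok"          exactly one Thing is attached and its name equals clientId
      "mismatch"    exactly one Thing is attached but clientId differs
      "unattached"  the certificate is attached to no Thing
      "ambiguous"   the certificate is attached to several Things
      "not-a-cert"  principalIdentifier is not an X.509 certificate ID
    """
    arn = certificate_arn(event["principalIdentifier"], region, account_id)
    if arn is None:
        return {"thingName": None, "status": "not-a-cert"}
    things = things_for_principal(iot_client, arn)
    if not things:
        return {"thingName": None, "status": "unattached"}
    if len(things) > 1:
        return {"thingName": None, "status": "ambiguous", "candidates": things}
    name = things[0]
    status = "ok" if name == event.get("clientId") else "mismatch"
    return {"thingName": name, "status": status}


class FakeIotClient:
    """Assumed stand-in for boto3.client("iot") so the example runs offline.

    `attachments` maps a certificate ARN to the list of Thing names attached
    to it. Results are returned one per page to exercise the nextToken loop.
    """

    def __init__(self, attachments: Dict[str, List[str]]):
        self.attachments = attachments

    def list_principal_things(self, principal: str, nextToken: Optional[str] = None,
                              maxResults: Optional[int] = None) -> Dict[str, Any]:
        things = self.attachments.get(principal, [])
        start = int(nextToken) if nextToken else 0
        resp: Dict[str, Any] = {"things": things[start:start + 1]}
        if start + 1 < len(things):
            resp["nextToken"] = str(start + 1)
        return resp


if __name__ == "__main__":
    # Assumed region/account; the cert from SAMPLE_EVENT is attached to one Thing.
    client = FakeIotClient({
        "arn:aws:iot:us-east-1:123456789012:cert/" + "ab" * 32: ["sensor-0042"],
    })
    print(resolve_thing(SAMPLE_EVENT, client, "us-east-1", "123456789012"))
```

Treat anything other than "ok" as a signal rather than an error to swallow: "mismatch" means a device connected with a client ID that is not its Thing name (which the first answer's policy would have denied), and "not-a-cert" means the connection was not mTLS, so the certificate-based lookup does not apply.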
