
IoT Apps with AWS IoT and Websockets


In this session, you will learn how to build real-time mobile and web applications that interact over WebSockets. We will dig into how AWS IoT supports MQTT over the WebSocket protocol to enable browser-based and remote applications to send and receive data from AWS IoT connected devices using AWS credentials. Furthermore, we will show you how to use AWS IoT Device SDKs to connect your device to AWS IoT when making a WebSocket connection.

AWS DevDay San Francisco, June 21, 2016
Presenter: David Yanacek, Principal Engineer, AWS IoT


IoT Apps with AWS IoT and Websockets

  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. IoT Apps with AWS IoT and WebSockets. David Yanacek, Principal Engineer, AWS IoT, 6/21/2016
  2. Outline
     • MQTT recap
     • WebSockets: what and why?
     • Demo!
     • Device SDK examples and code
     • Authentication, authorization, and WebSockets
  3. AWS IoT
  4. • Publish / Subscribe
     • Standard Protocol Support: MQTT, HTTP, WebSockets
     • Long Lived Connections: receive signals from the cloud
     • Secure by Default: connect securely via X.509 certs and TLS 1.2 client mutual auth
  5. MQTT PubSub
     PUBLISH weather-station/echo-base/temperature
     Topic subscriptions that receive it:
       SUBSCRIBE weather-station/echo-base/temperature
       SUBSCRIBE weather-station/echo-base/+
       SUBSCRIBE weather-station/+/temperature
  6. Comparing protocols
     MQTT: lightweight; bidirectional (client <-> server)
     HTTP: broad support (browsers); request-reply (client -> server)
  7. AWS IoT protocol comparison
     Capability   MQTT   HTTP
     Publish      Yes    Yes
     Subscribe    Yes    No
  8. Securing AWS Resource Access
  9. Comparing authentication schemes
     Certificates: provisioned for devices; secured in hardware TPMs
     SigV4: provisioned for applications; EC2 instance roles (applications); Cognito identity pools (humans)
  10. AWS IoT protocol comparison (same table as slide 7)
  11. AWS IoT protocol comparison
     Capability        MQTT   HTTP
     Publish           Yes    Yes
     Subscribe         Yes    No
     Certificate Auth  Yes    Yes
     Sig V4 Auth       No     Yes
  12. AWS IoT protocol comparison (same table as slide 11)
  13. WebSockets to the rescue
     Client -> server (HTTP):
       GET wss://…/mqtt?X-Amz-Signature=…
       Connection: Upgrade
       Sec-WebSocket-Protocol: mqtt
       …
     Server: Upgrade? OK
     Server -> client (HTTP):
       HTTP/1.1 101 Switching Protocols
       Connection: Upgrade
  14. WebSockets to the rescue: after the upgrade, MQTT packets (SUBSCRIBE, PUBLISH, …) flow over the HTTP connection
  15. AWS IoT protocol comparison
     Capability        MQTT   HTTP
     Publish           Yes    Yes
     Subscribe         Yes    Yes*
     Certificate Auth  Yes    Yes
     Sig V4 Auth       Yes*   Yes
     * Using WebSockets to upgrade HTTP connections to MQTT connections
  16. Outline (same as slide 2)
  17. AWS IoT ShapeUp! architecture: Amazon Cognito, Amazon S3, Amazon DynamoDB, AWS Lambda, IoT policy, IoT rule, IoT topic, IoT shadow
  18. AWS IoT ShapeUp! architecture: sign-in and registration (same components as slide 17)
  19. AWS IoT ShapeUp! architecture: match making, gameplay (same components as slide 17)
  20. Outline (same as slide 2)
  21. Connecting over WebSockets
      # Grab and install the Device SDK
      git clone https://github.com/aws/aws-iot-device-sdk-js.git
      cd aws-iot-device-sdk-js
      npm install
      # Configure your environment
      export AWS_ACCESS_KEY_ID=...
      export AWS_SECRET_ACCESS_KEY=...
      # Run the examples
      node examples/device-example.js --protocol wss --test-mode 1
      node examples/device-example.js --protocol wss --test-mode 2
  22. device-example.js: test-mode 1 does SUBSCRIBE topic_1; test-mode 2 does SUBSCRIBE topic_2
  23. device-example.js: test-mode 1 does PUBLISH topic_2 (delivered to test-mode 2); test-mode 2 does PUBLISH topic_1 (delivered to test-mode 1)
  24. Quick demo
  25. device-example.js, simplified
      // Load the AWS IoT Device SDK for JavaScript
      const deviceModule = require('aws-iot-device-sdk').device;
      // Connect to AWS IoT over WebSockets; with protocol 'wss' the SDK signs the
      // connection (SigV4) with the AWS credentials from the environment
      const device = deviceModule({
        region: 'us-west-2',
        protocol: 'wss',
        port: 443,
        host: 'YOURENDPOINT.data.iot.us-west-2.amazonaws.com'
      });
      // Subscribe to your own topic
      device.subscribe('topic_1');
      // Publish a message to the other topic every second
      var timeout = setInterval(function() {
        device.publish('topic_2', JSON.stringify({ foo: 'bar' }));
      }, 1000);
      // Print the messages you receive
      device.on('message', function(topic, payload) {
        console.log('message', topic, payload.toString());
      });
  26. Outline (same as slide 2)
  27. Authentication vs authorization. Authentication: prove your identity. Authorization: restrict access.
  28. Authentication for devices. Device credentials:
      • Private key (authenticate the device)
      • Certificate (register the device with IoT)
      • Root CA cert (authenticate IoT)
  29. Authentication for devices (provisioning flow): the administrator generates a private key, generates a CSR, calls CreateCertificate, and receives the certificate
  30. Authentication for end-users
  31. Authentication for end-users: Sign in (Amazon Cognito) -> Get AWS creds (verify) -> WebSocket connect
  32. Configuring Cognito with AWS IoT: Unauthenticated / Authenticated
  33. Cognito identities in AWS IoT
      Authenticated:
      • End-users sign in
      • Customize user-specific policy in AWS IoT
      • Users cannot access AWS IoT until IoT policy is attached
      Unauthenticated:
      • No sign-in (anonymous)
      • Use IAM role policy and policy variables to restrict access
      • No user-specific policy in AWS IoT
  34. Choosing authenticated vs unauthenticated (decision flow)
      • Do you want information about the end-user? Yes -> use authenticated identities
      • Do you want to let only certain users use your app? Yes -> use authenticated identities
      • Do you want to access IoT without the user signing in? Yes -> use unauthenticated identities; No -> use either authenticated or unauthenticated
  35. Authentication vs authorization (same as slide 27)
  36. IoT policy documents
      { "Effect": "Allow", "Action": "iot:Connect",
        "Resource": "arn:*:client/${www.amazon.com:user_id}" }
      { "Effect": "Allow", "Action": "iot:Subscribe",
        "Resource": "arn:*:topicfilter/private-topic/${iot:ClientId}/*" }
      { "Effect": "Allow", "Action": "iot:Publish",
        "Resource": [ "arn:*:topic/private-topic/${iot:ClientId}",
                      "arn:*:topic/open-topic-space/*" ] }
      { "Effect": "Allow", "Action": "iot:Receive", "Resource": "*" }
  37. Attaching policy
      • IAM User (your AWS Console admin users)
      • IAM EC2 Instance Role (your EC2-based apps)
      • IAM Lambda Role (your Lambda-based apps)
      • IAM Cognito Role (Cognito end-users)
      • IoT Principal (device certificates, Cognito users)
  38. Unauthenticated access for end-users: the administrator configures Amazon Cognito with an AWS IAM permissions role
  39. Unauthenticated access for end-users (Amazon Cognito)
      AWS.config.region = 'us-east-1';
      AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'us-east-1:YOUR_IDENTITY_POOL_ID'
      });
      // Fetch an identity and temporary credentials from the identity pool
      AWS.config.credentials.get(function(err) {
        if (err) {
          console.log("ERROR: " + err);
          return;
        }
        console.log("Cognito Id is: " + AWS.config.credentials.identityId);
      });
  40. Unauthenticated access for end-users: Get Credentials (Amazon Cognito) -> AssumeRole (AWS STS) on the AWS IAM permissions role -> temporary security credentials
  41. Unauthenticated access for end-users: WebSocket Connect with the temporary security credentials -> Allowed? Yes!
  42. Policy variables for Cognito users: PUBLISH foo/us-east-1:abcdef-my-cognito-id with temporary security credentials under the AWS IAM permissions role -> Allowed? Yes!
  43. Policy variables for Cognito users: PUBLISH foo/us-east-1:abcdef-my-cognito-id with temporary security credentials; the permissions role's policy:
      { "Effect": "Allow", "Action": "iot:Publish",
        "Resource": [ "arn:*:topic/foo/${cognito-identity.amazonaws.com:sub}" ] }
  44. Policy variables for Cognito users
      Permissions role policy:
      { "Effect": "Allow", "Action": "iot:Publish",
        "Resource": [ "arn:*:topic/foo/${cognito-identity.amazonaws.com:sub}" ] }
      Client code:
      AWS.config.region = 'us-east-1';
      AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'us-east-1:YOUR_IDENTITY_POOL_ID'
      });
      AWS.config.credentials.get(function(err) {
        if (err) { return; }
        // The identity ID is what ${cognito-identity.amazonaws.com:sub} resolves to
        var cognitoId = AWS.config.credentials.identityId;
        mqttClient.connect(...);
        mqttClient.publish('foo/' + cognitoId, 'hello'); // payload added; only this topic is allowed
      });
  45. Cognito identities in AWS IoT (same as slide 33)
  46. Fine-grained access control
      Alice: SUB home/123_aws_ave/#, PUB home/123_aws_ave/light_1/on
      Bob:   SUB home/123_aws_ave/#, PUB home/123_aws_ave/door_1/open
      Chuck: SUB home/456_iot_ln
  47. Fine-grained access control: as slide 46, plus Chuck attempts PUB home/123_aws_ave/door_1/open
  48. User-specific policies
      Policy for Alice, Bob:
      { "Effect": "Allow",
        "Action": ["iot:Publish", "iot:Subscribe"],
        "Resource": [ "arn:*:topic/home/123_aws_ave",
                      "arn:*:topicfilter/home/123_aws_ave" ] }
      Policy for Chuck:
      { "Effect": "Allow",
        "Action": ["iot:Publish", "iot:Subscribe"],
        "Resource": [ "arn:*:topic/home/456_iot_ln",
                      "arn:*:topicfilter/home/456_iot_ln" ] }
  49. Unauthenticated access for end-users: the administrator creates the identity pool (Amazon Cognito), creates the AWS IAM permissions role, and creates and attaches an IoT policy for each of Alice, Bob, and Chuck
  50. Chicken and egg: when to attach the policy?
      • Users cannot connect until they have a policy in IoT
      • Policy cannot be attached without knowing the user's CognitoId
      Solution: attach a policy when the user first connects!
  51. On-demand registration: a new user (already signed in) gets credentials from Amazon Cognito (temporary security credentials, but no policy for the user yet); CONNECT -> Access denied
  52. On-demand registration (continued): the user calls Register() on AWS Lambda, which creates and attaches an IoT policy for the user; CONNECT -> OK!
  53. What permissions to attach?
      • Shape Up! demo: everyone gets "user" access
      • Only manually registered users get "control" access
      • Start with minimal permissions
  54. Outline (same as slide 2)
  55. Wrapping up
      • WebSockets make IoT interactive
      • Authentication for humans is different from authentication for devices
      • Use Lambda to drive user registration and pairing
      • Getting started with the AWS IoT Device SDK is easy
      • AWS IoT WebSockets, Rules Engine, Shadow, and Lambda make server-less applications easy
  56. Thank You!
