This is a Lambda function that creates the certificates and policies needed for AWS IoT and sets them as per-device environment variables on the balena device that invoked the Lambda function. The device can then use those environment variables to authenticate requests to the AWS IoT API.
AWS IoT is an amazingly powerful and secure way to process data produced by physical devices. But owing to this security, there are some complexities when setting up a new AWS IoT client or device. This is because the AWS IoT Device SDK uses per-device certificates to authenticate requests between the device and AWS. This is great and fairly simple to set up as a one-off, but when using more than one device with AWS IoT you'll want to do this certificate provisioning in a more automated way.
Clone this repo
$ git clone https://github.com/balena-projects/balena-aws-lambda
I use node-lambda to handle testing and deployment.
First install node-lambda:
npm install -g node-lambda
Fill in your details in env.json. You'll need the following vars:
| Key |
| --- |
| AWS_ACCESS_KEY_ID |
| AWS_SECRET_ACCESS_KEY |
| AWS_ROLE_ARN |
| RESIN_EMAIL |
| RESIN_PASSWORD |
Variables from .env are injected when running locally, allowing you to easily test the function without deploying.
You'll also need to simulate event data for testing. There is some dummy data in event.json; if you like, you can replace the uuid with a real balena device's UUID.
Once those two files are ready, run:
node-lambda run
You should get a lovely success message, and you should have an AWS thing with an attached policy and certificate in the AWS IoT console. You'll also have balena environment variables set on the device you specified in event.json.
Now we are ready to deploy to AWS. Ensure you have added your balena credentials to deploy.env first, then run:
node-lambda deploy -f deploy.env
Then log in to the AWS console and visit the Lambda console; you should see a fresh new Lambda function. Next, add an API Gateway trigger. Make sure the Method is POST and Security is open (though you could add security later).
Now we have a public endpoint for the devices to request to be provisioned.
All that's left to do is deploy the device portion to the devices and make sure your balena app has the right environment variables configured.
NOTE: During testing you may want to flush both the balena environment variables and the AWS IoT things, policies and certificates, so I've created a couple of scripts to do that.
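
An added example (not code from this repo) of the provisioning flow described at the top of this README, with the request's uuid validated before any AWS call because the API Gateway endpoint is open, and with a policy scoped to the one device. The `event.uuid` layout, the `devices/<thingName>/` topic prefix, the policy name, the environment variable names and the injected `setEnvVar` helper are assumptions; `iot` is an AWS SDK for JavaScript v2 `AWS.Iot` client.

```javascript
// Added example, not the project's code. Assumed names: event.uuid layout,
// the devices/<thing>/ topic prefix, policy name suffix, env var names.
const UUID_RE = /^(?:[0-9a-f]{32}|[0-9a-f]{62})$/; // balena UUIDs: 32 or 62 hex chars

// Reject anything that is not a well-formed balena UUID before touching AWS.
function parseUuid(event) {
  const uuid = event && event.uuid;
  if (typeof uuid !== 'string' || !UUID_RE.test(uuid)) {
    throw new Error('invalid device uuid');
  }
  return uuid;
}

// Least-privilege policy: the certificate may connect only as its own thing
// and may only use topics under devices/<thingName>/.
function devicePolicy(region, account, thingName) {
  const arn = (type, rest) => `arn:aws:iot:${region}:${account}:${type}/${rest}`;
  const topics = `devices/${thingName}/*`;
  return {
    Version: '2012-10-17',
    Statement: [
      { Effect: 'Allow', Action: 'iot:Connect', Resource: arn('client', thingName) },
      { Effect: 'Allow', Action: ['iot:Publish', 'iot:Receive'], Resource: arn('topic', topics) },
      { Effect: 'Allow', Action: 'iot:Subscribe', Resource: arn('topicfilter', topics) },
    ],
  };
}

// iot: AWS.Iot client (AWS SDK for JavaScript v2).
// setEnvVar: async (uuid, name, value) => sets a balena device variable.
async function provisionDevice({ iot, setEnvVar, region, account }, event) {
  const thingName = parseUuid(event);
  const policyName = `${thingName}-policy`;
  const policyDocument = JSON.stringify(devicePolicy(region, account, thingName));

  await iot.createThing({ thingName }).promise();
  const cert = await iot.createKeysAndCertificate({ setAsActive: true }).promise();
  await iot.createPolicy({ policyName, policyDocument }).promise();
  await iot.attachPolicy({ policyName, target: cert.certificateArn }).promise();
  await iot.attachThingPrincipal({ thingName, principal: cert.certificateArn }).promise();

  // The private key leaves the Lambda only as a per-device variable.
  await setEnvVar(thingName, 'AWS_IOT_CERT', cert.certificatePem);
  await setEnvVar(thingName, 'AWS_IOT_PRIVATE_KEY', cert.keyPair.PrivateKey);
  return { thingName, policyName, certificateId: cert.certificateId };
}
```

Validation here only checks the shape of the uuid; it does not prove the caller is that device, which is what adding security to the API Gateway trigger would address.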