Provisioning with AWS IoT

By enabling Krypton for AWS IoT, you can easily provision and deliver AWS IoT device certificates, and perform device registration on AWS IoT. Provisioning can be initiated during the device's initialization process, so that installing certificates on the device is not required beforehand.

After completing provisioning, your device will be able to communicate directly with AWS IoT services using MQTTS.

Configuring AWS IoT

In order to enable AWS IoT integration, your AWS account must be configured to provide Krypton with programmatic access to AWS IoT. This process only needs to be performed once, and involves the following steps:

  1. Create an AWS IoT Policy.
  2. Create an IAM User with access to AWS IoT, and generate an Access key ID and Secret access key credential set.
  3. Register the credential set on Soracom, and configure Krypton.

Creating an AWS IoT Policy

  1. Login to the AWS Management Console . From the Services menu, open the IoT Core dashboard.


  2. Click the Secure section, then click the Policies screen.


  3. Click the Create button.

    Follow the Create a policy wizard to configure the device policy that your devices should receive when connecting with AWS IoT.

    Refer to AWS IoT Policy documentation for information on how to configure a device policy. You can modify this policy later if needed.


Once the policy has been created, it should show up in the AWS IoT Core dashboard in the list of policies. Note the policy Name, as it is required when configuring Krypton.

Creating an IAM User

  1. From the AWS Services menu, open the IAM dashboard.


  2. Click the Users section, then click the Add user button.


  3. Enter a User name, and enable Programmatic access. Then click the Next: Permissions button.


Our IAM user requires a two permissions in order to generate certificates and register devices. These permissions are provided by AWS policies, which we will attach to our user:

  1. Under the Set permission section, click Attach existing policies directly.

  2. Attach a policy that enables certificate generation:

    1. Click the Create policy button. A dialog will pop up.


    2. In the Create a policy wizard, click Choose a service, then search for and select the IoT service.

    3. In the Actions options, search for CreateKeysAndCertificate, and click its to add the action to the policy.


    4. Click Review policy.

    5. Enter a Name for the policy, such as AWSIoTCreateKeysAndCertificate. Then click the Create policy button.


    6. Return to the Add user screen. Click the button to reload available policies, then search for the policy we just created. Click the to attach it to the new user.


  3. Attach a policy that enables device registration:

    1. Search for the AWSIoTThingsRegistration policy and click its to attach it to the new user.


  4. Continue the Add user wizard by clicking the Next buttons, keeping the default values for the remaining sections. Then click Create user to complete the wizard.


Once the new user has been created, it will appear along with its Access key ID and Secret access key. Save these keys in a secure location.


Configuring Krypton

Once your AWS account has been configured using the above steps, you will have the following information:

You can then use this information to configure Krypton using the Krypton Configuration documentation, following the instructions for integrating Krypton with AWS IoT.

Once Krypton has been configured, your devices can begin using Krypton's provisioning service.

Example Provisioning Process

The following NodeJS project demonstrates the typical bootstrap process utilizing Krypton to register and connect to AWS IoT using MQTTS.


Project Installation

Download the Krypton Example Project for NodeJS to your device and extract it. This will create a /kryptonExamples directory containing an iot-bootstrap.js NodeJS project file.

Open the /kryptonExamples directory and install package dependencies:

npm install

Authentication Method

The iot-bootstrap.js file expects a krypton-iot script which will perform device authentication. Our example project includes the following authentication scripts:

Let's make a symlink for one of these scripts:

ln -sf krypton-iot-cellular krypton-iot

If using Air authentication, ensure that your modem is connected.

If using Endorse authentication, you will also need to download and extract the corresponding Krypton Client to the same /kryptonExamples directory. Refer to the Krypton Overview documentation and Krypton Client repositories for installation requirements and instructions.


Now let's run the iot-bootstrap.js script:

node iot-bootstrap.js

As the script runs, it will perform the following:

Once the device has connected to AWS IoT, the NodeJS script will output connect. You can test connectivity by publishing a message to the test topic topic_1, and observing that the device is able to receive the message.