Configuration

Enabling Krypton will incur fees based on the number of devices that use the service. Refer to the Pricing & Fee Schedule for more information.

Soracom Krypton settings are found in Soracom Air for Cellular group settings.

Because Krypton connects to AWS IoT or Amazon Cognito during provisioning, it requires programmatic access to your AWS account using an Access key ID and Secret access key. For security, generate the Access key ID and Secret access key for an AWS IAM user that has only the permissions necessary for credential provisioning.

As the required permissions vary depending on the Service Provider, follow the corresponding instructions for setting up the Access key ID and Secret access key with the appropriate permissions:

Once you have generated an Access key ID and Secret access key, proceed with Krypton configuration:

  1. Log in to the User Console (https://console.soracom.io). Click your account menu, then select Security.

  2. Click the Credentials tab, then click the Register a credentials set button.

  3. Enter a Credentials set ID, and select AWS credentials as the Type. Then enter the AWS Access Key ID and AWS Secret Access Key, and click the Register button.

With the credential set registered, you can configure Krypton:

  1. From the Menu, open the Groups screen.

  2. From the list of groups, click the name of the group you want to configure to open its settings page.

  3. From the Basic Settings tab, click the SORACOM Krypton panel to expand its settings.

  4. Enable Krypton by switching the option to ON.

  5. Click the button and select the provisioning Service Provider. Enter the configuration parameters required:

    • AWS IoT configuration

      • Region - The AWS IoT region used, such as us-east-1.
      • Credentials set - The AWS credentials configured earlier.
      • Policy name - The AWS IoT policy name to assign to a provisioned device.
      • Thing name pattern - The name to apply to a provisioned device if not specified by the device.
      • Host name - The AWS IoT endpoint host name.
    • Amazon Cognito configuration
      • Region - The Amazon Cognito region used, such as us-east-1.
      • Credentials set - The AWS credentials configured earlier.
      • Identity pool ID - The Cognito identity pool used for device provisioning, such as us-east-1:abcdef00-0000-0000-0000-000012345678.
      • Developer provider name - krypton.soracom.io

    Then click the OK button.

  6. Click the Save button at the bottom of the panel.

Once Krypton has been enabled and configured, devices that use an Air for Cellular subscriber that belongs to the configured group will be able to access the Provisioning APIs.


Advanced Configuration

Krypton can also be configured through the Soracom API or CLI by using the SoracomKrypton namespace.

Configuration Structure

When configuring Krypton for use with AWS IoT, the group configuration will have the following structure:

"SoracomKrypton": {
  "enabled": true|false,
  "AwsIot": {
    "region": "us-east-1",
    "credentialsId": "my-aws-credentials",
    "policyName": "myThingPolicy",
    "thingNamePattern": "myDevice-$imsi",
    "host": "abcdef0012345678.iot.us-east-1.amazonaws.com"
  }
}

When configuring Krypton for use with Amazon Cognito, the group configuration will have the following structure:

"SoracomKrypton": {
  "enabled": true|false,
  "AmazonCognito": {
    "region": "us-east-1",
    "credentialsId": "my-aws-credentials",
    "identityPoolId": "us-east-1:abcdef00-0000-0000-0000-000012345678",
    "developerProviderName": "krypton.soracom.io"
  }
}

Parameters

Enable or disable Krypton:

Modify configuration parameters for use with AWS IoT:

Modify configuration parameters for use with Amazon Cognito:

Sample AWS IoT Configuration

[
  {
    "key": "enabled",
    "value": true
  },
  {
    "key": "AwsIot",
    "value": {
      "region": "us-east-1",
      "credentialsId": "my-aws-credentials",
      "policyName": "myThingPolicy",
      "thingNamePattern": "myDevice-$imsi",
      "host": "abcdef0012345678.iot.us-east-1.amazonaws.com"
    }
  }
]

Sample Amazon Cognito Configuration

[
  {
    "key": "enabled",
    "value": true
  },
  {
    "key": "AmazonCognito",
    "value": {
      "region": "us-east-1",
      "credentialsId": "my-aws-credentials",
      "identityPoolId": "us-east-1:abcdef00-0000-0000-0000-000012345678",
      "developerProviderName": "krypton.soracom.io"
    }
  }
]
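
The following linter is an added example, not Soracom's own code: it checks a key/value payload like the two samples above before it is applied to a group, catching values pasted into the wrong field, region mismatches, and undocumented fields such as an inline secret. The function name lint_krypton_config, the sample payload, and the assumed AWS IoT endpoint and Cognito identity pool ID formats are assumptions of this example.

```python
import re

# Field names taken from the configuration structures on this page.
REQUIRED = {
    "AwsIot": {"region", "credentialsId", "policyName", "thingNamePattern", "host"},
    "AmazonCognito": {"region", "credentialsId", "identityPoolId", "developerProviderName"},
}
# Assumed formats: "<region>:<uuid>" pool IDs, "<prefix>[-ats].iot.<region>.amazonaws.com" hosts.
POOL_ID = re.compile(r"^([a-z]{2}(?:-[a-z]+)+-\d):[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
IOT_HOST = re.compile(r"^[a-z0-9]+(?:-ats)?\.iot\.([a-z0-9-]+)\.amazonaws\.com$")

def lint_krypton_config(entries):
    """Return a list of problems found in a Krypton key/value payload (hypothetical helper)."""
    problems = []
    cfg = {e.get("key"): e.get("value") for e in entries}
    if not isinstance(cfg.get("enabled"), bool):
        problems.append("enabled must be a JSON boolean")
    providers = [k for k in cfg if k in REQUIRED]
    if not providers:
        problems.append("no AwsIot or AmazonCognito entry")
    for unknown in sorted(set(cfg) - set(REQUIRED) - {"enabled"}, key=str):
        problems.append(f"unexpected key: {unknown}")
    for name in providers:
        value = cfg[name] if isinstance(cfg[name], dict) else {}
        for field in sorted(REQUIRED[name] - set(value)):
            problems.append(f"{name}.{field} is missing")
        for field in sorted(set(value) - REQUIRED[name]):
            problems.append(f"{name}.{field} is not a documented field")
        region = value.get("region", "")
        if name == "AwsIot":
            host = IOT_HOST.match(value.get("host", ""))
            if "host" in value and (not host or host.group(1) != region):
                problems.append("AwsIot.host is not an AWS IoT endpoint in the configured region")
            if POOL_ID.match(value.get("policyName", "")):
                problems.append("AwsIot.policyName looks like a Cognito identity pool ID")
        else:
            pool = POOL_ID.match(value.get("identityPoolId", ""))
            if "identityPoolId" in value and (not pool or pool.group(1) != region):
                problems.append("AmazonCognito.identityPoolId does not match the configured region")
            if value.get("developerProviderName", "krypton.soracom.io") != "krypton.soracom.io":
                problems.append("AmazonCognito.developerProviderName must be krypton.soracom.io")
    return problems

# Constructed sample: pool ID pasted into policyName, endpoint in a different region.
SAMPLE = [{"key": "enabled", "value": True}, {"key": "AwsIot", "value": {
    "region": "us-east-1", "credentialsId": "my-aws-credentials", "thingNamePattern": "myDevice-$imsi",
    "policyName": "us-east-1:abcdef00-0000-0000-0000-000012345678",
    "host": "abcdef0012345678.iot.eu-west-1.amazonaws.com"}}]
if __name__ == "__main__":
    print("\n".join(lint_krypton_config(SAMPLE)) or "ok")
```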