Authenticating clients while offline - Amazon IoT Greengrass
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Authenticating clients while offline

With offline authentication you can configure your Amazon IoT Greengrass Core device so that client devices can connect to a core device, even when the core device isn't connected to the cloud. When you use offline authentication, your Greengrass devices can continue to work in a partially offline environment.

To use offline authentication for client devices, you need the following:

  • An Amazon IoT Greengrass Core device with the Client device auth component deployed. You must use version 2.3.0 or greater for offline authentication.

  • A cloud connection for the core device during the initial connection of client devices.

Storing client credentials

When a client device connects to a core device for the first time, the core device calls the Amazon IoT Greengrass service, which verifies that the client device is registered as an Amazon IoT thing and that it presents a valid certificate. The core device then stores the result of that check locally.

The next time that the client device connects, the core device again attempts to validate it with the Amazon IoT Greengrass service. If the core device can't reach Amazon IoT Greengrass, it falls back to the locally stored device information to validate the client device.

You can configure how long the core device trusts its stored client device information. Set the clientDeviceTrustDurationMinutes configuration option in the client device auth component configuration to a value from one minute to 2,147,483,647 minutes. The default is one minute, which effectively turns off offline authentication. When you choose this value, weigh your security needs against how long you expect core devices to run while disconnected from the cloud: while the core device is offline, a client device whose stored entry has not yet expired continues to be accepted on the strength of the last successful cloud validation, even if its certificate has since been deactivated or its association with the core device removed in the cloud. A longer trust duration therefore widens the window in which such a change is not enforced locally.

The core device updates its credential storage in three cases:

  1. When a device connects to the core device for the first time.

  2. If the core device is connected to the cloud, when a client device reconnects to the core device.

  3. If the core device is connected to the cloud, once a day to refresh the entire credential store.

When the Greengrass core device refreshes its credential store, it uses the ListClientDevicesAssociatedWithCoreDevice operation. Only the client devices that this operation returns are refreshed. To associate a client device with a core device, see Associate client devices.

For the core device to call the ListClientDevicesAssociatedWithCoreDevice operation, you must grant permission for that operation to the core device's token exchange role, the Amazon Identity and Access Management (IAM) role that the core device assumes to call Amazon Web Services services on behalf of your account. For more information, see Authorize core devices to interact with Amazon services.
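The following script is an added example and is not part of the Amazon IoT Greengrass documentation or the Greengrass software. It covers both of the steps above: it generates a deployment document that merges clientDeviceTrustDurationMinutes into the client device auth component configuration (validating the one minute to 2,147,483,647 minute range before writing it), and an IAM policy document granting greengrass:ListClientDevicesAssociatedWithCoreDevice so that the token exchange role can refresh the credential store. The thing name, the ARN partition, Region and account ID, the component version string, the role name, and the trust duration of 1440 minutes (one day) are assumed placeholder values; the IAM policy scopes the permission to the core device's thing ARN, which is an assumption you should check against the IAM reference for Greengrass before using it.

```shell
#!/bin/sh
# Added example (not Greengrass documentation code): build the deployment
# document and IAM policy needed for offline client device authentication.
# All names, ARNs and versions below are assumed placeholders.

# Greengrass accepts clientDeviceTrustDurationMinutes from 1 to 2147483647.
# Returns 0 when the value is a decimal integer inside that range.
valid_trust_minutes() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;   # empty, signed or non-numeric input
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 2147483647 ]
}

# Print a CreateDeployment document on stdout. The "merge" value is itself
# a JSON string, as the Greengrass v2 deployment API expects.
deployment_json() {
  target_arn="$1"; minutes="$2"
  valid_trust_minutes "$minutes" || { echo "invalid trust duration: $minutes" >&2; return 1; }
  cat <<EOF
{
  "targetArn": "$target_arn",
  "deploymentName": "offline-client-auth",
  "components": {
    "aws.greengrass.clientdevices.Auth": {
      "componentVersion": "2.3.0",
      "configurationUpdate": {
        "merge": "{\"clientDeviceTrustDurationMinutes\": $minutes}"
      }
    }
  }
}
EOF
}

# Print an IAM policy document that lets the core device's token exchange
# role list the client devices associated with this core device only.
# Assumption: the resource ARN is the core device's Amazon IoT thing ARN.
iam_policy_json() {
  core_device_arn="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "greengrass:ListClientDevicesAssociatedWithCoreDevice",
      "Resource": "$core_device_arn"
    }
  ]
}
EOF
}

# Apply the generated files with the AWS CLI. Not called below, because it
# needs credentials; run it after reviewing the generated documents.
apply_offline_auth() {
  aws greengrassv2 create-deployment --cli-input-json file://deployment.json
  aws iam put-role-policy --role-name GreengrassV2TokenExchangeRole \
    --policy-name ListClientDevicesAssociatedWithCoreDevice \
    --policy-document file://list-client-devices-policy.json
}

# Assumed placeholders: replace with your partition, Region, account and thing.
CORE_THING_NAME="MyGreengrassCore"
CORE_THING_ARN="arn:aws-cn:iot:cn-north-1:123456789012:thing/$CORE_THING_NAME"
TRUST_MINUTES=1440   # one day; the default of 1 disables offline auth

deployment_json "$CORE_THING_ARN" "$TRUST_MINUTES" > deployment.json
iam_policy_json "$CORE_THING_ARN" > list-client-devices-policy.json
```

Because the deployment merges a single key, the existing deviceGroups and other client device auth settings on the core device are left as they are. The validation function rejects the value before any file is written, so a typo such as an extra digit fails locally rather than in the deployment.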