
Upload the firmware file to an S3 bucket and add an IAM role

You can use Amazon S3 to create a bucket, which is a container that can store your firmware update file. You can upload your file to the S3 bucket and add an IAM role that allows the CUPS server to read your update file from the bucket. For more information about Amazon S3, see Getting started with Amazon S3.

The firmware update file that you want to upload depends on the gateway you're using. If you followed a procedure similar to the one described in Generate the firmware update file and signature, you'll upload the fwstation file generated by running the scripts.

This procedure takes about 20 minutes to complete.

Create an Amazon S3 bucket and upload the update file

You'll create an Amazon S3 bucket by using the Amazon Web Services Management Console and then upload your firmware update file into the bucket.

Create an S3 bucket

To create an S3 bucket, open the Amazon S3 console. Sign in if you haven't already and then perform the following steps:

  1. Choose Create bucket.

  2. For Bucket name, enter a unique and meaningful name (for example, iotwirelessfwupdate). For the recommended naming conventions for your bucket, see https://docs.amazonaws.cn/AmazonS3/latest/userguide/bucketnamingrules.html.

  3. Make sure that the Amazon Web Services Region you selected is the same one you used to create your LoRaWAN gateway and device, and that the Block all public access setting is selected so that your bucket uses the default permissions.

  4. Choose Enable for Bucket versioning, which will help you keep multiple versions of the firmware update file in the same bucket.

  5. Confirm Server-side encryption is set to Disable and choose Create bucket.

Upload your firmware update file

You can now see your bucket in the list of Buckets displayed in the Amazon Web Services Management Console. Choose your bucket and complete the following steps to upload your file.

  1. Choose your bucket and then choose Upload.

  2. Choose Add file and then upload the firmware update file. If you followed the procedure described in Generate the firmware update file and signature, you'll upload the fwstation file; otherwise, upload the file provided by your gateway manufacturer.

  3. Make sure all settings are set to their default. Make sure that Predefined ACLs is set to private and choose Upload to upload your file.

  4. Copy the S3 URI of the file you uploaded. Choose your bucket and you'll see the file you uploaded displayed in the list of Objects. Choose your file and then choose Copy S3 URI. The URI will be something like s3://iotwirelessfwupdate/fwstation if you named your bucket similar to the example described previously and uploaded the fwstation file. You'll use the Amazon S3 URI when creating the IAM role.

Create an IAM role with permissions to read the S3 bucket

You'll now create an IAM role and policy that will give CUPS the permission to read your firmware update file from the S3 bucket.

Create an IAM policy for your role

To create an IAM policy for your Amazon IoT Core for LoRaWAN destination role, open the Policies hub of the IAM console and then complete the following steps:

  1. Choose Create policy, and choose the JSON tab.

  2. Delete any content from the editor and paste this policy document. The policy provides permissions to access the iotwirelessfwupdate bucket and the firmware update file, fwstation, stored as an object in that bucket.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucketVersions",
                    "s3:ListBucket",
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::iotwirelessfwupdate/fwstation",
                    "arn:aws:s3:::iotwirelessfwupdate"
                ]
            }
        ]
    }

  3. Choose Review policy, and in Name, enter a name for this policy (for example, IoTWirelessFwUpdatePolicy). You'll need this name to use in the next procedure.

  4. Choose Create policy.

Create an IAM role with the attached policy

You'll now create an IAM role and attach the policy created previously for accessing the S3 bucket. Open the Roles hub of the IAM console and complete the following steps:

  1. Choose Create role.

  2. In Select type of trusted entity, choose Another Amazon Web Services account.

  3. In Account ID, enter your Amazon Web Services account ID, and then choose Next: Permissions.

  4. In the search box, enter the name of the IAM policy that you created in the previous procedure. Check the IAM policy (for example, IoTWirelessFwUpdatePolicy) you created earlier in the search results and choose it.

  5. Choose Next: Tags, and then choose Next: Review.

  6. In Role name, enter the name of this role (for example, IoTWirelessFwUpdateRole), and then choose Create role.

Edit trust relationship of the IAM role

In the confirmation message displayed after you ran the previous step, choose the name of the role you created to edit it. You'll edit the role to add the following trust relationship.

  1. In the Summary section of the role you created, choose the Trust relationships tab, and then choose Edit trust relationship.

  2. In Policy Document, change the Principal property to look like this example.

    "Principal": { "Service": "iotwireless.amazonaws.com" },

    After you change the Principal property, the complete policy document should look like this example.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "iotwireless.amazonaws.com"
                },
                "Action": "sts:AssumeRole",
                "Condition": {}
            }
        ]
    }

  3. To save your changes and exit, choose Update Trust Policy.

  4. Obtain the ARN for your role. Choose your IAM role and in the Summary section, you'll see a Role ARN, such as arn:aws:iam::123456789012:role/IoTWirelessFwUpdateRole. Copy this Role ARN.
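
A check you can run on the two policy documents from this procedure, as an added example that is not part of the AWS documentation: it reports any action, resource or principal beyond what the procedure grants. The constants use the page's example names; `UNEDITED_TRUST` is a constructed sample that assumes the role's trust policy still names your account, as it would before the Principal edit.

```python
import json

# Values from the page's examples; substitute your own bucket and object key.
BUCKET_ARN = "arn:aws:s3:::iotwirelessfwupdate"
ALLOWED_RESOURCES = {BUCKET_ARN, BUCKET_ARN + "/fwstation"}
ALLOWED_ACTIONS = {"s3:ListBucketVersions", "s3:ListBucket", "s3:GetObject"}
SERVICE = "iotwireless.amazonaws.com"

def _listify(value):
    """IAM accepts either a single value or a list in most policy fields."""
    return value if isinstance(value, list) else [value]

def _allow_statements(policy_json):
    # Only Allow statements can widen access, so Deny statements are skipped.
    doc = json.loads(policy_json)
    return [s for s in _listify(doc["Statement"]) if s.get("Effect") == "Allow"]

def check_permissions_policy(policy_json):
    """Return findings where the policy grants more than read access to the firmware file."""
    findings = []
    for stmt in _allow_statements(policy_json):
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("NotAction/NotResource grants everything outside its list")
        for action in _listify(stmt.get("Action", [])):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"unexpected action: {action}")
        for resource in _listify(stmt.get("Resource", [])):
            if resource not in ALLOWED_RESOURCES:
                findings.append(f"unexpected resource: {resource}")
    return findings

def check_trust_policy(policy_json):
    """Return findings where anything other than the IoT Wireless service can assume the role."""
    findings = []
    for stmt in _allow_statements(policy_json):
        principal = stmt.get("Principal")
        pairs = ([(k, v) for k, vs in principal.items() for v in _listify(vs)]
                 if isinstance(principal, dict) else [("Principal", principal)])
        for kind, value in pairs:
            if (kind, value) != ("Service", SERVICE):
                findings.append(f"unexpected principal: {kind}={value}")
        for action in _listify(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected action: {action}")
    return findings

# Constructed sample (assumption): trust policy that still names the account, not the service.
UNEDITED_TRUST = '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "sts:AssumeRole", "Condition": {}}]}'
if __name__ == "__main__":
    print(check_trust_policy(UNEDITED_TRUST))
```

An empty list means the document matches the scope described in this procedure.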

Review the next steps

Now that you have created the S3 bucket and an IAM role that allows the CUPS server to read the S3 bucket, go to the next topic to schedule and run the firmware update. Keep the S3 URI and Role ARN that you copied previously so that you can enter them to create a task definition that will be run to perform the firmware update.