Tutorial: Provisioning your device in Amazon IoT
This section creates the Amazon IoT Core resources that your tutorial will use.
Steps to provision your device in Amazon IoT
Step 1: Create an Amazon IoT policy for the Device Shadow
X.509 certificates authenticate your device with Amazon IoT Core. Amazon IoT policies are attached to that certificate and grant the device permission to perform Amazon IoT operations, such as subscribing or publishing to the MQTT reserved topics used by the Device Shadow service. Your device presents its certificate when it connects to Amazon IoT Core and sends messages.
In this procedure, you'll create a policy that allows your device to perform the Amazon IoT operations necessary to run the example program. We recommend that you create a policy that grants only the permissions required to perform the task. You create the Amazon IoT policy first, and then attach it to the device certificate that you'll create later.
To create an Amazon IoT policy
- On the left menu, choose Secure, and then choose Policies. If your account has existing policies, choose Create; otherwise, on the You don't have a policy yet page, choose Create a policy.
- On the Create a policy page:
  - Enter a name for the policy in the Name field (for example, My_Device_Shadow_policy). Do not use personally identifiable information in your policy names.
  - In the policy document, you describe the connect, subscribe, receive, and publish actions that give the device permission to publish and subscribe to the MQTT reserved topics.
    Copy the following sample policy and paste it in your policy document. Replace thingname with the name of the thing that you'll create (for example, My_light_bulb), region with the Amazon IoT Region where you're using the services, and account with your Amazon Web Services account number. For more information about Amazon IoT policies, see Amazon IoT Core policies.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "iot:Publish"
          ],
          "Resource": [
            "arn:aws:iot:region:account:topic/$aws/things/thingname/shadow/get",
            "arn:aws:iot:region:account:topic/$aws/things/thingname/shadow/update"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "iot:Receive"
          ],
          "Resource": [
            "arn:aws:iot:region:account:topic/$aws/things/thingname/shadow/get/accepted",
            "arn:aws:iot:region:account:topic/$aws/things/thingname/shadow/get/rejected",
            "arn:aws:iot:region:account:topic/$aws/things/thingname/shadow/update/accepted",
            "arn:aws:iot:region:account:topic/$aws/things/thingname/shadow/update/rejected",
            "arn:aws:iot:region:account:topic/$aws/things/thingname/shadow/update/delta"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "iot:Subscribe"
          ],
          "Resource": [
            "arn:aws:iot:region:account:topicfilter/$aws/things/thingname/shadow/get/accepted",
            "arn:aws:iot:region:account:topicfilter/$aws/things/thingname/shadow/get/rejected",
            "arn:aws:iot:region:account:topicfilter/$aws/things/thingname/shadow/update/accepted",
            "arn:aws:iot:region:account:topicfilter/$aws/things/thingname/shadow/update/rejected",
            "arn:aws:iot:region:account:topicfilter/$aws/things/thingname/shadow/update/delta"
          ]
        },
        {
          "Effect": "Allow",
          "Action": "iot:Connect",
          "Resource": "arn:aws:iot:region:account:client/test-*"
        }
      ]
    }

    Every topic and topic-filter resource in this policy is scoped to the shadow of the single thing named thingname, so a device holding this certificate can't read or write any other thing's shadow. The iot:Connect statement is broader: it allows a connection with any client ID that begins with test-. If you narrow it, make sure the client ID that the sample application connects with still matches the pattern, or the connection will be refused.
Step 2: Create a thing resource and attach the policy to the thing
Devices connected to Amazon IoT can be represented by thing resources in the Amazon IoT registry. A thing resource represents a specific device or logical entity, such as the light bulb in this tutorial.
To learn how to create a thing in Amazon IoT, follow the steps described in Create a thing object. Here are some key things to note as you follow the steps in that tutorial:
- Choose Create a single thing, and in the Name field, enter a name for the thing that is the same as the thingname (for example, My_light_bulb) you specified when you created the policy earlier. You can't change a thing name after it has been created. If you gave it a name other than thingname, create a new thing named thingname and delete the old thing.
  Note: Do not use personally identifiable information in your thing name. The thing name can appear in unencrypted communications and reports.
- Download each of the certificate files on the Certificate created! page into a location where you can easily find them; you'll need to install these files to run the sample application. The private key is only available for download at this point, so save it now. We recommend that you download the files into a certs subdirectory in your home directory on the Raspberry Pi and give each of them the simpler name suggested in the following table. Because the private key is the device's credential, keep it readable only by the user that runs the sample application (for example, chmod 600 ~/certs/private.pem.key).

  Certificate file names
  File                  File path
  Root CA certificate   ~/certs/Amazon-root-CA-1.pem
  Device certificate    ~/certs/device.pem.crt
  Private key           ~/certs/private.pem.key
- After you activate the certificate to enable connections to Amazon IoT, choose Attach a policy and make sure you attach the policy that you created earlier (for example, My_Device_Shadow_policy). The policy is attached to the certificate, and the certificate is attached to the thing; together they let the device identified by that certificate perform the shadow operations the policy allows.

After you've created a thing, you can see your thing resource displayed in the list of things in the Amazon IoT console.
Step 3: Review the results and next steps
In this tutorial, you learned how to:
- Set up and configure the Raspberry Pi device.
- Create an Amazon IoT policy document that authorizes your device to interact with Amazon IoT services.
- Create a thing resource and associated X.509 device certificate, and attach the policy document to it.
Next steps
You can now install the Amazon IoT device SDK for Python, run the shadow.py sample application, and use Device Shadows to control the state. For more information about how to run this tutorial, see Tutorial: Installing the Device SDK and running the sample application for Device Shadows.