Create and Register Fleets and Authenticate Devices - Amazon SageMaker
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Create and Register Fleets and Authenticate Devices

In this section you will create your Amazon IoT thing object, create a device fleet, register your device fleet so it can interact with the cloud, create X.509 certificates to authenticate your devices to Amazon IoT Core, associate with Amazon IoT the role alias that was generated when you created your fleet, get your Amazon account-specific endpoint for the credentials provider, get an official Amazon root CA file, and upload the Amazon CA file to Amazon S3.

  1. Create Amazon IoT things.

    SageMaker Edge Manager takes advantage of the Amazon IoT Core services to facilitate the connection between the edge devices and endpoints in the Amazon cloud. You can take advantage of existing Amazon IoT functionality after you set up your devices to work with Edge Manager.

    To connect your device to Amazon IoT, you need to create Amazon IoT thing objects, create and register a client certificate with Amazon IoT, and create and configure the IAM role for your devices.

    First, create Amazon IoT thing objects with the Amazon IoT client (iot_client) you created earlier with Boto3. The following example creates a thing type and then a thing object of that type:

    iot_thing_name = 'sample-device'
    iot_thing_type = 'getting-started-demo'

    iot_client.create_thing_type(
        thingTypeName=iot_thing_type
    )

    # Create an Amazon IoT thing object of that type
    iot_client.create_thing(
        thingName=iot_thing_name,
        thingTypeName=iot_thing_type
    )
  2. Create your device fleet.

    Create a device fleet with the SageMaker client object defined in a previous step. You can also use the SageMaker console to create a device fleet.

    import time

    device_fleet_name = "demo-device-fleet" + str(time.time()).split('.')[0]
    device_name = "sagemaker-edge-demo-device" + str(time.time()).split('.')[0]

    Specify your IoT role ARN. This lets Amazon IoT grant temporary credentials to devices.

    device_model_directory = 'device_output'
    s3_device_fleet_output = 's3://{}/{}'.format(bucket, device_model_directory)

    sagemaker_client.create_device_fleet(
        DeviceFleetName=device_fleet_name,
        RoleArn=iot_role_arn,  # IoT Role ARN specified in previous step
        OutputConfig={
            'S3OutputLocation': s3_device_fleet_output
        }
    )

    An Amazon IoT role alias is created when you create a device fleet. This role alias is associated with Amazon IoT using the iot_client object in a later step.

  3. Register your device fleet.

    To interact with the cloud, you need to register your device with SageMaker Edge Manager. In this example, you register a single device with the fleet you created. To register the device, you need to provide a device name and the Amazon IoT thing name as shown in the following example:

    # Device name should be 36 characters
    device_name = "sagemaker-edge-demo-device" + str(time.time()).split('.')[0]

    sagemaker_client.register_devices(
        DeviceFleetName=device_fleet_name,
        Devices=[
            {
                "DeviceName": device_name,
                "IotThingName": iot_thing_name
            }
        ]
    )
  4. Create X.509 certificates.

    After creating the Amazon IoT thing object, you must create an X.509 device certificate for your thing object. This certificate authenticates your device to Amazon IoT Core.

    Use the following to create a private key, a public key, and an X.509 certificate file with the Amazon IoT client (iot_client) you defined earlier. The private key is written with your default file permissions; restrict it to the owner (for example, chmod 600) before leaving it on disk.

    # Creates a 2048-bit RSA key pair and issues an X.509
    # certificate using the issued public key.
    create_cert = iot_client.create_keys_and_certificate(
        setAsActive=True
    )

    # Get the certificate from the dictionary object and save it in its own file
    with open('./device.pem.crt', 'w') as f:
        for line in create_cert['certificatePem'].split('\n'):
            f.write(line)
            f.write('\n')

    # Get the private key from the dictionary object and save it in its own file
    with open('./private.pem.key', 'w') as f:
        for line in create_cert['keyPair']['PrivateKey'].split('\n'):
            f.write(line)
            f.write('\n')

    # Get the public key from the dictionary object and save it in its own file
    with open('./public.pem.key', 'w') as f:
        for line in create_cert['keyPair']['PublicKey'].split('\n'):
            f.write(line)
            f.write('\n')
  5. Associate the role alias with Amazon IoT.

    When you create a device fleet with SageMaker (sagemaker_client.create_device_fleet()), a role alias is generated for you. An Amazon IoT role alias provides a mechanism for connected devices to authenticate to Amazon IoT using X.509 certificates, and then obtain short-lived Amazon credentials from an IAM role that is associated with an Amazon IoT role alias. The role alias allows you to change the role of the device without having to update the device. Use DescribeDeviceFleet to get the role alias name and ARN.

    # Print the fleet description, which includes the Amazon Resource Name (ARN)
    # of the role alias that has access to Amazon Internet of Things (IoT).
    fleet_description = sagemaker_client.describe_device_fleet(DeviceFleetName=device_fleet_name)
    print(fleet_description)

    # The IotRoleAlias field holds the full role alias ARN; the alias name itself
    # starts at 'SageMaker', so slice it out for use with the IoT client.
    full_role_alias_name = fleet_description['IotRoleAlias']
    start_index = full_role_alias_name.find('SageMaker')  # Find beginning of role alias name
    role_alias_name = full_role_alias_name[start_index:]

    Use iot_client to look up, in Amazon IoT, the role alias that was generated when you created the device fleet; its ARN is needed for the policy that ties the alias to your certificate:

    role_alias = iot_client.describe_role_alias(
        roleAlias=role_alias_name
    )

    For more information about IoT role aliases, see Role alias allows access to unused services.

    You created and registered a certificate with Amazon IoT earlier for successful authentication of your device. Now, you need to create and attach a policy to the certificate to authorize the request for the security token.

    import json

    # Allow only the assume-role call, and only on this fleet's role alias
    alias_policy = {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Action": "iot:AssumeRoleWithCertificate",
            "Resource": role_alias['roleAliasDescription']['roleAliasArn']
        }
    }

    policy_name = 'aliaspolicy-' + str(time.time()).split('.')[0]
    aliaspolicy = iot_client.create_policy(
        policyName=policy_name,
        policyDocument=json.dumps(alias_policy)
    )

    # Attach the policy to the device certificate created earlier
    iot_client.attach_policy(
        policyName=policy_name,
        target=create_cert['certificateArn']
    )
  6. Get your Amazon account-specific endpoint for the credentials provider.

    Edge devices need an endpoint in order to assume credentials. Obtain your Amazon account-specific endpoint for the credentials provider.

    # Get the unique endpoint specific to the Amazon account that is making the call.
    iot_endpoint = iot_client.describe_endpoint(
        endpointType='iot:CredentialProvider'
    )
    endpoint = "https://{}/role-aliases/{}/credentials".format(
        iot_endpoint['endpointAddress'], role_alias_name
    )
  7. Get the official Amazon root CA file and upload it to the Amazon S3 bucket.

    Use the following in your Jupyter notebook or the Amazon CLI (if you run it from a terminal, drop the leading '!' notebook magic):

    !wget https://www.amazontrust.com/repository/AmazonRootCA1.pem

    Use the endpoint to make an HTTPS request to the credentials provider to return a security token. The following example command uses curl, but you can use any HTTP client.

    !curl --cert device.pem.crt --key private.pem.key --cacert AmazonRootCA1.pem $endpoint

    If the certificate is verified, upload the keys and certificate to your Amazon S3 bucket URI:

    !aws s3 cp private.pem.key s3://{bucket}/authorization-files/
    !aws s3 cp device.pem.crt s3://{bucket}/authorization-files/
    !aws s3 cp AmazonRootCA1.pem s3://{bucket}/authorization-files/

    Clean your working directory by moving your keys and certificate to a different directory:

    # Optional - Clean up working directory
    !mkdir authorization-files
    !mv private.pem.key device.pem.crt AmazonRootCA1.pem authorization-files/
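    The credential flow in steps 5 to 7, as an added Python example that is not from the SageMaker documentation: it extracts the role alias name from the alias ARN, builds the credentials provider URL, checks that an alias policy grants nothing beyond iot:AssumeRoleWithCertificate on concrete ARNs, and validates the JSON the provider returns. The sample ARN, endpoint host and credentials are constructed placeholders, and the response shape (a credentials object holding accessKeyId, secretAccessKey, sessionToken and expiration) is assumed.

```python
import json
from datetime import datetime, timezone

# Constructed sample values (placeholder account id and endpoint host); not taken from the page.
SAMPLE_ROLE_ALIAS_ARN = "arn:aws-cn:iot:cn-north-1:123456789012:rolealias/SageMakerEdge-demo-device-fleet"
SAMPLE_ENDPOINT_ADDRESS = "abc123example.credentials.iot.cn-north-1.amazonaws.com.cn"

def role_alias_name_from_arn(role_alias_arn):
    """Take the alias name after 'rolealias/' instead of searching for the string 'SageMaker'."""
    prefix = "rolealias/"
    idx = role_alias_arn.find(prefix)
    if idx < 0:
        raise ValueError("not a role alias ARN: %s" % role_alias_arn)
    return role_alias_arn[idx + len(prefix):]

def credentials_url(endpoint_address, role_alias_name):
    """The URL the device calls with its X.509 certificate to obtain temporary credentials."""
    return "https://{}/role-aliases/{}/credentials".format(endpoint_address, role_alias_name)

def policy_is_least_privilege(policy):
    """True only if every Allow statement grants just iot:AssumeRoleWithCertificate on concrete ARNs."""
    statements = policy["Statement"]
    if isinstance(statements, dict):          # the page's policy uses a single statement object
        statements = [statements]
    for s in statements:
        if s.get("Effect") == "Deny":
            continue
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        resources = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
        if actions != ["iot:AssumeRoleWithCertificate"]:
            return False
        if any("*" in r or not r.startswith("arn:") for r in resources):
            return False
    return True

def _parse_utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_credentials(body, now=None):
    """Parse the provider's JSON reply; None if fields are missing or the token has already expired."""
    creds = json.loads(body).get("credentials", {})
    required = ("accessKeyId", "secretAccessKey", "sessionToken", "expiration")
    if not all(k in creds for k in required):
        return None
    expiry = _parse_utc(creds["expiration"])
    now = _parse_utc(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    if expiry <= now:
        return None
    return {"access_key": creds["accessKeyId"], "secret_key": creds["secretAccessKey"],
            "token": creds["sessionToken"], "expires_at": expiry}
```

    Run policy_is_least_privilege over the alias_policy from step 5 before calling create_policy, and feed the body returned by the curl call in step 7 to parse_credentials to confirm the device actually received usable, unexpired credentials.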