Demonstrate how to use fleet provisioning via non-standard MQTT API to circumvent the 2k buffer size limit in the nRF9160 modem
For example, using direnv, export these environment variables:
export AWS_ACCESS_KEY_ID=...
export AWS_REGION=...
npm ci
npx cdk bootstrap # Only needed once per AWS account and region
npx cdk deploy
These credentials are to be used for provisioning only; they cannot be used for regular AWS IoT Thing operations. They are intended to be provisioned to many devices.
Run this command to create a new set of credentials, and attach the policy that allows devices to request new certificates:
npx tsx create-provision-certificate.ts
Run this command to connect using the provisioning credentials created above:
npx tsx provision.ts <certificate ID>
This will connect to the AWS IoT broker using a random device ID and publish a blank message to the topic certificate/${deviceId}/create
The Lambda function that receives this message creates a new certificate and keypair, attaches the policy for provisioned devices to the certificate, creates a Thing for the device, and attaches the certificate to the Thing.
It then publishes the private key on the topic , and the certificate on the topic
These messages can be received by any client that holds the provisioning credentials. If those credentials are compromised, an attacker can obtain new valid credentials, connect as a trusted device, and prevent genuine devices from connecting.
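The handler logic described above, written as an added example (not the project's own Lambda): it validates the device ID taken from the create topic, refuses to re-issue for an ID that is already a Thing, and publishes the key and certificate. The response topic names, the existing-Thing check and the in-memory backend are assumptions made for this example.

```typescript
// Added example, not the project's Lambda: decision logic for a handler of
// certificate/${deviceId}/create, with AWS IoT calls behind a small interface
// so it runs offline against an in-memory fake.

// AWS IoT Thing names are limited to [a-zA-Z0-9:_-], 1..128 characters, so
// only accept device IDs that are valid Thing names (rejects "..", "/", "#").
const CREATE_TOPIC = /^certificate\/([A-Za-z0-9:_-]{1,128})\/create$/;

export interface IotBackend {
  thingExists(deviceId: string): boolean;
  issueCertificate(): { certificateArn: string; certificatePem: string; privateKey: string };
  registerThing(deviceId: string, certificateArn: string): void; // create Thing, attach policy + cert
  publish(topic: string, payload: string): void;
}

export type ProvisionResult = "issued" | "bad-topic" | "already-provisioned";

export function parseCreateTopic(topic: string): string | null {
  const m = CREATE_TOPIC.exec(topic);
  return m ? m[1] : null;
}

export function handleCreateRequest(topic: string, iot: IotBackend): ProvisionResult {
  const deviceId = parseCreateTopic(topic);
  if (deviceId === null) return "bad-topic";
  // Assumed hardening: a holder of the shared provisioning credentials must
  // not be able to re-key an ID that already belongs to a provisioned device.
  if (iot.thingExists(deviceId)) return "already-provisioned";
  const cert = iot.issueCertificate();
  iot.registerThing(deviceId, cert.certificateArn);
  // Assumed response topic names; the device subscribes to these before publishing.
  iot.publish(`certificate/${deviceId}/key`, cert.privateKey);
  iot.publish(`certificate/${deviceId}/cert`, cert.certificatePem);
  return "issued";
}

// In-memory stand-in for AWS IoT (synchronous for the offline demo; a real
// backend would wrap the async SDK calls).
export class FakeIot implements IotBackend {
  things = new Map<string, string>();
  published: { topic: string; payload: string }[] = [];
  private n = 0;
  thingExists(deviceId: string) { return this.things.has(deviceId); }
  issueCertificate() {
    const id = `cert-${++this.n}`; // constructed sample identifiers
    return { certificateArn: `arn:fake:cert/${id}`, certificatePem: `PEM(${id})`, privateKey: `KEY(${id})` };
  }
  registerThing(deviceId: string, arn: string) { this.things.set(deviceId, arn); }
  publish(topic: string, payload: string) { this.published.push({ topic, payload }); }
}
```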
Finally, run this command to connect with credentials created during the provisioning step:
npx tsx connect.ts <device ID>