Using Javascript/Nodejs how does one programmatically get a temporary provisioning claim certificate to send to the IoT device by a trusted user/installer? I have a Provisioning Template already created in my IoT Core and I can manually add it to the device, but I need a way to do it programmatically. AWS's documentation seems incredibly vague and void of examples.
1. Create a user with appropriate access on AWS
2. Obtain the user's `aws_access_key_id` and `aws_secret_access_key`
3. Configure, build, and run the Javascript AWS SDK
4. Get the temporary provisioning certificate

Reference: https://docs.aws.amazon.com/iot/latest/developerguide/provision-wo-cert.html#trusted-user
1. Log into AWS as root user or IAM user with the ability to create IAM users.
2. At the Services menu on the top menu search "IAM".
3. Select the IAM service in the populated list.
4. Select in the left-hand navigation Access Management > Policies.
5. Select Create Policy.
6. Select the JSON tab.
7. Inside the `"Statement": [ ]` array paste the following code, adjusting the REGION, ACCOUNT NUMBER, and TEMPLATE NAME data:

```json
{
  "Effect": "Allow",
  "Action": [
    "iot:CreateProvisioningClaim"
  ],
  "Resource": [
    "arn:aws:iot:REGION:ACCOUNT NUMBER:provisioningtemplate/TEMPLATE NAME"
  ]
}
```

*Reference: https://docs.aws.amazon.com/iot/latest/developerguide/provision-wo-cert.html#trusted-user
*It should be noted that at the time of this writing the code example in the AWS docs (see URL above) is missing the service field "iot" in arn:aws:iot:us-east-1… (pull request submitted for changes 5/20/2022)

8. Select Next:Tags.
9. Add appropriate tags/descriptions.
10. Select Next:Review.
11. Name it `IoTCreateProvisioningClaim` and add a memorable description.
12. Select Create Policy.
13. Select in the left-hand navigation Access Management > User groups.
14. Select Create group.
15. Name the group "IoTThingsRegistrars" and give it the `AWSIoTThingsRegistration` and the newly created `IoTCreateProvisioningClaim` permissions by searching them in the Attach permissions policies - Optional section and selecting the checkbox next to them.
16. Click Create group at the bottom of the page.
17. Select in the left-hand navigation Access Management > Users.
18. Select Add users.
19. Name the new user "ProgrammaticIoTThingsRegistrar".
20. Under Select AWS access type select the Access key - Programmatic access checkbox only.
21. Select Next: Permissions.
22. With the "Add user to group" box selected, select the newly created IoTThingsRegistrars group checkbox.
23. Select Next: Tags.
24. Add any descriptive tags.
25. Select Next: Review.
26. Select Create user.
27. Observe that you now have access to the Access Key ID (`aws_access_key_id`) and Secret Access Key (`aws_secret_access_key`).
28. Save in a secure location the Access Key ID and Secret Access Key (Download CSV).
Reference: https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/configuring-the-jssdk.html

- Install Nodejs v14+
- A Provisioning Template that's already created in AWS IoT Core.

1. In your preferred CLI create a directory called `IoTProvisioningExample`:

```sh
mkdir IoTProvisioningExample
cd IoTProvisioningExample
```

2. Add the AWS SDK Client IoT to your project (https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-iot/index.html#installing):

```sh
npm install @aws-sdk/client-iot
```

3. Create a file to add the provisioning code:

```sh
nano index.js
```

4. In `index.js` paste in the following code:

```js
// This file uses ES module syntax (import and top-level await): run `npm init -y`
// and add "type": "module" to package.json, or name the file index.mjs instead.
import { IoTClient, CreateProvisioningClaimCommand } from "@aws-sdk/client-iot";

const client = new IoTClient({ region: "us-east-1" }); // your correct region
const input = {
  templateName: "provisioning_template_created_in_step3_prerequisites", // your template name
};
const command = new CreateProvisioningClaimCommand(input);
const response = await client.send(command);
console.log(response);
```
Place `aws_access_key_id` and `aws_secret_access_key` in a location where the Javascript AWS SDK can automatically find them respective to your operating system, Environment Variables File, or EC2 instance.
https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/loading-node-credentials-environment.html

For example, if using Windows:

```sh
cd /c/Users/'User Name'/
mkdir .aws
```

In this directory create 2 new files without extensions (like `.txt` or `.js`) simply named `config` and `credentials`.

In `.aws/credentials` add and save:

```ini
[default]
aws_access_key_id = <YOUR_ACCESS_KEY_ID>
aws_secret_access_key = <YOUR_SECRET_ACCESS_KEY>
```

In `.aws/config` add and save:

```ini
[default]
region = <YOUR_REGION>
# for example: region = us-east-1
```

Return to your application directory and run:

```sh
node index.js
```
You should get a response like:

```js
{
  '$metadata': {
    httpStatusCode: 200,
    requestId: '62f6e183-ae40-****-94d0-8ca25k31e4a70',
    extendedRequestId: undefined,
    cfId: undefined,
    attempts: 1,
    totalRetryDelay: 0
  },
  certificateId: {
    // pems, private keys, etc
  }
}
```