Overview
Fleet provisioning by claim is one of the device provisioning methods offered by AWS IoT for provisioning a device and installing a unique certificate on it. Devices are shipped with a claim certificate and private key embedded in them. The claim certificate and private key are shared by all of the devices and serve a single, special purpose: bootstrapping provisioning.
The device uses the claim certificate to generate a unique certificate and its associated private key. It is then registered as a thing by the provisioning template associated with the claim certificate on AWS IoT.
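The two-step exchange described above, simulated end to end. This is an added example, not code from the original page, Espressif or the AWS SDK. It assumes an in-memory broker in place of AWS IoT Core, constructed placeholder certificate and key material, and the template name esp32_fleet_prov_template and thing-name prefix esp32dkc_ used in the setup steps below; the topic names and JSON field names (certificateOwnershipToken, thingName, parameters) are those of the AWS IoT fleet provisioning MQTT API, while the rejection message text is constructed.

```python
"""Simulated Fleet Provisioning by Claim handshake. Added example, not code from the
original page, Espressif or the AWS SDK. An in-memory broker stands in for AWS IoT
Core, certificate and key material are constructed placeholders, and the template
name and thing-name prefix are the ones the setup section below uses."""
import json
import secrets

TEMPLATE_NAME = "esp32_fleet_prov_template"
THING_PREFIX = "esp32dkc_"
CREATE_TOPIC = "$aws/certificates/create/json"
PROVISION_TOPIC = f"$aws/provisioning-templates/{TEMPLATE_NAME}/provision/json"
# Topic prefixes the claim policy lets the shared claim credential publish to.
CLAIM_ALLOWED = ("$aws/certificates/create/",
                 f"$aws/provisioning-templates/{TEMPLATE_NAME}/provision/")
SERVICE_ALLOWED = ("$aws/",)  # the service answers on reserved topics

class FakeBroker:
    """Synchronous pub/sub enforcing a per-publisher topic allow-list, as IoT Core would."""
    def __init__(self):
        self.handlers = {}

    def subscribe(self, topic, handler):
        self.handlers.setdefault(topic, []).append(handler)

    def publish(self, topic, payload, allowed_prefixes):
        if not any(topic.startswith(p) for p in allowed_prefixes):
            raise PermissionError(f"policy denies publish to {topic}")
        for handler in list(self.handlers.get(topic, [])):
            handler(topic, payload)

class ProvisioningService:
    """Service side: CreateKeysAndCertificate, then RegisterThing through the template."""
    def __init__(self, broker):
        self.broker = broker
        self.tokens = {}  # single-use ownership token -> certificateId
        self.things = {}  # thingName -> certificateId
        broker.subscribe(CREATE_TOPIC, self.on_create)
        broker.subscribe(PROVISION_TOPIC, self.on_provision)

    def on_create(self, topic, payload):
        cert_id, token = secrets.token_hex(8), secrets.token_urlsafe(24)
        self.tokens[token] = cert_id
        response = {"certificateId": cert_id, "certificateOwnershipToken": token,
                    "certificatePem": f"<constructed certificate {cert_id}>", "privateKey": "<constructed key>"}
        self.broker.publish(topic + "/accepted", json.dumps(response), SERVICE_ALLOWED)

    def on_provision(self, topic, payload):
        request = json.loads(payload)
        cert_id = self.tokens.pop(request.get("certificateOwnershipToken", ""), None)
        if cert_id is None:  # unknown or already-consumed token: reject, register nothing
            error = {"statusCode": 400, "errorCode": "InvalidCertificateOwnershipToken",
                     "errorMessage": "token unknown or already used (constructed message)"}
            self.broker.publish(topic + "/rejected", json.dumps(error), SERVICE_ALLOWED)
            return
        thing_name = THING_PREFIX + request["parameters"]["SerialNumber"]
        self.things[thing_name] = cert_id
        self.broker.publish(topic + "/accepted", json.dumps({"thingName": thing_name, "deviceConfiguration": {}}), SERVICE_ALLOWED)

class Device:
    """Device side: holds only the shared claim credential until provisioning completes."""
    def __init__(self, broker, serial):
        self.broker, self.serial = broker, serial
        self.credentials = self.thing_name = self.last_error = None
        broker.subscribe(CREATE_TOPIC + "/accepted", self.on_create_accepted)
        broker.subscribe(PROVISION_TOPIC + "/accepted", self.on_provision_accepted)
        broker.subscribe(PROVISION_TOPIC + "/rejected", self.on_provision_rejected)

    def provision(self):
        """Step 1: request a unique certificate using the claim credential."""
        self.broker.publish(CREATE_TOPIC, "{}", CLAIM_ALLOWED)
        return self.thing_name

    def register(self, token):
        """Step 2: register as a thing via the template, proving ownership with the token."""
        request = {"certificateOwnershipToken": token,
                   "parameters": {"SerialNumber": self.serial}}
        self.broker.publish(PROVISION_TOPIC, json.dumps(request), CLAIM_ALLOWED)

    def on_create_accepted(self, topic, payload):
        self.credentials = json.loads(payload)  # unique cert/key now held by the device
        self.register(self.credentials["certificateOwnershipToken"])

    def on_provision_accepted(self, topic, payload):
        self.thing_name = json.loads(payload)["thingName"]

    def on_provision_rejected(self, topic, payload):
        self.last_error = json.loads(payload)

def run_demo(serial="0001"):
    broker = FakeBroker()
    service = ProvisioningService(broker)
    device = Device(broker, serial)
    device.provision()
    return device, service

if __name__ == "__main__":
    dev, svc = run_demo()
    print("registered as", dev.thing_name, "with certificate", dev.credentials["certificateId"])
```

Two properties of the flow are worth checking when you build the real thing: the ownership token is single-use, so a replayed RegisterThing request with a consumed token is rejected and registers nothing, and the claim credential's allow-list confines it to the two provisioning topic families, which is what the claim policy in the setup section encodes.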
Provisioning setup
- Create a policy for the claim certificate
- Create a claim certificate & attach its policy
- Create a fleet policy
- Create provisioning template
Create a policy for the claim certificate
- Sign in to the AWS Management Console and open the AWS IoT console. In the left navigation pane, choose Secure, choose Policies, and then click Create.
- Enter a name for the AWS IoT policy (for example, esp32_claim_policy).
- In Add Statements, select Advanced Mode.
- Copy the "Policy for claim certificate" JSON shown below and replace <aws-region> and <aws-account-id> with your AWS region and account number.
- Provide a unique <templateName> (for example, esp32_fleet_prov_template). Note it down: it is needed again later, both in the console and on the device.
- Click Create.
Policy for claim certificate:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:<aws-region>:<aws-account-id>:topic/$aws/certificates/create/*",
        "arn:aws:iot:<aws-region>:<aws-account-id>:topic/$aws/provisioning-templates/<templateName>/provision/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": [
        "arn:aws:iot:<aws-region>:<aws-account-id>:topicfilter/$aws/certificates/create/*",
        "arn:aws:iot:<aws-region>:<aws-account-id>:topicfilter/$aws/provisioning-templates/<templateName>/provision/*"
      ]
    }
  ]
}
Create a claim certificate & attach its policy
- Open the AWS IoT console. In the left navigation pane, choose Secure, choose Certificates, and then click Create.
- Choose One-click certificate creation (recommended) – Create certificate.
- From the Certificate created! page, download the client certificate files, public key, private key, and Amazon Root CA (Amazon Root CA 1) certificate to a secure location.
- Choose Activate to activate the client certificate now.
- Choose Attach policy, search for the policy created in the earlier section (esp32_claim_policy), and choose Done.
Create a fleet policy
- Open the AWS IoT console. In the left navigation pane, choose Secure, choose Policies, and then click Create.
- Enter a name for the AWS IoT policy (for example, esp32_fleet_policy).
- In Add Statements, select Advanced Mode.
- Copy the "Policy for the fleet" JSON shown below and replace <aws-region> and <aws-account-id> with your AWS region and account number.
Policy for the fleet:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:<aws-region>:<aws-account-id>:*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:<aws-region>:<aws-account-id>:*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:<aws-region>:<aws-account-id>:*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:<aws-region>:<aws-account-id>:*"
    }
  ]
}
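The claim policy and the fleet policy above, rendered from the page's placeholders and audited for scope. This is an added example, not code from the original page, Espressif or AWS. It assumes the page's placeholder names (<aws-region>, <aws-account-id>, <templateName>); the region, account id and the per-thing topic layout used for the fleet audit are constructed sample values, and ${iot:Connection.Thing.ThingName} is an AWS IoT policy variable resolved at connect time.

```python
"""Render and audit the claim and fleet policies from this page. Added example, not code
from the original page, Espressif or AWS. Placeholder names are the page's; the sample
region, account id and per-thing topic layout are constructed."""
import json
import re

CLAIM_POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"], "Resource": [
      "arn:aws:iot:<aws-region>:<aws-account-id>:topic/$aws/certificates/create/*",
      "arn:aws:iot:<aws-region>:<aws-account-id>:topic/$aws/provisioning-templates/<templateName>/provision/*"]},
    {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": [
      "arn:aws:iot:<aws-region>:<aws-account-id>:topicfilter/$aws/certificates/create/*",
      "arn:aws:iot:<aws-region>:<aws-account-id>:topicfilter/$aws/provisioning-templates/<templateName>/provision/*"]}
  ]
}"""

FLEET_POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect", "Resource": "arn:aws:iot:<aws-region>:<aws-account-id>:*"},
    {"Effect": "Allow", "Action": "iot:Publish", "Resource": "arn:aws:iot:<aws-region>:<aws-account-id>:*"},
    {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": "arn:aws:iot:<aws-region>:<aws-account-id>:*"},
    {"Effect": "Allow", "Action": "iot:Receive", "Resource": "arn:aws:iot:<aws-region>:<aws-account-id>:*"}
  ]
}"""

# Constructed sample values; replace with your own region, account id and template name.
SAMPLE_VALUES = {"aws-region": "us-east-1", "aws-account-id": "123456789012",
                 "templateName": "esp32_fleet_prov_template"}

# Data-plane actions whose resources decide what a credential can actually read or write.
DATA_ACTIONS = {"iot:Publish", "iot:Receive", "iot:Subscribe"}


def missing_placeholders(template_json, values):
    """Placeholders still present after substitution (a common copy-paste slip)."""
    rendered = template_json
    for key, val in values.items():
        rendered = rendered.replace(f"<{key}>", val)
    return sorted(set(re.findall(r"<[A-Za-z-]+>", rendered)))


def render_policy(template_json, values):
    """Substitute <placeholder> tokens and parse; refuse a policy with placeholders left in."""
    left = missing_placeholders(template_json, values)
    if left:
        raise ValueError(f"unsubstituted placeholders: {left}")
    for key, val in values.items():
        template_json = template_json.replace(f"<{key}>", val)
    return json.loads(template_json)


def provisioning_prefixes(region, account, template_name):
    """Resource ARN prefixes the claim credential legitimately needs for the handshake."""
    base = f"arn:aws:iot:{region}:{account}:"
    return [base + "topic/$aws/certificates/create/",
            base + f"topic/$aws/provisioning-templates/{template_name}/provision/",
            base + "topicfilter/$aws/certificates/create/",
            base + f"topicfilter/$aws/provisioning-templates/{template_name}/provision/"]


def thing_scoped_prefixes(region, account):
    """Assumed per-thing layout: a provisioned thing may only use topics under its own name."""
    base = f"arn:aws:iot:{region}:{account}:"
    return [base + "topic/${iot:Connection.Thing.ThingName}/",
            base + "topicfilter/${iot:Connection.Thing.ThingName}/"]


def audit_data_plane(policy, allowed_prefixes):
    """List every Allow grant of a data-plane action whose resource is outside the allowed prefixes."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            if action not in DATA_ACTIONS:
                continue
            for res in resources:
                if not any(res.startswith(p) for p in allowed_prefixes):
                    findings.append(f"{action} on {res} exceeds the allowed scope")
    return findings


if __name__ == "__main__":
    v = SAMPLE_VALUES
    claim = render_policy(CLAIM_POLICY_TEMPLATE, v)
    fleet = render_policy(FLEET_POLICY_TEMPLATE, v)
    print("claim policy:", audit_data_plane(claim, provisioning_prefixes(v["aws-region"], v["aws-account-id"], v["templateName"])) or "scoped to provisioning topics")
    print("fleet policy:", audit_data_plane(fleet, thing_scoped_prefixes(v["aws-region"], v["aws-account-id"])))
```

Run against the page's own JSON, the claim policy comes back clean: apart from iot:Connect, it reaches only the certificate-creation and provisioning-template topics, which is the least privilege the shared claim credential needs. The fleet policy as given grants Publish, Subscribe and Receive on the whole account namespace, which is convenient for a first run but means every provisioned device can publish and subscribe anywhere; scoping its resources per thing with ${iot:Connection.Thing.ThingName}, as the audit's allowed prefixes assume, is the usual tightening.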
Create a Fleet Provisioning Template
- Open the AWS IoT console. In the left navigation pane, choose Connect, choose Fleet provisioning templates, and then click Create.
- Click Get Started.
- In the Create your template page:
  - Enter the template name used in the earlier section (esp32_fleet_prov_template) and a description.
  - In the Provisioning Role section, click Create Role, then provide a name for the provisioning role (for example, esp32_fleet_prov_role).
  - Under Optional Settings, check the Use the AWS IoT registry to manage your device fleet option.
  - Click Next.
- In the Define AWS IoT policies page:
  - Select Use an existing AWS IoT policy.
  - In Search policies, enter the fleet policy name (esp32_fleet_policy) created in the previous section.
  - Click Next.
- In the Define AWS IoT registry settings page:
  - Add a Thing name prefix (for example, esp32dkc_).
  - (Optional) In Select a group, add a group name (for example, esp32dkc_group), and then click Create thing group.
  - Click Create template.
- In the Give certificates or users permission to provision devices page:
  - In Use provisioning claim, select Use a certificate previously generated by AWS IoT.
  - Select the claim certificate created in the earlier section.
  - Note: Don’t click Attach Policy, as the policy has already been attached in a previous section. Otherwise, the certificate will have a duplicate policy attached.
  - Click Enable template.
  - Click Close.