Azure IoT Hub - Generating the SAS Token connection string
IoT devices identify themselves by presenting credentials when they connect to an IoT hub. Unique credentials are burned into each IoT device.
The simplest way to prototype IoT Hub connected devices is to use Shared Access Signature Tokens. SAS Tokens are created by signing configuration information with the device's symmetric key that was generated when the device was provisioned in the IoT hub. There are several different ways to manage device credentials on the device itself.
- Embed the Symmetric key in the device and have the device generate the token. This has the advantage of letting the device refresh its tokens. It has the disadvantage that the symmetric key has been installed on a device that you can lose control of.
- Embed the SAS Token directly in your device if the device does not have a library to generate them. This has the advantage of not needing the signing library. It has the disadvantage that the token's fixed expiration date is a hard-coded future death date for the device.
- Embed credentials to some other service that generates SAS tokens. The IoT device requests new tokens as they expire. This has the disadvantage that you must have a second set of credentials and credentials service. It has the advantage that IoT Hub secrets are not permanently installed in the device.
Portal Workflow for prototyping
The Azure Portal GUI does not provide a UI for IoT device SAS Token generation. The Azure IoT Explorer (pre-release) app does provide a UI to generate SAS tokens.
The UI workflow for creating IoT Hub devices and their associated SAS tokens is as follows:
- Create an IoT Hub in the Azure Portal
- Create a Device in the IoT Hub in the Azure Portal
- Find the IoT Hub admin connection string and credentials in Azure Portal
- Generate IoT SAS token using Azure IoT Explorer specifying the expiry time in the number of minutes since the epoch.
- Embed that SAS token in your IoT device - not shown above.
Video
Open IoT Hub in the Azure Portal
Start the Create IoT Hub wizard
Create an IoT Hub in the Azure Portal
Enter a hub name and resource group
Make sure the device can reach the IoT Hub
Pick the Tier
Shared Access Policy + RBAC
Make it so!
Open the IoT Hub in the Azure Portal
Create a Device in the IoT Hub
Symmetric Keys are the simplest
Examine the newly created Device
Credentials and keys
Find the Hub's credentials for CLI or Explorer
Shared Access Policies
Credential string for this role for this hub
Expose connection string used to manipulate the hub
Generate SAS Token using Azure IoT Explorer
Connect to the IoT Hub using the connection String
Navigate to the Device
Select the Device
Generate the Connection string with embedded SAS Token
SAS - From the Docs
- {signature}: An HMAC-SHA256 signature string. For individual enrollments, this signature is produced by using the symmetric key (primary or secondary) to perform the hash. For enrollment groups, a key derived from the enrollment group key is used to perform the hash. The hash is performed on a message of the form: URL-encoded-resourceURI + "\n" + expiry. Important: The key must be decoded from base64 before being used to perform the HMAC-SHA256 computation. Also, the signature result must be URL-encoded.
- {resourceURI}: URI of the registration endpoint that can be accessed with this token, starting with scope ID for the Device Provisioning Service instance. For example, {Scope ID}/registrations/{Registration ID}
- {expiry}: UTF8 strings for number of seconds since the epoch 00:00:00 UTC on 1 January 1970.
- {URL-encoded-resourceURI}: Lower case URL-encoding of the lower case resource URI
- {policyName}: The name of the shared access policy to which this token refers. The policy name used when provisioning with symmetric key attestation is registration.
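The signing recipe quoted from the docs, carried through in code, as an added example that is not part of the original post or of the Azure SDK: it builds the token the Azure IoT Explorer step above produces (`sr` + `sig` + `se`, with an optional `skn`), wraps it in the device connection string from the last screenshot, and adds a verifier that recomputes the HMAC and checks the expiry so you can see what the hub is doing when it rejects a stale or mis-signed token. The hub host, device ID and key are constructed sample values; `lowercase_uri` is an assumption added so the same function serves the lower-cased DPS registration URI the docs describe and an IoT Hub device URI, where the device ID is kept as written.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import quote, unquote

# Constructed sample values: not a real hub, device or key.
HUB_HOST = "example-hub.azure-devices.net"
DEVICE_ID = "dev01"
DEVICE_KEY_B64 = base64.b64encode(b"constructed-32-byte-example-key!").decode("ascii")


def sign(key_b64: str, encoded_uri: str, expiry: int) -> str:
    """HMAC-SHA256 over '<URL-encoded-resourceURI>\\n<expiry>' using the
    base64-DECODED key, as the docs require; returns the base64 signature."""
    key = base64.b64decode(key_b64)
    message = f"{encoded_uri}\n{expiry}".encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def generate_sas_token(resource_uri: str, key_b64: str, expiry: int,
                       policy_name: Optional[str] = None,
                       lowercase_uri: bool = False) -> str:
    """Build 'SharedAccessSignature sr=...&sig=...&se=...[&skn=...]'.
    lowercase_uri=True matches the DPS rule quoted above (lower-case URI);
    IoT Hub device URIs keep the device ID's case (assumption, see lead-in)."""
    uri = resource_uri.lower() if lowercase_uri else resource_uri
    encoded_uri = quote(uri, safe="")            # '/' becomes %2F
    signature = sign(key_b64, encoded_uri, expiry)
    token = (f"SharedAccessSignature sr={encoded_uri}"
             f"&sig={quote(signature, safe='')}&se={expiry}")
    if policy_name:
        token += f"&skn={policy_name}"
    return token


def parse_sas_token(token: str) -> dict:
    """Split the token into its fields; values stay URL-encoded."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SharedAccessSignature token")
    fields = {}
    for part in token[len(prefix):].split("&"):
        name, _, value = part.partition("=")
        fields[name] = value
    return fields


def verify_sas_token(token: str, key_b64: str, now: Optional[int] = None) -> bool:
    """What the hub does on connect: reject expired tokens, then recompute the
    signature over the presented sr/se and compare it in constant time."""
    try:
        fields = parse_sas_token(token)
        expiry = int(fields["se"])
        presented_sig = unquote(fields["sig"])
        encoded_uri = fields["sr"]
    except (ValueError, KeyError):
        return False
    now = int(time.time()) if now is None else now
    if expiry <= now:
        return False
    expected_sig = sign(key_b64, encoded_uri, expiry)
    return hmac.compare_digest(expected_sig, presented_sig)


def device_connection_string(hub_host: str, device_id: str, token: str) -> str:
    """The connection-string form the device SDKs accept (the last screenshot)."""
    return f"HostName={hub_host};DeviceId={device_id};SharedAccessSignature={token}"


if __name__ == "__main__":
    # One-hour token for the constructed device.
    expires = int(time.time()) + 3600
    tok = generate_sas_token(f"{HUB_HOST}/devices/{DEVICE_ID}", DEVICE_KEY_B64, expires)
    print(device_connection_string(HUB_HOST, DEVICE_ID, tok))
    print("verifies:", verify_sas_token(tok, DEVICE_KEY_B64))
```

Two things worth checking against a token produced by Azure IoT Explorer: the `sr` value must be URL-encoded before it is signed (signing the raw URI gives a signature the hub will not accept), and `se` is absolute seconds since the epoch, so a token generated with the device's clock far off will be rejected as already expired.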