Azure IoT Hub - Generating the SAS Token connection string

IoT devices identify themselves by presenting credentials when they connect to an IoT hub.  Unique credentials are burned into each IoT device.

The simplest way to prototype IoT Hub connected devices is to use Shared Access Signature Tokens.  SAS Tokens are created by signing configuration information with the device's symmetric key that was generated when the device was provisioned in the IoT hub. There are several different ways to manage device credentials on the device itself.

  1. Embed the Symmetric key in the device and have the device generate the token. This has the advantage of letting the device refresh its tokens. It has the disadvantage that the symmetric key has been installed on a device that you can lose control of.
  2. Embed the SAS Token directly in your device if the device does not have a library to generate them. This has the advantage of not needing the signing library. It has the disadvantage that the token's fixed expiration date hard-codes a future death date into the device.
  3. Embed credentials to some other service that generates SAS tokens.  The IoT device requests new tokens as they expire.  This has the disadvantage that you must have a second set of credentials and credentials service.  It has the advantage that IoT Hub secrets are not permanently installed in the device.

Embedding a long-lived token may be the simplest way to prototype on some devices.

Portal Workflow for prototyping.

The Azure Portal GUI does not provide a UI for IoT device SAS Token generation. The Azure IoT Explorer (pre-release) app does provide a UI to generate SAS tokens.

The UI workflow for creating IoT Hub devices and their associated SAS tokens is as follows:

  1. Create an IoT Hub in the Azure Portal
  2. Create a Device in the IoT Hub in the Azure Portal
  3. Find the IoT Hub admin connection string and credentials in Azure Portal
  4. Generate IoT SAS token using Azure IoT Explorer specifying the expiry time in the number of minutes since the epoch.
  5. Embed that SAS token in your IoT device - not shown above.

Azure CLI tools and Azure SDKs can also generate SAS Tokens. They may be better suited when provisioning multiple devices.


Open IoT Hub in the Azure Portal

The next couple of sections walk you through that workflow.

Start the Create IoT Hub wizard

Create an IoT Hub in the Azure Portal

Enter a hub name and resource group

Make sure the device can reach the IoT Hub

Pick the Tier 

Shared Access Policy + RBAC

Make it so!

Open the IoT Hub in the Azure Portal

Create a Device in the IoT Hub

Symmetric Keys are the simplest

Examine the newly created Device

Credentials and keys

Find the Hub's credentials for CLI or Explorer

Shared Access Policies

Credential string for this role for this hub

Expose connection string used to manipulate the hub

Generate SAS Token using Azure IoT Explorer

Connect to the IoT Hub using the connection string

Navigate to the Device

Select the Device

Generate the Connection string with embedded SAS Token

SAS - From the Docs

Microsoft describes symmetric key attestation as having the following form:

SharedAccessSignature sig={signature}&se={expiry}&skn={policyName}&sr={URL-encoded-resourceURI}

Here are the components of each token:
  • {signature}
    An HMAC-SHA256 signature string. For individual enrollments, this signature is produced by using the symmetric key (primary or secondary) to perform the hash. For enrollment groups, a key derived from the enrollment group key is used to perform the hash. The hash is performed on a message of the form: URL-encoded-resourceURI + "\n" + expiry. Important: The key must be decoded from base64 before being used to perform the HMAC-SHA256 computation. Also, the signature result must be URL-encoded.
  • {resourceURI}
    URI of the registration endpoint that can be accessed with this token, starting with scope ID for the Device Provisioning Service instance. For example, {Scope ID}/registrations/{Registration ID}
  • {expiry}
    UTF8 strings for number of seconds since the epoch 00:00:00 UTC on 1 January 1970.
  • {URL-encoded-resourceURI}
    Lower case URL-encoding of the lower case resource URI
  • {policyName}
    The name of the shared access policy to which this token refers. The policy name used when provisioning with symmetric key attestation is registration.
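
The signing rule above, written out as an added Python example (standard library only; this is not code from the original post or from Microsoft). The key, scope ID and registration ID are constructed sample values, and `verify_sas_token` is a hypothetical local check that recomputes the signature, not the service's own validation logic.

```python
import base64
import hashlib
import hmac
import time
import urllib.parse

# Constructed sample values, not real credentials or a real scope ID.
SAMPLE_KEY_B64 = base64.b64encode(b"constructed-sample-key-not-real!").decode()
SAMPLE_RESOURCE_URI = "0ne00000000/registrations/device-001"


def _signature(encoded_uri, expiry, key_b64):
    """Base64 HMAC-SHA256 over URL-encoded-resourceURI, a newline, then expiry."""
    key = base64.b64decode(key_b64)  # the key is stored as base64; decode it first
    message = f"{encoded_uri}\n{expiry}".encode("utf-8")
    return base64.b64encode(hmac.new(key, message, hashlib.sha256).digest()).decode()


def generate_sas_token(resource_uri, key_b64, policy_name, expiry):
    """Build a token in the form quoted above; expiry is seconds since the epoch."""
    # Lower-case the URI, then lower-case the percent-escapes ("/" becomes "%2f").
    encoded_uri = urllib.parse.quote(resource_uri.lower(), safe="").lower()
    # The base64 signature contains "+", "/" and "=", so it is URL-encoded too.
    sig = urllib.parse.quote(_signature(encoded_uri, expiry, key_b64), safe="")
    return f"SharedAccessSignature sig={sig}&se={expiry}&skn={policy_name}&sr={encoded_uri}"


def verify_sas_token(token, key_b64, now=None):
    """Recompute the signature locally; reject expired or altered tokens."""
    scheme, _, fields = token.partition(" ")
    parts = dict(p.split("=", 1) for p in fields.split("&") if "=" in p)
    if scheme != "SharedAccessSignature" or not {"sig", "se", "sr"} <= parts.keys():
        return False
    now = time.time() if now is None else now
    if not parts["se"].isdecimal() or int(parts["se"]) <= now:
        return False  # malformed expiry, or the token is past its expiry
    expected = _signature(parts["sr"], parts["se"], key_b64)
    presented = urllib.parse.unquote(parts["sig"])
    # Constant-time comparison of the recomputed and presented signatures.
    return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    one_hour = int(time.time()) + 3600
    token = generate_sas_token(SAMPLE_RESOURCE_URI, SAMPLE_KEY_B64, "registration", one_hour)
    print(token)
    print("valid:", verify_sas_token(token, SAMPLE_KEY_B64))
```

Because the expiry is part of the signed message, editing `se` in an embedded token to extend its life invalidates the signature; a new token has to be signed with the key.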

Other Methods

Certificates and trust enclaves can be used where a higher level of security is required. Unique certificates are burned into each device.  Those certificates are registered/paired with device definitions. Secure enclaves make it harder to change the identity of the device.


Created 11/2021

