aws-samples / aws-iot-device-management-workshop Goto Github PK

Following the Create a job step of the IoT Jobs part of the workshop, there is a moment where the user is asked to run a daemon and open another terminal.

The next step after opening the terminal, is running Copy the job document to your S3 Bucket:

aws s3 cp job-document.json s3://$S3_BUCKET/

However, opening a new terminal, brings the user to the home directory, which is not containing the job-document.json file, giving the error on the command.

The solution is to put a note to repeat the cd ~/job-agent before that one.

After adding temperature and room number with command fleet-indexing.py -b bulky, the next step is to check whether this attributes have been actually added to things.

The command to do that is the following one:

aws iot search-index --query-string "thingName\:bulky*"

However, the backslash on the colon is wrong, the command should be:

aws iot search-index --query-string "thingName:bulky*"

A similar problem is present in the Connectivity indexing and Getting statistics on this command:

aws iot search-index --index-name "AWS_Things" --query-string "thingName\:bulkyXX"

should be:

aws iot search-index --index-name "AWS_Things" --query-string "thingName:bulkyXX"

and

aws iot get-statistics --query-string "connectivity.connected\:true"

should be:

aws iot get-statistics --query-string "connectivity.connected:true"

I am trying to connect to IoT using job-agent.py script. It is running fine on my MacBook as a IoT thing but it is throwing error on my Raspberry Pi as a thing. Can you help me out with this?

Error:

Traceback (most recent call last):
File "/home/pi/ruxin/jobAgent.py", line 194, in
myAWSIoTMQTTClient.connect()
File "/home/pi/.local/lib/python3.5/site-packages/AWSIoTPythonSDK/MQTTLib.py", line 513, in connect
return self._mqtt_core.connect(keepAliveIntervalSecond)
File "/home/pi/.local/lib/python3.5/site-packages/AWSIoTPythonSDK/core/protocol/mqtt_core.py", line 196, in connect
self.connect_async(keep_alive_sec, self._create_blocking_ack_callback(event))
File "/home/pi/.local/lib/python3.5/site-packages/AWSIoTPythonSDK/core/protocol/mqtt_core.py", line 223, in connect_async
raise e
File "/home/pi/.local/lib/python3.5/site-packages/AWSIoTPythonSDK/core/protocol/mqtt_core.py", line 211, in connect_async
rc = self._internal_async_client.connect(keep_alive_sec, ack_callback)
File "/home/pi/.local/lib/python3.5/site-packages/AWSIoTPythonSDK/core/protocol/internal/clients.py", line 122, in connect
rc = self._paho_client.connect(host, port, keep_alive_sec)
File "/home/pi/.local/lib/python3.5/site-packages/AWSIoTPythonSDK/core/protocol/paho/client.py", line 665, in connect
return self.reconnect()
File "/home/pi/.local/lib/python3.5/site-packages/AWSIoTPythonSDK/core/protocol/paho/client.py", line 826, in reconnect
ciphers=self._tls_ciphers)
File "/usr/lib/python3.5/ssl.py", line 1077, in wrap_socket
ciphers=ciphers)
File "/usr/lib/python3.5/ssl.py", line 760, in init
self.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 996, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 641, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:720)

In this link:
https://github.com/aws-samples/aws-iot-device-management-workshop/blob/master/AWS_IoT_Device_Management_Workshop.md#JITR

We followed it run
attach the provisioning template (stored in the variable $TB) to the CA certificate
aws iot update-ca-certificate --certificate-id $CA_CERTIFICATE_ID
--no-remove-auto-registration
--new-auto-registration-status ENABLE
--registration-config "{"templateBody": "$TB","roleArn": "$ARN_IOT_PROVISIONING_ROLE"}"

but the cli showed
An error occurred (InvalidRequestException) when calling the UpdateCACertificate operation: Invalid registration template. Neither policyName nor policyDocument is present in the Template.

How to solve it?

We are a security research team and we recently discovered that there is an over-authorization security issue with this project's IoT policy.
The affected file is as following:

1. aws-iot-device-management-workshop/cfn/cfn-iot-dm-w.json

In the AWS IoT Core settings -> Enable logging part of the workshop, there is a sentence asking to prepare an ARN to enable loggin. The sentence is the following one:

The role arn looks similar to arn\:aws\:iam::AWS_ACCOUNT_ID\:role/DeviceManagementWorkshop-MiscResour-IoTServiceRole--UNIQUE_STRING

However, the backslashes are misleading, they should be removed, resulting in:

The role arn looks similar to arn:aws:iam::AWS_ACCOUNT_ID:role/DeviceManagementWorkshop-MiscResour-IoTServiceRole--UNIQUE_STRING

In the saving certificate command of this section, there is a syntax error on this command:

echo -e [CERTIFICATE_PEM] > $THING_NAME.crt

It should be:

echo -e '[CERTIFICATE_PEM]' > $THING_NAME.crt

Missing quotes creates a wrong pem format, not recognized in the mosquitto_pub command.

On an EC2 instance launched from the cloudformation template in this workshop:

[ec2-user@ip-192-168-128-67 ~]$ mosquitto_pub --cafile ~/root.ca.bundle.pem   --cert $THING_NAME.certificate.pem   --key $THING_NAME.private.key -h $IOT_ENDPOINT -p 8883   -q 0 -t iot/ws -i $THING_NAME --tls-version tlsv1.2   -m "{\"prov\": \"first\", \"date\": \"$(date)\"}" -d
-bash: mosquitto_pub: command not found
[ec2-user@ip-192-168-128-67 ~]$ mosquitto_pub
-bash: mosquitto_pub: command not found
[ec2-user@ip-192-168-128-67 ~]$ sudo yum -y install mosquitto-clients
Loaded plugins: priorities, update-motd, upgrade-helper
No package mosquitto-clients available.
Error: Nothing to do
[ec2-user@ip-192-168-128-67 ~]$