How to authenticate IoT Central devices with other Azure services? (example: download OTA bin) - azure

In the reference architectures for IoT Hub/Central you can easily see how the SAS or X.509 cert is used for device authentication. As an example, look at this MXChip OTA example (my notes in pink).
Reference article: Azure MXChip IoT DevKit Firmware OTA (Over-the-Air)
When we extend out to other Azure services, can you leverage this authentication for other actions, such as downloading files for OTA?
The only approach I can come up with is either:
a) have the download endpoint be secure through obscurity (not great).
b) introduce a shim service and implement an additional authentication layer there.
A seems bad. B seems like a waste. I feel like I'm missing an option C or lack the right info on the Azure way for this one.
Thanks!

The following are the steps for a device to download a file from an Azure Storage blob container using the IoT Central app:
1. Configure your IoT Central app for device file upload.
2. Upload the blob that the device will download to the configured storage blob container (in my example: container=iotc, deviceId=device123, blobname=test.json).
3. Generate a device connection string, hostname and sasToken for your IoT Central app; see more implementation details here.
4. Based on the response from step 3, use the REST POST request to the underlying IoT Hub of your IoT Central app for a specific blob reference, such as:
{
"correlationId":"****",
"hostName":"****.blob.core.windows.net",
"containerName":"iotc",
"blobName":"device123/test.json",
"sasToken":"?sv=2018-03-28&sr=b&sig=****&se=2021-01-20T10%3A26%3A59Z&sp=rw"
}
5. Based on the response from step 4, download the blob using the REST GET request; see the following example:
https://****.blob.core.windows.net/iotc/device123/test.json?sv=2018-03-28&sr=b&sig=****&se=2021-01-20T10%3A26%3A59Z&sp=rw
6. Notify the underlying IoT Hub of your IoT Central app that the device has finished the download process; see the REST POST request. Note that you will have received the correlationId in step 4.
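The steps above as a device-side flow in Python, written as an added example (not code from the post or from the Azure SDKs). The IoT Hub device REST paths and api-version, the notification body fields and the sample response values are assumptions; the check that the returned SAS is scoped to a single blob and has not expired is added so the device only follows the grant the hub intended.

```python
import json
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Assumed IoT Hub device REST API version and paths (not taken from the post).
API_VERSION = "2020-03-13"

def sas_uri_request(hub_host, device_id, device_sas, blob_name):
    """Step 4: the POST asking the underlying IoT Hub for a blob SAS.
    device_sas is the device's own SAS token from step 3 (Authorization header)."""
    url = f"https://{hub_host}/devices/{device_id}/files?api-version={API_VERSION}"
    headers = {"Authorization": device_sas, "Content-Type": "application/json"}
    return url, headers, json.dumps({"blobName": blob_name})

def parse_utc(s):
    """Parse an Azure SAS 'se' expiry such as 2021-01-20T10:26:59Z as UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sas_is_usable(resp, now):
    """Before the GET: accept only a SAS scoped to one blob (sr=b) that has not
    expired (se), so the device never follows a broader or stale grant."""
    q = parse_qs(resp["sasToken"].lstrip("?"))
    return q.get("sr") == ["b"] and now < parse_utc(q["se"][0])

def download_url(resp):
    """Step 5: assemble the blob GET URL from the step-4 response."""
    return (f"https://{resp['hostName']}/{resp['containerName']}/"
            f"{resp['blobName']}{resp['sasToken']}")

def notification_request(hub_host, device_id, device_sas, correlation_id, ok):
    """Step 6: tell IoT Hub the download finished, echoing the step-4 correlationId."""
    url = (f"https://{hub_host}/devices/{device_id}/files/notifications"
           f"?api-version={API_VERSION}")
    headers = {"Authorization": device_sas, "Content-Type": "application/json"}
    body = json.dumps({"correlationId": correlation_id, "isSuccess": ok,
                       "statusCode": 200 if ok else 500,
                       "statusDescription": "download ok" if ok else "download failed"})
    return url, headers, body

# Constructed sample of a step-4 response, with the same masked values as the post.
SAMPLE_RESPONSE = {
    "correlationId": "****",
    "hostName": "****.blob.core.windows.net",
    "containerName": "iotc",
    "blobName": "device123/test.json",
    "sasToken": "?sv=2018-03-28&sr=b&sig=****&se=2021-01-20T10%3A26%3A59Z&sp=rw",
}
```

The functions only build the requests; send them with any HTTP client and feed the step-4 JSON into sas_is_usable before calling download_url.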

With regard to my original question about using the authenticated device session to access other Azure services, both in general and specifically for the purpose of downloading files for OTA: this is not possible.
You either need to implement an additional authentication mechanism and your own service, use the service specific SDK in your application or for the case of Blob Storage with firmware updates, use a publicly available download point.
Note: The answer from Roman shows how to upload and access an uploaded file. It may help some who will end up here.

Related

How to transfer > 8K sensitive binary information to Azure IoT Device

How can an IoT device which connects to an IoT Hub using the Azure IoT Hub SDK retrieve larger amounts of sensitive data which is part of the device configuration?
I know I can use Device Twins as configuration documents per device, but those are limited to 8K in total.
I need larger amounts of data in binary format to be transferred to the device when a device, for example, gets reset to factory defaults or somehow loses its local storage as part of a hardware fault.
I was thinking about using a D2C method triggering a request which results in a series of C2D or direct method calls to the requesting device transmitting the information in question (basically mimicking request/response behavior). However, this feels like a workaround.
My other thought was about transmitting URLs to a storage account as part of the device twin properties, allowing the device to download the binary information using the Storage SDK; however, given the sensitive nature of the information downloaded, I can't directly expose this information to the internet using a publicly accessible container in Azure Storage.
So my last thought was to access a REST API which controls access to the information. However, my concern is that I break out of the secure communication channel the IoT Hub SDK provides with its built-in communication methods, and I have to secure the communication between the device and the REST API using some kind of rotating secret anyway, which could expose other risks along with a complicated custom implementation.
What is the suggested way of providing access to this kind of device-specific data for Azure IoT clients?
I recommend using a new feature (still in preview) of Azure IoT Hub: Device Streams.
You can test this new preview feature using my updated tool Azure IoT Hub Tester (see Appendix A2)

How should I link a backend solution to an IoT Hub

So, I am working on an IoT solution on Azure. We have been using a partner solution where we had the partner's devices linked to their cloud solution, which exposes the data to us via REST services. Right now we want to have our own IoT cloud solution on Azure.
At first, I am planning to build a bridge between our IoT solution and the partner's cloud solution via its REST services that will link to our IoT Hub in order to ingest the data into our cloud.
Also, the data will not be only telemetry data; we'll have to send commands to those devices as well.
My question: I would like to know what would be the appropriate technology/solution to use as a gateway (Data Grid, Azure Function, Azure WebJob).
The numbers in the picture represent the steps that I am considering to tackle this problem.
1- First we are implementing an application gateway that will have to get the data from the partner's system and send commands to their system. It will allow us to first build the other components of our system and make sure that it can handle what is in place right now.
2- Second, the partner's devices will connect directly to a device gateway that is connected to our IoT Hub. In this case, we will not be using the gateway made in 1 anymore.
3- Finally, we will have our own devices connected to our IoT Hub; the partner's devices will always be connected to our IoT Hub via the gateway built in 2.
Let me try to answer your questions in the order you have asked.
For the application gateway, where you are trying to pull data through REST, you can use Azure Functions and then use Cosmos DB or any storage to save the data. I see that after getting device data from the partner network you are routing it to IoT Hub (I would not say it is incorrect); however, once we pull data through REST, we can put it directly into a DB. So my answer is to use Azure Functions to pull data from the partner solution and put it into a DB.
If the partner device is capable of running the Azure IoT SDKs or can be provisioned to send data to IoT Hub directly, this will ease a lot of things and you would be able to send D2C and C2D messages easily. Further, here you can route data to a DB by using configuration from IoT Hub.
For your devices you can use IoT Hub directly or can use Azure IoT Edge (device gateway, as you pointed out); both are fine, depending on the use case and also on whether you want to do some edge computation or analytics on the device side. And one important suggestion: use Azure Functions wherever you find that you have to integrate device data through REST. It is the most cost effective in such scenarios.
Let me know if it clears your doubts.
After some time working on the subject, I did implement an Azure Function app for the following reasons:
Supports continuous deployment and integration: even though Azure Functions is a serverless architecture, it still supports continuous deployment and continuous integration.
Capabilities for implementing code: being event-driven, the application platform has capabilities to implement code triggered by events occurring in any third-party service or on-premises system.
Compute on demand: this delivery model ensures that computing resources are available to the users as per their demand.
I have also used Azure Table Storage as database storage technology.

How to send events to a device in Azure IoT Hub using shared key for authentication

Is there a way to send data to a device in Azure IoT Hub using a shared key without first generating a SAS token? The reason I am trying to do this is because I want to send events via a web hook without writing code for it. The device is connected to our system and we're trying to use our web hooks functionality, which can relay an event to an HTTP endpoint with preconfigured headers and format but can't execute the code to get a temporary SAS token.
Alternatively can I make a SAS token that never expires?
Ended up using Azure IoT Central + the Azure IoT Central Bridge. The IoT Bridge is an Azure Function where you put some JS code to convert your message to a format that IoT Central understands, and then it deals with the tokens and eventual device registration. This is not an exact answer to the question, since IoT Central is not exactly IoT Hub (it is a portal over it), but it turns out it works well enough for our case. Also, I think the codebase of the IoT Bridge can be used with IoT Hub if one wants to dig enough through it. Maybe this solution can serve someone else.

Which is the secure way of reading the data from the Azure IoT hub?

I am working on the Internet of Things. In one of my current projects I am reading the data from Azure IoT Hub in a Windows 10 UWP app, where I am passing my IoT Hub connection string to Azure while reading data (using the cloud-to-device concept).
Is it a secure/fine way or not to read data from a client app?
Thanks,
Pradeep
Yes. The library uses HTTPS; however, the contents of the message are not encrypted, so if you're super-sceptical, just encrypt it before sending.

Using Node.js for Azure Media Services/Handling Media Upload and Streaming

I am in the middle of developing services that will deal with media files (audio/video). These services are responsible for uploading and then streaming media files uploaded by clients (iOS, Android, but not limited to these devices/platforms).
We are using Node.js with MongoDB as the database. In the near future our services will be part of Azure. (Portions of our backend are already there in Azure.)
In that case I came across Azure Media Services. I know that it doesn't have any SDK to work with for Node.js, so my only option here is to use the REST service from Azure Media Services.
My questions are:
1) What's the correct approach adopted in this scenario by developers already handling this scenario? I am open to approaches/practices here and to changing what I am planning to do currently.
2) If I use Azure Media Services, how would my client call my services (Node.js), which act as a proxy for calling the REST services of Azure Media Services? How will this exactly work, and will I have the file in hand in my proxy to re-upload? Or will I internally direct my services so that they upload to Media Services internally?
3) How are these media files uploaded in Media Services related to a record in MongoDB? For example, a record can have multiple media files.
I appreciate any pointers/explanations here.
Thanks,
To properly answer your question there are a few questions that need to be answered.
1. What functionality are you going to provide on top of Azure Media Services? From your question it seems that the main goal is to let users upload assets and then to have the ability to stream the uploaded content.
For this purpose you need to have the following steps implemented in Node.js:
Create asset and asset file records in Azure Media Services (WAMS) by calling the REST API. http://msdn.microsoft.com/en-us/library/windowsazure/hh973617.aspx
Create an access policy and locator, which will give the URI of the blob storage where the file needs to be uploaded. WAMS REST API
Upload the file using Node.js to blob storage http://www.windowsazure.com/en-us/develop/nodejs/how-to-guides/blob-storage/
Create an encoding job which will encode your input into multi-bitrate MP4. WAMS REST API
Package your multi-bitrate MP4 to Smooth or HLS format, or utilize the dynamic packaging feature in WAMS. http://channel9.msdn.com/Series/Windows-Azure-Media-Services-Tutorials/Introduction-to-dynamic-packaging
Once you're ready to stream your content you need to give the user's client a playback URL pointing to the origin server. In order to do this you have to call the WAMS REST API and create an origin locator.
Assets expose ID and AlternativeID properties which you can use to map your metadata about content to WAMS assets and implement any additional content management logic.
You need to act as a proxy if you have some user-based authentication and don't want to dedicate a separate Azure Media account to one user. WAMS provides basic blocks for asset ingest, encoding, packaging, on-demand delivery and, in the near future, live streaming.
It can be used as a foundation for your CMS system, or you can act as a SaaS provider by adding additional authentication and authorization layers. Currently you can use third-party offerings http://www.ezdrm.com/ for playback DRM protection or your own license server http://msdn.microsoft.com/en-us/library/windowsazure/dn223278.aspx.
I have a small solution, but I think it will require some work from you; maybe you won't like it that much. How about working with Windows Azure Mobile Services? It supports adding NPM now. The reason that I am telling you to use Windows Azure Mobile Services is that it will help you connect to your clients whatever the application platform used.
http://weblogs.asp.net/scottgu/archive/2013/06/14/windows-azure-major-updates-for-mobile-backend-development.aspx
To integrate between .NET and Node.js you can start by using Edge.js or SignalR, I think.
http://www.infoq.com/articles/the_edge_of_net_and_node
http://www.asp.net/signalr
I just want to suggest an idea that might be helpful to work around the lack of support for Media Services in Node.js: use Blob storage for streaming. After all, Media Services is based on Blob storage, I think. Here is a link that will guide you with the usage of Blob storage.
http://www.windowsazure.com/en-us/develop/nodejs/how-to-guides/blob-storage/
Here is also a question posted before about how to stream from Blob storage using Node.js; I hope you find it beneficial.
How to stream a Windows Azure Blob to the client using Node.js?
Getting contents of a streaming Blob to be sent to a Node.js Server
Here is also another link that will help you to do so: "Geo-Protection for Video Blobs Using a Node.js Media Proxy"
http://msdn.microsoft.com/en-us/magazine/dn198240.aspx
Just wanted to make sure that you got the Windows Azure Node.js SDK; you might find some solutions that can help you with the development of your application.
https://github.com/WindowsAzure/azure-sdk-for-node
I hope my answer helps you; let me know if you need anything else.
I have more recent TypeScript-based samples now for the AMS v3 API using our latest JavaScript Node.js SDK here
https://github.com/Azure-Samples/media-services-v3-node-tutorials