Is there a way to send data to a device in Azure IoT Hub using a shared key without first generating a SAS token? The reason I am trying to do this is because I want to send events via a web hook without writing code for it. The device is connected to our system and we're trying to use our web hooks functionality which can relay an event to a HTTP endpoint with preconfigured headers and format but it can't execute the code to get a temporary SAS token.
Alternatively can I make a SAS token that never expires?
Ended up using Azure IoT Central + the Azure IoT Central Bridge. The IoT Bridge is an Azure function where you put some JS code to convert your message to a format that IoT Central understands and then it deals with the tokens and eventual device registration. This is not an exact answer to the question since IoT Central is not exactly IoT Hub (it is a portal over it) but it turns out it works well enough for our case. Also I think the codebase of the IoT Bridge can be used with the IoT Hub if one wants to dig enough through it. Maybe this solution can serve someone else.
Related
In the reference architectures for IOT Hub\Central you can easily see how the SAS or X509 Cert is used for device authentication. As an example, look at this MXChip OTA Example. (my notes in pink)
Reference Article: Azure MXChip IoT DevKit Firmware OTA (Over-the-Air)
When we extend out to other Azure Services, can you leverage this authentication for other actions such as downloading files for OTA.
The only approach I can come up with is either:
a) have the download endpoint be secure through obscurity (not great).
b) introduce a shim service and implement an additional authentication layer there.
A seems bad. B seems like a waste. I feel like I'm missing and option C or lack the right info on the Azure-way for this one.
Thanks!
The following are steps for a device download file from the Azure Storage blob container using the IoT Central App:
Configure your IoT Central App for Device file upload.
Upload to the configured storage blob container requested blob for its downloading by device (in my example: container=iotc, deviceId=device123, blobname=test.json)
Generate a device connection string, hostname and sasToken for your IoT Central App, see more implementation details here.
Based on the response from the step 3. use the REST POST request to the underlaying IoT Hub of your IoT Central App for a specific blob references, such as:
{
"correlationId":"****",
"hostName":"****.blob.core.windows.net",
"containerName":"iotc",
"blobName":"device123/test.json",
"sasToken":"?sv=2018-03-28&sr=b&sig=****&se=2021-01-20T10%3A26%3A59Z&sp=rw"
}
Based on the response from the step 4., download the blob using the REST GET request, see the following example:
https://****.blob.core.windows.net/iotc/device123/test.json?sv=2018-03-28&sr=b&sig=****&se=2021-01-20T10%3A26%3A59Z&sp=rw
Notify underlaying IoT Hub of your IoT Central App that the device ended the download process, see the REST POST request. Note, that the correlationId you will received in the step 4.
With regard to my original question about using the authenticated device session to access other Azure services, both in general and specifically for the purpose of downloading files for OTA. This is not possible.
You either need to implement an additional authentication mechanism and your own service, use the service specific SDK in your application or for the case of Blob Storage with firmware updates, use a publicly available download point.
Note: The answer from Roman shows how to upload and access an uploaded file. It may help some who will end up here.
I want to implement the following system.
There are users and each user will have an IoT device. The user should be able to do the following:
Login with their email and password.
Control the IoT device in real time (the user will perform some operation on the IoT device and the result will be displayed instantly on the app).
See the state of IoT device in real time. If something changes on the IoT device it should reflect on the app in real time.
I was wondering if this is doable using azure IoT Hub. I came across an architecture where the device is connected to IoT hub and the app is connected to signalR. The messages from IoT device will go to IoT Hub which will update the app using signalR.
But is there any way we can not have additional component like signalR? Can IoT device and mobile app be connected directly to azure IoT hub and exchange data between them without an entity in between other than IoT hub?
Connecting mobile app to IoT hub seems like an option but I did not find any way to implement email and password based authentication to allow users to connect to IoT hub.
Any help in this regard is appreciated.
You could absolutely go without SignalR. You can use the IoT Hub Service SDK to send C2D messages to your device from your phone, and also listen to the device telemetry with the same SDK.
However, it would probably be a better idea to have some restrictions on what you can do with that SDK. If the user first has to log in, I take it that they don't get access to every device in your application? Using some kind of role-based access might be preferable, you would build an API for that, which then uses the Service SDK to give you the data.
Also, even though you could listen to the device data directly from your phone, that means that if you have bad reception/wifi, data might not be received. You might want to consider storing it somewhere? I don't know the details about your application, but if you would then want to listen to events from that storage and send it to your app... SignalR might not be the worst idea.
"See the state of IoT device in real time. If something changes on the IoT device it should reflect on the app in real time."
For this EventGrid integration (https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-event-grid ) would help. For realtime telemetry as Matthijs said SignalR would be a better choice.If you are fine with some delay (say 10 sec) then Azure Time Series Insights can also be used.
How can an IoT device which connects to an IoT Hub using the Azure IoT Hub SDK retrieve larger amounts of sensitive data which is part of the device configuration?
I know i can use Device Twins as configuration documents per Device, but those are limited to 8K in total.
I need larger amounts of data in binary format to be transfered to the device when i a device - for example - gets reset to factory defaults or somehow loses it's local storage as part of a hardware fault.
I was thinking about using a D2C method triggering a request which results in a series of C2D or direct method calls to the requesting device transmitting the information in question (basically mimiking request/response behavior). However this feels like a workaround.
My other thought was about transmitting urls to a storage account as part of the device twin properties allowing the device to download the binary information using the Storage SDK, however given the sensitive nature of the information downloaded i can't directly expose this information to the internet using a public accessible container in Azure Storage.
So my last thought was to access a REST API which controls access to the information. However my concern is, that i break out of the secure communication channel, the IoT Hub SDK provides with it's build in communication methods and i have to secure the communication between device and the REST API using some kind of rotating secret anyway which could expose other risks along with a complicated custom implementation.
What is the suggested way of providing access to this kind of device-specific data for Azure IoT Clients?
I do recommend to use a new feature (still in the preview) of the Azure IoT Hub such as a Device Streams.
You can test this new preview feature using my updated tool Azure IoT Hub Tester (see Appendix A2)
So, I am working on an IoT solution on Azure, we have been using a partner solution where we had the partner's devices linked to his cloud solution that exposes the data to us Via REST services. Right now we want to have our own IoT Cloud Solution on Azure.
At first, I am planning to build a Bridge between our IoT Solution and the partner's cloud solution via its REST Services that will link to our IoT Hub in order to ingest the data to our cloud.
Also, the data will not be only telemetry data but we'll have to send commands as well to those devices.
My question: I would like to know what would be the appropriate technology/solution to use a gateway (Data Grid, Azure Function, Azure WebJob)
The numbers in the picture represent the step that I am considering to tackle this problem.
1- First we are implementing an Application gateway that will have to get the data from the partner's system and sending commands to their system. It will allow us to first build the other components of our system and make sure that it can handle what is in place right now.
2- Second, the partner's devices will connect directly to a device gateway that is connected to our IoT Hub. In this case, we will not be using the gateway made in 1 anymore.
3- Finally, we will have our own devices connected to our IoT Hub, the partner's devices will always be connected to our IoT Hub via the gateway built in 2.
Let me try to answer your questions in the order you have asked.
For application gateway, where you are trying to pull data through
REST, you can use Azure functions and then you use Cosmos DB or any
storage to save data. I see , after getting device data from Partner
network, you are routing it to IoT-Hub (I would not say, its
incorrect), however once we pull data through Rest, we can directly
put into DB. So my Answer is to use Azure functions to pull data
from Partner solutions and put into DB.
If partner device is capable of running Azure IoT sdks or can be
provisioned to send data to IoT Hub directly, this will ease lot of
things and you would be able to send D2C and C2D messages easily.
further, here you can route data to DB by using configuration from
IoT Hub.
For your devices you can use IoT Hub Directly or can use Azure
IoT Edge (device gateway as you pointed ), both are fine , depends
on use case and also if we want to do some edge computation or
analytics at device side. And one important suggestions, use Azure
functions where ever you find that you have to integrate devices
data through Rest. Most cost effective in such scenarios.
Let me know if it clears your doubts.
After some time working on the subject, I did implement an AZURE Function app for the following reasons :
Supports Continuous Deployment and Integration Even though Azure Functions is serverless architecture, it still supports Continuous Deployment and Continuous Integration
Capabilities for implementing code - Being event-driven, the application platform has capabilities to implement code triggered by events occurring in any third-party service or on-premise system.
Compute-on-demand: This delivery model ensures that computing resources are available to the users as per their demand.
I have also used Azure Table Storage as database storage technology.
I am currently thinking about a solution where an IoT device would have more than one possible endpoint to talk to. Like an API for some calls that do not concern telemetry or device twin data.
The connection to the IoT Hub can be secured very well (we will use certificates), and I want to awoid adding a different way of authentication to the architecture.
So my idea right now would be to have a back-end service generate device specific SAS tokens for my APIs, possibly on-demand if requested by the device.
The Cloud-to-device communications guidance mentions configuration data, so it feels like a good way to go. Would it be safe to write these tokens in the desired properties? Would it be safer to use the payload of a cloud-to-device-message? Or should it be done completely differently?
You can create a custom cloud service as a token service that uses an IoT Hub shared access policy with DeviceConnect permissions to create device-scoped tokens.
For more detailed information you can reference "Custom device authentication".