AWS Missing Authentication Token - rest

I am following this tutorial for connecting Raspberry Pi to AWS IoT using Node.js SDK. I see the following in vim ~/.aws/credentials
[default]
aws_access_key_id = SOMETHING
aws_secret_access_key = SOMETHINGELSE
When I enter the command aws iot describe-endpoint I get the following response:
{
"endpointAddress": "A34SXNTM6AT7XH.iot.us-west-2.amazonaws.com"
}
However when I browse to that URL: https://a34sxntm6at7xh.iot.us-west-2.amazonaws.com/
I get the following error:
Missing Authentication Token
Any idea what could be wrong and how could it be solved?
Here are the files in the ~/certs folder:
pi@raspberrypi:~/certs $ ls
certificate.pem.crt private.pem.key public.pem.key root-CA.pem

Mona,
Your custom endpoint responds to two protocols: MQTT and HTTPS. However, it does not serve any web content and thus does not work in the browser as a site URL. The "endpointAddress" you get from aws iot describe-endpoint will be plugged into your Node.js Device SDK that you're using in the Raspberry Pi example you linked (no https://).
You can also interface with device shadows using the HTTPS version of the endpoint by signing requests with AWS Signature version 4. More on that here: http://docs.aws.amazon.com/iot/latest/developerguide/thing-shadow-rest-api.html and here: http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html though you will likely get going faster by using the AWS CLI or AWS SDK to perform operations like this.
Ryan @ AWS

By default, the example programs will look in the current directory for your certificate and private key files, but you can also use the '-f' option to specify another directory if you want to. As for the 'Missing Authentication Token' message you noticed when trying to access the endpoint from your browser, you can safely ignore it.

If you use "TLS mutual authentication" you need to connect on port 8443, so in your example, it would be https://a34sxntm6at7xh.iot.us-west-2.amazonaws.com:8443/things/<thing_name>/shadow

Related

Access to read module twin data via Azure IoT Hub's APIs?

I'd like to be able to pull an IoT Edge device's module twin via an HTTPS GET request just like the Azure Portal does. In the portal, I see this firing...
https://my-hub.azure-devices.net/twins/my-device/modules/my-module?api-version=2020-09-30&_=164130947416
...and returning JSON. I'd like to do the same outside of the portal (like in Postman or something).
Obviously, by being logged in to the portal, I have credentials that permit that.
I've tried creating a Shared Access Signature and using it as a header like so...
"Authorization": "SharedAccessSignature sr=my-hub.azure-devices.net&sig=...
...but I get back ErrorCode:IotHubUnauthorizedAccess;Unauthorized
Am I missing something? Maybe a step where I use that SAS to get some additional credential or something?
Or maybe I can't create a SAS that works with any device-id?
In the end, I'd just like to be able to GET the reported properties for a module twin from any of my IoT Hub devices. No setting, no subscribing.
The API you're referring to is documented here. You're doing the right thing, but perhaps your method of creating a Shared Access Signature isn't working. One easy way to create a valid SAS token is by using the az cli command: az iot hub generate-sas-token -n <iot-hub-name>. By default it will create a token for the iothubowner policy, which should give you access to the module twin.
I used Postman, with the Authorization header as you mentioned to check the twin of my device $edgeHub module:
https://<my-iot-hub>.azure-devices.net/twins/<device-id>/modules/$edgeHub?api-version=2020-05-31-preview

Is there a way to use an http proxy for google-cloud-cpp?

I am using google-cloud-cpp (C++ API for Google Cloud Platform functions) to create/read/write to buckets. When I am working from within the organization's firewall, I have to use a proxy to be able to connect to google cloud.
I see that we can configure a proxy using the gcloud command line:
gcloud config set proxy/type http
gcloud config set proxy/address x.x.x.x
gcloud config set proxy/port
Can I do something similar when I use google-cloud-cpp?
If we look at the source code of the google-cloud-cpp library as found on GitHub, we seem to see that it is based on libcurl.
See:
https://github.com/googleapis/google-cloud-cpp/blob/master/google/cloud/storage/internal/curl_handle.cc
Following on from the comments by @Travis Webb, we then look at the docs for libcurl and find:
https://curl.haxx.se/libcurl/c/CURLOPT_PROXY.html
This documents the API that can be used to set proxy settings for programs that use libcurl. However, if we read deeper, we find a section on environment variables that declares that http_proxy and https_proxy can be set.

How to setup google service account authorization in Node.js with JSON key file?

Trying to make use of the Server to Server OAuth flow defined here:
https://developers.google.com/identity/protocols/OAuth2ServiceAccount
Since I'm running from a local dev environment, I've created a service account in GCP and downloaded the JSON file with the private key, but cannot find any Node.js code examples on how to:
1) load the json file
2) set delegated credentials (for G Suite domain-wide authorization)
Places I've looked (besides stackoverflow) are Google's git wiki for the node.js client library, which does talk about server to server auth, but seems to assume you're running from appengine or google cloud and don't need to load a key file:
https://github.com/googleapis/google-api-nodejs-client#service-to-service-authentication
The Admin SDK Activities Reports API has a Node example, but it's using the web-based flow assuming a user is present:
https://developers.google.com/admin-sdk/reports/v1/quickstart/nodejs
Buried deep in the Node.js samples is use of the Directory API, which does seem to take a keyfile as input, but when I try running locally it says getClient is not a constructor, and still this example doesn't show how to set the G Suite admin user for context (which is generally when a refresh token and access token are loaded into the app):
https://github.com/googleapis/google-api-nodejs-client/blob/master/samples/directory_v1/group-delete.js
So... does anybody have an example of this? I really don't want to switch to a Python runtime but Google seems to have left out important examples on this topic.

gcloud components repositories add error

I followed this tutorial
https://github.com/ARM-software/Cloud-IoT-Core-Kit-Examples/blob/master/readme.md
to connect my Pi to Google Cloud IoT Core, but when I tried to add a repository with this command
sudo gcloud components repositories add https://storage.googleapis.com/cloud-iot-gcloud/components-2.json
I got this message: ERROR: (gcloud.components.repositories.add) Account [tiosahelal#gmail.com] does not have permission to install this component.
But when I skipped that part of the tutorial, I can make new devices in Google Cloud IoT, but when I test it with this tutorial https://github.com/ARM-software/Cloud-IoT-Core-Kit-Examples/tree/master/CPUTemp
I got:
('on_connect', '5: The connection was refused.')
('on_disconnect', '5: The connection was refused.')
You should no longer need to use alpha components with Google Cloud IoT Core because the components appear in Beta.
For example:
gcloud beta iot registries list --region=us-central1
For the connection refused issue, make sure to double check all of the MQTT settings:
username is ignored
mqtt.googleapis.com is the host, port 8883 or 443 (maybe try 443?)
Client ID is: projects/{project-id}/locations/{cloud-region}/registries/{registry-id}/devices/{device-id}
If any of the configurations is incorrect, you will be unable to connect. Also, make sure that your device certificate, used when you added your device to your device registry, has not expired.

The gsutil tool is not working to register a channel in object change notification

When executing the following command:
gsutil notifyconfig watchbucket -i myapp-channel -t myapp-token https://myapp.appspot.com/gcsnotify gs://mybucket
I receive the following answer, but I used the same command before on other buckets and it worked:
Watching bucket gs://mybucket/ with application URL https://myapp.appspot.com/gcsnotify...
Failure: <HttpError 401 when requesting https://www.googleapis.com/storage/v1beta2/b/mybucket/o/watch?alt=json returned "Unauthorized WebHook callback channel: https://myapp.appspot.com/gcsnotify">.
I used gsutil config to set permissions and tried with gsutil config -e also.
I already tried to set the permissions and made myself owner of the project, but it is not working. Any help?
I was getting the same error. You must configure gsutil to use a service account before you can watch a bucket.
An additional security requirement was recently added for Object Change Notification. You must add your endpoint domain as a trusted domain on your cloud project. To do that, the domain first has to be whitelisted with the Google Webmaster Tools.
See instructions here:
https://developers.google.com/storage/docs/object-change-notification#_Authorization
I also determined that I needed to:
Whitelist my appspot domain
Create a service account before I can watch a bucket.
At first I was using the google cloud shell and I figured it should just be authenticated. gsutil ls listed the objects in my bucket so I assumed I was authenticated. However that is not the case.
You need to install gsutil or the Google Cloud SDK, log in, get the .p12 file from the service account, and auth it as Wind Up Toy described. After that it will work.