aws-iot-dragonconnect-c

Arrow DragonConnect

Overview

The DragonConnect example uses several Amazon services including the API Gateway, Lambda, IoT, and CloudWatch. Amazon controls access to these services using Identity and Access Management (IAM). This step will configure IAM to allow the proper access and will also configure elements of IoT. The steps below will get you started and if you are curious about what the administration utility does then consider reading the Details.

Create IAM and IoT Elements

The DragonConnect example includes several utility functions to help manage resources. The following steps will configure the required roles and policies:

$ cd admin
$ npm install ../config
$ npm install
$ node lib/foundation.js create

Remove IAM and IoT Elements

The DragonConnect configuration may be removed by issuing the following commands:

$ cd admin
$ node lib/foundation.js delete

Details

The foundation.js script performs the following functions, grouped by Amazon service:

  • IAM
    • Create roles that permit the required actions for the API Gateway, Lambda, and IoT services
  • IoT
    • Configures the logging options used for debugging purposes
    • Creates policies that allow clients to perform the required operations on MQTT topics
    • Creates a topic rule

The following sections examine the configuration performed by the foundation.js script. While the script configures several Amazon services, further configuration is required and is performed by additional DragonConnect utilities.

The IAM service provides a fine-grain permission model to control access to all of the Amazon services. For more information about IAM, please consult the AWS Identity and Access Management User Guide.

API Gateway IAM Role

The DragonConnect-ApiGateway role includes a trust relationship for apigateway.amazonaws.com. This permits the API Gateway to perform the actions defined by the managed and inline policies.

  • Managed Policies

    The AWSLambdaRole policy allows Lambda functions to be invoked.

  • Inline Policies

    The IAMPassRolePolicy allows the IAM role to be passed to the Lambda function. For more information, see the section entitled Granting Permissions using the Execution Role describing the Lambda Permission Model.

IoT IAM Role

The DragonConnect-IoT role includes a trust relationship for iot.amazonaws.com. This permits the IoT service to perform the actions defined in the associated managed policies:

  • Managed Policies

    The AWSIoTLogging policy allows the management of CloudWatch logs and streams.

Lambda IAM Role

The DragonConnect-Lambda role includes a trust relationship for lambda.amazonaws.com. This permits the Lambda service to perform the actions defined in the associated policies:

  • Managed Policies

    The AWSLambdaBasicExecutionRole policy allows CloudWatch logs and streams to be created.

  • Inline Policies

    The DynamodbPolicy permits a Lambda function to put an item (create a record) and query a table.

    The IotPolicy permits a Lambda function to describe the Amazon-configured MQTT endpoint, retrieve a list of things, and retrieve and update a thing shadow.

IoT Logging

In addition to the DragonConnect-IoT role granting permission to manage CloudWatch logs and streams, IoT logging itself must be enabled. The script performs the equivalent of:

$ aws iot set-logging-options --logging-options-payload \
roleArn="arn:aws:iam::012345678901:role/DragonConnect-IoT-59f4",logLevel="DEBUG"

IoT Policy

The DragonConnect IoT policy defines the actions that are allowed on the IoT MQTT topics:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:012345678901:topic/things/*/audio/events"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:012345678901:topic/$aws/things/*/shadow/update"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:012345678901:topicfilter/$aws/things/*/shadow/update/delta"
      ]
    }
  ]
}

This policy allows connections to be established, events to be published to a custom MQTT topic in things/+/audio/events and to the Device Shadow topic of $aws/things/+/shadow/update, and clients to subscribe to the $aws/things/+/shadow/update/delta topic.
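As an added example (not DragonConnect code), the following evaluates requests against the policy above using IAM-style resource matching, so the exact set of topics a client may use can be checked before deployment. The region and account id are the page's sample values; the client id is constructed.

```javascript
// Added example, not DragonConnect code: checks requests against the IoT policy
// above using IAM-style resource matching. Region and account id are the page's
// sample values.
const REGION = "us-east-1";
const ACCOUNT = "012345678901";
const base = `arn:aws:iot:${REGION}:${ACCOUNT}`;

// The DragonConnect IoT policy as shown on the page.
const policy = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["iot:Connect"], Resource: ["*"] },
    { Effect: "Allow", Action: ["iot:Publish"], Resource: [`${base}:topic/things/*/audio/events`] },
    { Effect: "Allow", Action: ["iot:Publish"], Resource: [`${base}:topic/$aws/things/*/shadow/update`] },
    { Effect: "Allow", Action: ["iot:Subscribe"],
      Resource: [`${base}:topicfilter/$aws/things/*/shadow/update/delta`] },
  ],
};

// IAM pattern semantics: '*' matches any run of characters, including '/', so it is
// broader than the MQTT '+' wildcard; '?' matches one character; all else is literal.
function matchesPattern(pattern, value) {
  const body = pattern.split("").map((ch) =>
    ch === "*" ? ".*" : ch === "?" ? "." : ch.replace(/[.+^${}()|[\]\\]/g, "\\$&")).join("");
  return new RegExp(`^${body}$`).test(value);
}

// Request ARN for an MQTT operation: Connect is checked against client/, Subscribe
// against topicfilter/, Publish and Receive against topic/.
function requestArn(action, name) {
  const kind = action === "iot:Connect" ? "client" : action === "iot:Subscribe" ? "topicfilter" : "topic";
  return `${base}:${kind}/${name}`;
}

// An explicit Deny wins; otherwise any matching Allow grants the request.
function isAllowed(pol, action, resourceArn) {
  let allowed = false;
  for (const st of pol.Statement) {
    if (!st.Action.some((a) => matchesPattern(a, action))) continue;
    if (!st.Resource.some((r) => matchesPattern(r, resourceArn))) continue;
    if (st.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

// canDo("iot:Publish", "things/dev1/audio/events") -> true
function canDo(action, name) {
  return isAllowed(policy, action, requestArn(action, name));
}
```

Two results worth noting: the `*` in the Publish resource also matches a topic such as things/a/b/audio/events, which MQTT `+` would not, and the policy grants iot:Subscribe on the delta topic but no iot:Receive, which AWS IoT checks separately on each delivered message.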

IoT Topic Rules

A single topic rule is required for the DragonConnect example. The topic rule configures the DragonConnect-audioEvents Lambda function to be invoked when a message is received on the things/+/audio/events MQTT topic:

{
    "rule": {
        "sql": "SELECT 'create' as action, topic(2) as message.thingId, * as message.event FROM 'things/+/audio/events'",
        "ruleDisabled": false,
        "actions": [
            {
                "lambda": {
                    "functionArn": "arn:aws:lambda:us-east-1:012345678901:function:DragonConnect-audioEvents"
                }
            }
        ],
        "ruleName": "DragonConnectAudioEvents"
    }
}

DynamoDB Tables

The DragonConnect-audioEvents DynamoDB table stores audio events collected by the client application and published to the things/+/audio/events MQTT topic. This step creates the table using thingId (string) as the partition key and timestamp (number) as the sort key.
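The following added example (not project code) simulates what the DragonConnectAudioEvents topic rule above hands to the Lambda function and how that input maps onto the thingId/timestamp key of the DragonConnect-audioEvents table. The sample message is constructed, and it assumes the device payload carries a numeric timestamp field, which the page does not state.

```javascript
// Added example, not DragonConnect code: simulates the topic rule's SQL so the
// event shape delivered to the Lambda function can be checked without deploying it.

// MQTT topic-filter matching: '+' matches exactly one level, '#' the remaining levels.
function topicMatches(filter, topic) {
  const f = filter.split("/");
  const t = topic.split("/");
  for (let i = 0; i < f.length; i++) {
    if (f[i] === "#") return true;
    if (i >= t.length || (f[i] !== "+" && f[i] !== t[i])) return false;
  }
  return f.length === t.length;
}

// Equivalent of the rule's SQL from the page:
//   SELECT 'create' as action, topic(2) as message.thingId, * as message.event
//   FROM 'things/+/audio/events'
// topic(n) is the 1-based n-th segment of the topic the message was published on.
function applyAudioEventsRule(topic, payload) {
  if (!topicMatches("things/+/audio/events", topic)) return null; // rule does not fire
  const segments = topic.split("/");
  return {
    action: "create",
    message: { thingId: segments[1], event: payload },
  };
}

// Derive the DynamoDB key (thingId string partition key, timestamp number sort key)
// from the rule output. The timestamp field in the payload is an assumption of this
// example; a Lambda should reject records that lack a usable value.
function toTableKey(ruleOutput) {
  const ts = ruleOutput.message.event.timestamp;
  if (typeof ts !== "number" || !Number.isFinite(ts)) {
    throw new Error("timestamp must be a finite number");
  }
  return { thingId: ruleOutput.message.thingId, timestamp: ts };
}

// Constructed sample message, not captured from a real device.
const sampleTopic = "things/dragon-7/audio/events";
const samplePayload = { timestamp: 1500000000, level: 42 };
```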
