4 posts tagged 'iot'


[AWS] A look at --query when using the aws cli

Cloud&Container/AWS 2020. 3. 13. 21:46

Calling this "a look" is generous: it is just a couple of examples and a link to the document you actually need to study.

 

https://jmespath.org/specification.html#filter-expressions

$ aws iot list-thing-types --query 'thingTypes[].[thingTypeName, thingTypeName==`1584075120782`]'
$ aws iot list-thing-types --query "thingTypes[].[thingTypeName, starts_with(thingTypeName, '15840')]"

 

"JMES" seems to be an abbreviation of the name of the person who made this, but I am not sure whether that is right.

© Copyright 2014-2015, James Saryerwinnie.

 

And this person appears to be an AWS employee. :)

Tags: AWS, iot, query


[AWS] aws iot, iot-data and the other IoT CLI command groups

Cloud&Container/AWS 2020. 3. 13. 16:58

While developing, you usually cannot avoid the reference and API documentation.

On top of that, nobody can remember every API that is offered.

So I simply collected them here so they can be seen at a glance.

 

[aws iot cli command]

https://docs.aws.amazon.com/cli/latest/reference/iot/index.html

accept-certificate-transfer              | add-thing-to-billing-group
add-thing-to-thing-group                 | associate-targets-with-job
attach-policy                            | attach-principal-policy
attach-security-profile                  | attach-thing-principal
cancel-audit-mitigation-actions-task     | cancel-audit-task
cancel-certificate-transfer              | cancel-job
cancel-job-execution                     | clear-default-authorizer
confirm-topic-rule-destination           | create-authorizer
create-billing-group                     | create-certificate-from-csr
create-domain-configuration              | create-dynamic-thing-group
create-job                               | create-keys-and-certificate
create-mitigation-action                 | create-ota-update
create-policy                            | create-policy-version
create-provisioning-claim                | create-provisioning-template
create-provisioning-template-version     | create-role-alias
create-scheduled-audit                   | create-security-profile
create-stream                            | create-thing
create-thing-group                       | create-thing-type
create-topic-rule                        | create-topic-rule-destination
delete-account-audit-configuration       | delete-authorizer
delete-billing-group                     | delete-ca-certificate
delete-certificate                       | delete-domain-configuration
delete-dynamic-thing-group               | delete-job
delete-job-execution                     | delete-mitigation-action
delete-ota-update                        | delete-policy
delete-policy-version                    | delete-provisioning-template
delete-provisioning-template-version     | delete-registration-code
delete-role-alias                        | delete-scheduled-audit
delete-security-profile                  | delete-stream
delete-thing                             | delete-thing-group
delete-thing-type                        | delete-topic-rule
delete-topic-rule-destination            | delete-v2-logging-level
deprecate-thing-type                     | describe-account-audit-configuration
describe-audit-finding                   | describe-audit-mitigation-actions-task
describe-audit-task                      | describe-authorizer
describe-billing-group                   | describe-ca-certificate
describe-certificate                     | describe-default-authorizer
describe-domain-configuration            | describe-endpoint
describe-event-configurations            | describe-index
describe-job                             | describe-job-execution
describe-mitigation-action               | describe-provisioning-template
describe-provisioning-template-version   | describe-role-alias
describe-scheduled-audit                 | describe-security-profile
describe-stream                          | describe-thing
describe-thing-group                     | describe-thing-registration-task
describe-thing-type                      | detach-policy
detach-principal-policy                  | detach-security-profile
detach-thing-principal                   | disable-topic-rule
enable-topic-rule                        | get-cardinality
get-effective-policies                   | get-indexing-configuration
get-job-document                         | get-logging-options
get-ota-update                           | get-percentiles
get-policy                               | get-policy-version
get-registration-code                    | get-statistics
get-topic-rule                           | get-topic-rule-destination
get-v2-logging-options                   | list-active-violations
list-attached-policies                   | list-audit-findings
list-audit-mitigation-actions-executions | list-audit-mitigation-actions-tasks
list-audit-tasks                         | list-authorizers
list-billing-groups                      | list-ca-certificates
list-certificates                        | list-certificates-by-ca
list-domain-configurations               | list-indices
list-job-executions-for-job              | list-job-executions-for-thing
list-jobs                                | list-mitigation-actions
list-ota-updates                         | list-outgoing-certificates
list-policies                            | list-policy-principals
list-policy-versions                     | list-principal-policies
list-principal-things                    | list-provisioning-template-versions
list-provisioning-templates              | list-role-aliases
list-scheduled-audits                    | list-security-profiles
list-security-profiles-for-target        | list-streams
list-tags-for-resource                   | list-targets-for-policy
list-targets-for-security-profile        | list-thing-groups
list-thing-groups-for-thing              | list-thing-principals
list-thing-registration-task-reports     | list-thing-registration-tasks
list-thing-types                         | list-things
list-things-in-billing-group             | list-things-in-thing-group
list-topic-rule-destinations             | list-topic-rules
list-v2-logging-levels                   | list-violation-events
register-ca-certificate                  | register-certificate
register-thing                           | reject-certificate-transfer
remove-thing-from-billing-group          | remove-thing-from-thing-group
replace-topic-rule                       | search-index
set-default-authorizer                   | set-default-policy-version
set-logging-options                      | set-v2-logging-level
set-v2-logging-options                   | start-audit-mitigation-actions-task
start-on-demand-audit-task               | start-thing-registration-task
stop-thing-registration-task             | tag-resource
test-authorization                       | test-invoke-authorizer
transfer-certificate                     | untag-resource
update-account-audit-configuration       | update-authorizer
update-billing-group                     | update-ca-certificate
update-certificate                       | update-domain-configuration
update-dynamic-thing-group               | update-event-configurations
update-indexing-configuration            | update-job
update-mitigation-action                 | update-provisioning-template
update-role-alias                        | update-scheduled-audit
update-security-profile                  | update-stream
update-thing                             | update-thing-group
update-thing-groups-for-thing            | update-topic-rule-destination
validate-security-profile-behaviors      | help

 

[aws iot-data cli command]

https://docs.aws.amazon.com/cli/latest/reference/iot-data/index.html

delete-thing-shadow                      | get-thing-shadow
publish                                  | update-thing-shadow
help

 

[aws iot-jobs-data cli command]

https://docs.aws.amazon.com/cli/latest/reference/iot-jobs-data/index.html

describe-job-execution                   | get-pending-job-executions
start-next-pending-job-execution         | update-job-execution

 

[aws iot1click-devices cli command]

https://docs.aws.amazon.com/cli/latest/reference/iot1click-devices/index.html

claim-devices-by-claim-code              | describe-device
finalize-device-claim                    | get-device-methods
initiate-device-claim                    | invoke-device-method
list-device-events                       | list-devices
list-tags-for-resource                   | tag-resource
unclaim-device                           | untag-resource
update-device-state                      | help

 

[aws iot1click-projects cli command]

https://docs.aws.amazon.com/cli/latest/reference/iot1click-projects/index.html

associate-device-with-placement          | create-placement
create-project                           | delete-placement
delete-project                           | describe-placement
describe-project                         | disassociate-device-from-placement
get-devices-in-placement                 | list-placements
list-projects                            | list-tags-for-resource
tag-resource                             | untag-resource
update-placement                         | update-project
help

 

[aws iotanalytics cli command]

https://docs.aws.amazon.com/cli/latest/reference/iotanalytics/index.html

batch-put-message                        | cancel-pipeline-reprocessing
create-channel                           | create-dataset
create-dataset-content                   | create-datastore
create-pipeline                          | delete-channel
delete-dataset                           | delete-dataset-content
delete-datastore                         | delete-pipeline
describe-channel                         | describe-dataset
describe-datastore                       | describe-logging-options
describe-pipeline                        | get-dataset-content
list-channels                            | list-dataset-contents
list-datasets                            | list-datastores
list-pipelines                           | list-tags-for-resource
put-logging-options                      | run-pipeline-activity
sample-channel-data                      | start-pipeline-reprocessing
tag-resource                             | untag-resource
update-channel                           | update-dataset
update-datastore                         | update-pipeline
help

 

[aws iotevents cli command]

https://docs.aws.amazon.com/cli/latest/reference/iotevents/index.html

create-detector-model                    | create-input
delete-detector-model                    | delete-input
describe-detector-model                  | describe-input
describe-logging-options                 | list-detector-model-versions
list-detector-models                     | list-inputs
list-tags-for-resource                   | put-logging-options
tag-resource                             | untag-resource
update-detector-model                    | update-input
help

 

[aws iotevents-data cli command]

https://docs.aws.amazon.com/cli/latest/reference/iotevents-data/index.html

batch-put-message                        | batch-update-detector
describe-detector                        | list-detectors
help

 

[aws iotsecuretunneling cli command]

https://docs.aws.amazon.com/cli/latest/reference/iotsecuretunneling/index.html

close-tunnel                             | describe-tunnel
list-tags-for-resource                   | list-tunnels
open-tunnel                              | tag-resource
untag-resource                           | help

 

[aws iotthingsgraph cli command]

https://docs.aws.amazon.com/cli/latest/reference/iotthingsgraph/index.html

associate-entity-to-thing                | create-flow-template
create-system-instance                   | create-system-template
delete-flow-template                     | delete-namespace
delete-system-instance                   | delete-system-template
deploy-system-instance                   | deprecate-flow-template
deprecate-system-template                | describe-namespace
dissociate-entity-from-thing             | get-entities
get-flow-template                        | get-flow-template-revisions
get-namespace-deletion-status            | get-system-instance
get-system-template                      | get-system-template-revisions
get-upload-status                        | list-flow-execution-messages
list-tags-for-resource                   | search-entities
search-flow-executions                   | search-flow-templates
search-system-instances                  | search-system-templates
search-things                            | tag-resource
undeploy-system-instance                 | untag-resource
update-flow-template                     | update-system-template
upload-entity-definitions                | help

 

Tags: AWS, CLI, iot


[AWS] When you get the error "..user is not authorized to perform: iam:PassRole on resource.."

Cloud&Container/AWS 2020. 3. 4. 18:35

As always, the error message already contains the whole answer.

It says the caller has no permission for "iam:PassRole".

 

Still, there are times when you are sure you granted sufficient permissions and wonder why that error appears anyway.

I found both the cause and the fix, but it convinced me once again that to use cloud services well, not just AWS, you have to understand security and permissions in real detail and think them through.

 

It was also a bit disappointing that there do not seem to be many IAM templates organized by service type.

I should try to make some when I have time.

 

Not authorized to perform iam:PassRole

When you create a service-linked role, you must have permission to pass that role to the service. Some services automatically create a service-linked role in your account when you perform an action in that service. For example, Amazon EC2 Auto Scaling creates the AWSServiceRoleForAutoScaling service-linked role on your behalf when you create an Auto Scaling group for the first time. If you try to create an Auto Scaling group without the PassRole permission, you get the following error.

 

ClientError: An error occurred (AccessDenied) when calling the
PutLifecycleHook operation: User: arn:aws:sts::111122223333:assumed-role/
Testrole/Diego is not authorized to perform: iam:PassRole on resource:
arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/
AWSServiceRoleForAutoScaling

 

To fix this error, ask your administrator to add the iam:PassRole permission for you. To learn which services support service-linked roles, see the section AWS Services That Work with IAM (p. 571). To learn whether a service automatically creates a service-linked role, choose the Yes link to view the service-linked role documentation for that service.

 

I also solved it by creating a new policy on the role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:PassRole"
            ],
            "Resource": "arn:aws:s3:::test-iot-s3-action"
        }
    ]
}

If you want the full list of Actions, see the document below.

https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html
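IAM evaluates the Resource element of iam:PassRole against the ARN of the role being passed, not against the S3 bucket that the rule action writes to, so the least-privilege form names that role ARN and restricts the receiving service with the iam:PassedToService condition key. The script below is an added example, not the post's own policy; the role ARN (using the 111122223333 example account from the error message above) is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post). Emits a least-privilege iam:PassRole
# policy for an AWS IoT rule action and checks a policy file for the mistake on
# this page: a Resource that is not the ARN of the role being passed.
# The role ARN passed in is a constructed placeholder.

# Print a policy allowing the caller to read and pass exactly one role, and only
# to AWS IoT (iam:PassedToService), instead of any role in the account.
passrole_policy() {
  role_arn="$1"
  cat <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iam:GetRole", "iam:PassRole"],
            "Resource": "${role_arn}",
            "Condition": {
                "StringEquals": { "iam:PassedToService": "iot.amazonaws.com" }
            }
        }
    ]
}
EOF
}

# Return 0 if every "Resource" line in the policy file names an IAM role ARN
# (the only kind of ARN iam:PassRole is evaluated against), 1 otherwise.
# Assumes the file is formatted with one "Resource" string per line, as above;
# an S3 bucket ARN or a bare "*" both fail the check.
passrole_resources_ok() {
  grep -q '"Resource"' "$1" || return 1
  if grep '"Resource"' "$1" | grep -vqE '"arn:aws:iam::[0-9]{12}:role/[^"]+"'; then
    return 1
  fi
  return 0
}
```

Run `passrole_policy arn:aws:iam::111122223333:role/ROLE_NAME > policy.json` and attach the result to the user or role that creates the IoT rule; `passrole_resources_ok policy.json` flags the S3-bucket Resource shown in the post.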

Tags: AWS, IAM, iot, Role, S3


[AWS IoT] Registering a CA certificate

Cloud&Container/AWS 2020. 3. 3. 20:42

Reference:

https://docs.aws.amazon.com/iot/latest/developerguide/device-certs-your-own.html

 

$ openssl genrsa -out rootCA.key 2048
$ openssl req -x509 -new -extensions v3_ca -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
Country Name (KR) []:KR
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:
Email Address []:
$ openssl genrsa -out verificationCert.key 2048
$ aws iot get-registration-code 
{
    "registrationCode": "879216d3f0b9fee2e0947fe32fd4ed9670d65fa9aff3e67e590582db30f62878"
}
$ openssl req -new -key verificationCert.key -out verificationCert.csr
Country Name (KR) []:KR
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:879216d3f0b9fee2e0947fe32fd4ed9670d65fa9aff3e67e590582db30f62878
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
$ openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.pem -days 500 -sha256
$ aws iot register-ca-certificate --ca-certificate file://rootCA.pem --verification-cert file://verificationCert.pem
{
    "certificateArn": "arn:aws:iot:ap-northeast-2:99999999999:cacert/879216d3f0b9fee2e0947fe32fd4ed9670d65fa9aff3e67e590582db30f62878",
    "certificateId": "879216d3f0b9fee2e0947fe32fd4ed9670d65fa9aff3e67e590582db30f62878"
}
 
$ cat /etc/ssl/openssl.cnf
[ req ]
#default_bits = 2048
#default_md = sha256
#default_keyfile  = privkey.pem
distinguished_name = req_distinguished_name
extensions               = v3_ca # added setting
req_extensions           = v3_ca # added setting
attributes = req_attributes

[ v3_ca ]
basicConstraints         = CA:TRUE # added setting

[ req_distinguished_name ]
countryName = Country Name (KR)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, fully qualified host name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

 

The test above was run on a MacBook.

I was told that on Ubuntu it works without any configuration changes.

The part highlighted in red above (the lines commented "# added setting") was what differed, and that kept causing the error.

 

[Error message]

An error occurred (CertificateValidationException) when calling the RegisterCACertificate operation: CA certificate is not valid.

The CA certificate does not have the basicConstraints extension as true
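The same procedure, as an added example that is not part of the original post: it keeps the CA:TRUE setting in a private openssl config rather than editing /etc/ssl/openssl.cnf, builds the CA and the verification certificate whose CN is the registration code, and checks the basicConstraints extension locally so the CertificateValidationException above is caught before calling register-ca-certificate. The registration code is a constructed placeholder; a real one comes from `aws iot get-registration-code`.

```shell
#!/bin/sh
# Added example (not from the original post): builds the CA and verification cert
# for `aws iot register-ca-certificate` with a private openssl config instead of
# editing /etc/ssl/openssl.cnf, and checks basicConstraints before the API call.
# The registration code is a constructed placeholder (real: aws iot get-registration-code).
REG_CODE_PLACEHOLDER="0000000000000000000000000000000000000000000000000000000000000000"

# Minimal config; [ v3_ca ] carries the CA:TRUE flag that AWS IoT requires.
write_ca_config() {
  cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
prompt             = no
[ req_distinguished_name ]
C  = KR
CN = iot-test-root
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# CA key plus self-signed CA certificate, using only the config above.
make_ca() {
  write_ca_config "$1"
  openssl genrsa -out "$1/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$1/rootCA.key" -sha256 -days 1024 \
    -config "$1/ca.cnf" -extensions v3_ca -out "$1/rootCA.pem"
}

# Verification cert: a CSR whose CN is the registration code ($2), signed by the
# CA; this is how AWS IoT proves the caller holds the CA private key.
make_verification_cert() {
  openssl genrsa -out "$1/verificationCert.key" 2048 2>/dev/null
  openssl req -new -key "$1/verificationCert.key" -config "$1/ca.cnf" \
    -subj "/C=KR/CN=$2" -out "$1/verificationCert.csr"
  openssl x509 -req -in "$1/verificationCert.csr" -CA "$1/rootCA.pem" \
    -CAkey "$1/rootCA.key" -CAcreateserial -days 500 -sha256 \
    -out "$1/verificationCert.pem" 2>/dev/null
}

# Return 0 if the cert has basicConstraints CA:TRUE; a CA cert failing this is
# what triggers "CA certificate is not valid ... basicConstraints" on registration.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Return 0 if the verification cert chains to rootCA.pem and its CN is the code.
verification_cert_ok() {
  openssl verify -CAfile "$1/rootCA.pem" "$1/verificationCert.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1/verificationCert.pem" -noout -subject | grep -q "CN *= *$2"
}
```

After `make_ca "$dir"` and `make_verification_cert "$dir" "$code"`, run `is_ca_cert "$dir/rootCA.pem"` before the `aws iot register-ca-certificate` call from the post; on a macOS OpenSSL where the stock config lacks the v3_ca section, this is the check that would have failed.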

Tags: AWS, CA, certificate, CORE, iot