Authenticate vehicles Authorize vehicles

Provision vehicles

The Edge Agent for AWS IoT FleetWise software running in your vehicle collects and transfers data to the cloud. AWS IoT FleetWise integrates with AWS IoT Core to support secure communication between the Edge Agent software and the cloud through MQTT. Each vehicle corresponds to an AWS IoT thing. You can use an existing AWS IoT thing to create a vehicle or set AWS IoT FleetWise to automatically create an AWS IoT thing for your vehicle. For more information, see Create a vehicle (AWS CLI).

The following topics are reserved for use by AWS IoT FleetWise. You can subscribe and publish to reserved topics as they allow. However, you can't create new topics that begin with a dollar sign ($). Unsupported publish or subscribe operations to reserved topics can result in the connection ending.

Topic	Client operation allowed	Description
`$aws/iotfleetwise/vehicles/vehicleName/checkins`	Publish	The Edge Agent software publishes vehicle status information to this topic.
`$aws/iotfleetwise/vehicles/vehicleName/signals`	Publish	The Edge Agent software publishes signals to this topic.
`$aws/iotfleetwise/vehicles/vehicleName/collection_schemes`	Subscribe	AWS IoT FleetWise publishes data collection schemes to this topic. Vehicles consume these data collection schemes.
`$aws/iotfleetwise/vehicles/vehicleName/decoder_manifests`	Subscribe	AWS IoT FleetWise publishes decoder manifests to this topic. Vehicles consume these decoder manifests.

AWS IoT Core supports authentication and authorization that help securely control access to AWS IoT FleetWise resources. Vehicles can use X.509 certificates to get authenticated (signed in) to use AWS IoT FleetWise and AWS IoT Core polices to get authorized (have permissions) to perform specified actions.

Authenticate vehicles

You can create AWS IoT Core policies to authenticate your vehicles.

To authenticate your vehicle

To create an AWS IoT Core policy, run the following command.

Replace policy-name with the name of the policy that you want to create.
Replace file-name with the name of the JSON file that contains the AWS IoT Core policy.


aws iot create-policy --policy-name policy-name --policy-document file://file-name.json

Before you use the example policy, do the following:

Replace region with the AWS Region where you created AWS IoT FleetWise resources.
Replace awsAccount with your AWS account ID.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": [
                "arn:aws:iot:region:awsAccount:client/${iot:Connection.Thing.ThingName}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish"
            ],
            "Resource": [
                "arn:aws:iot:region:awsAccount:topic/$aws/iotfleetwise/vehicles/${iot:Connection.Thing.ThingName}/checkins",
                "arn:aws:iot:region:awsAccount:topic/$aws/iotfleetwise/vehicles/${iot:Connection.Thing.ThingName}/signals"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Subscribe"
            ],
            "Resource": [
                "arn:aws:iot:region:awsAccount:topicfilter/$aws/iotfleetwise/vehicles/${iot:Connection.Thing.ThingName}/collection_schemes",
                "arn:aws:iot:region:awsAccount:topicfilter/$aws/iotfleetwise/vehicles/${iot:Connection.Thing.ThingName}/decoder_manifests"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Receive"
            ],
            "Resource": [
                "arn:aws:iot:region:awsAccount:topic/$aws/iotfleetwise/vehicles/${iot:Connection.Thing.ThingName}/collection_schemes",
                "arn:aws:iot:region:awsAccount:topic/$aws/iotfleetwise/vehicles/${iot:Connection.Thing.ThingName}/decoder_manifests"
            ]
        }
    ]
}

Authorize vehicles

You can create X.509 certificates to authorize your vehicles.

To authorize your vehicle

Important

We recommend that you create a new certificate for each vehicle.

To create an RSA key pair and issue an X.509 certificate, run the following command.
- Replace cert with the name of the file that saves the command output contents of certificatePem.
- Replace public-key with the name of the file that saves the command output contents of keyPair.PublicKey.
- Replace private-key with the name of the file that saves the command output contents of keyPair.PrivateKey.
```
aws iot create-keys-and-certificate \
    --set-as-active \
    --certificate-pem-outfile cert.pem \
    --public-key-outfile public-key.key" \
    --private-key-outfile  private-key.key"
```
Copy the Amazon Resource Name (ARN) of the certificate from the output.
To attach the policy to the certificate, run the following command.
- Replace policy-name with the name of the AWS IoT Core policy that you created.
- Replace certificate-arn with the ARN of the certificate that you copied.
```
aws iot attach-policy \
    --policy-name policy-name\
    --target "certificate-arn"
```
To attach the certificate to the thing, run the following command.
- Replace thing-name with the name of your AWS IoT thing or the ID of your vehicle.
- Replace certificate-arn with the ARN of the certificate that you copied.
```
aws iot attach-thing-principal \
    --thing-name thing-name \
    --principal "certificate-arn"
```

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Vehicles

Create a vehicle