Setting up AWS IoT FleetWise - AWS IoT FleetWise
Create an IAM userConfigure settings

Setting up AWS IoT FleetWise

When you sign up for AWS, your AWS account is automatically signed up for all services in AWS, including AWS IoT FleetWise.

To set up AWS IoT FleetWise, use the steps in the following sections.

Create an IAM user

Sign up for an AWS account

If you do not have an AWS account, complete the following steps to create one.

To sign up for an AWS account

  1. Open https://portal.aws.amazon.com/billing/signup.

  2. Follow the online instructions.

    Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.

    When you sign up for an AWS account, an AWS account root user is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to an administrative user, and use only the root user to perform tasks that require root user access.

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to https://aws.amazon.com/ and choosing My Account.

Create an administrative user

After you sign up for an AWS account, create an administrative user so that you don't use the root user for everyday tasks.

Secure your AWS account root user

  1. Sign in to the AWS Management Console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

    For help signing in by using root user, see Signing in as the root user in the AWS Sign-In User Guide.

  2. Turn on multi-factor authentication (MFA) for your root user.

    For instructions, see Enable a virtual MFA device for your AWS account root user (console) in the IAM User Guide.

Create an administrative user

  • For your daily administrative tasks, grant administrative access to an administrative user in AWS IAM Identity Center (successor to AWS Single Sign-On).

    For instructions, see Getting started in the AWS IAM Identity Center (successor to AWS Single Sign-On) User Guide.

Sign in as the administrative user

  • To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

    For help signing in using an IAM Identity Center user, see Signing in to the AWS access portal in the AWS Sign-In User Guide.

Configure settings

Before exploring AWS IoT FleetWise, you must configure the service settings. Your Edge Agent software transfers your vehicle data to Amazon Timestream. To enable Amazon Timestream to receive your vehicle data, configure the settings. After the settings are configured, AWS IoT FleetWise automatically registers your AWS account, IAM, and Amazon Timestream resources for access.

You can use the AWS IoT FleetWise console or API to configure the settings.

Prerequisites

To configure the settings, you need the following AWS resources.

Important

  • You must use the same AWS Region when you create Timestream resources for AWS IoT FleetWise. If you switch AWS Regions, you might have issues accessing the Timestream resources.

  • AWS IoT FleetWise is available in US East (N. Virginia) and Europe (Frankfurt).

  • For the list of supported Regions, see Timestream endpoints and quotas in the AWS General Reference.

  • An Amazon Timestream database. For a tutorial, see Create a database in the Amazon Timestream Developer Guide.

  • A table created in the specified Amazon Timestream database. For a tutorial, see Create a table in the Amazon Timestream Developer Guide.

  • An IAM role that allows AWS IoT FleetWise to send data to Amazon Timestream. Make sure that your role has the permissions shown in the following AWS CLI example.

    To create an IAM role with required policies

    1. To create an IAM role, run the following command.

      • Replace AWSIoTFleetwiseServiceRole with the name of the role you're creating.

      • Replace trust-policy with the JSON file that contains the trust policy.

      aws iam create-role --role-name AWSIoTFleetwiseServiceRole --assume-role-policy-document file://trust-policy.json
      {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "iotfleetwise.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

      Example output

      {
    "Role": {
        "Path": "/",
        "RoleName": "AWSIoTFleetwiseServiceRole",
        "RoleId": "AROA5NYUCQRRSDBVAOP73",
        "Arn": "arn:aws:iam::12345678912:role/AWSIoTFleetwiseServiceRole",
        "CreateDate": "2021-11-22T00:54:33+00:00",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "iotfleetwise.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        }
    }
}

    2. To create an IAM user policy, run the following command.

      • Replace AWSIoTFleetwiseIAMUserPolicy with the name of the policy you're creating.

      • Replace iam-user-policy with the name of the JSON file that contains the IAM user policy.

      aws iam create-policy --policy-name AWSIoTFleetwiseIAMUserPolicy --policy-document file://iam-user-policy.json
      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "timestreamIngestion",
            "Effect": "Allow",
            "Action": [
                "timestream:WriteRecords",
                "timestream:Select"
            ],
            "Resource": "*"
        },
        {
            "Sid": "timestreamDescribeEndpoint",
            "Effect": "Allow",
            "Action": [
                "timestream:DescribeEndpoints"
            ],
            "Resource": "*"
        }
    ]
}

      Example output

      {
    "Policy": {
        "PolicyName": "AWSIoTFleetwiseIAMUserPolicy",
        "PolicyId": "ANPA5NYUCQRRWIIGN2ZPH",
        "Arn": "arn:aws:iam::012345678912:policy/AWSIoTFleetwiseIAMUserPolicy",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 0,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "CreateDate": "2021-11-22T01:01:41+00:00",
        "UpdateDate": "2021-11-22T01:01:41+00:00"
    }
}

    3. From the output, copy the Amazon Resource Name (ARN) of the IAM user policy.

    4. To attach the IAM user policy to your IAM role, run the following command.

      • Replace iam-user-policy-arn with the ARN that you copied in the previous step.

      • Replace AWSIoTFleetwiseServiceRole with the name of the IAM role that you created.

      aws iam attach-role-policy --policy-arn iam-user-policy-arn --role-name AWSIoTFleetwiseServiceRole

    5. To create a permissions policy, run the following command.

      • Replace AWSIoTFleetwiseAccessTimestreamPermissionsPolicy with the name of the policy you're creating.

      • Replace permissions-policy with the name of the JSON file that contains the permissions policy.

      aws iam create-policy --policy-name AWSIoTFleetwiseAccessTimestreamPermissionsPolicy --policy-document file://permissions-policy.json
      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "timestreamIngestion",
            "Effect": "Allow",
            "Action": [
                "timestream:WriteRecords",
                "timestream:Select"
            ],
            "Resource": "*"
        },
        {
            "Sid": "timestreamDescribeEndpoint",
            "Effect": "Allow",
            "Action": [
                "timestream:DescribeEndpoints"
            ],
            "Resource": "*"
        }
    ]
}

      Example output

      {
    "Policy": {
        "PolicyName": "AWSIoTFleetwiseAccessTimestreamPermissionsPolicy",
        "PolicyId": "ANPA5NYUCQRRUJFQEZCOI",
        "Arn": "arn:aws:iam::012345678912:policy/AWSIoTFleetwiseAccessTimestreamPermissionsPolicy",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 0,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "CreateDate": "2021-11-22T01:12:55+00:00",
        "UpdateDate": "2021-11-22T01:12:55+00:00"
    }
}

    6. From the output, copy the ARN of the permissions policy.

    7. To attach the IAM permissions policy to your IAM role, run the following command.

      • Replace permissions-policy-arn with the ARN that you copied in the previous step.

      • Replace AWSIoTFleetwiseServiceRole with the name of the IAM role that you created.

      aws iam attach-role-policy --policy-arn permissions-policy-arn --role-name AWSIoTFleetwiseServiceRole

    For more information, see Access management for AWS resources in the IAM User Guide.

Configure settings (console)

In the AWS console, configure settings to transfer data to Amazon Timestream.

  1. Navigate to the AWS IoT FleetWise console.

  2. In the navigation pane, choose Settings.

  3. On the Onboarding page, do the following:

    • For Timestream database name, enter the name of your Timestream database.

    • For Timestream table name, enter the name of your Timestream table.

  4. Choose Submit.

The AWS IoT FleetWise Settings page that shows how to configure the service settings.

After you update the settings, AWS automatically registers your AWS account, IAM role, and Timestream resources for access. The registration status can be one of the following:

  • REGISTRATION_SUCCESS – The AWS resource is successfully registered.

  • REGISTRATION_PENDING – AWS IoT FleetWise is processing the registration request. This process takes approximately five minutes to complete.

  • REGISTRATION_FAILURE – AWS IoT FleetWise can't register the AWS resource. Try again later.

An example AWS IoT FleetWise Settings page that shows the summary of the service settings.

Configure settings (AWS CLI)

In the AWS CLI, configure settings to transfer data to Amazon Timestream.

  1. To configure the settings, run the following command.

    aws iotfleetwise register-account --cli-input-json file://file-name.json
    Example AWS IoT FleetWise registration configuration

    • Replace role-arn with the IAM role that you created.

    • Replace database-name with the name of your Timestream database.

    • Replace table-name with the name of your Timestream table.

    {
   "iamResources": { 
      "roleArn": "role-arn"
   },
   "timestreamResources": { 
      "timestreamDatabaseName": "database-name",
      "timestreamTableName": "table-name"
   }
}

  2. To verify that your AWS account, IAM, and Amazon Timestream resources are registered, run the following command to retrieve the registration status.

    aws iotfleetwise get-register-account-status
    Example response
    {
    "accountStatus": "REGISTRATION_SUCCESS",
    "creationTime": "2022-07-28T11:31:22.603000-07:00",
    "customerAccountId": "012345678912",
    "iamRegistrationResponse": {
        "errorMessage": "",
        "registrationStatus": "REGISTRATION_SUCCESS",
        "roleArn": "arn:aws:iam::012345678912:role/AWSIoTFleetwiseServiceRole"
    },
    "lastModificationTime": "2022-07-28T11:31:22.854000-07:00",
    "timestreamRegistrationResponse": {
        "errorMessage": "",
        "registrationStatus": "REGISTRATION_SUCCESS",
        "timestreamDatabaseArn": "arn:aws:timestream:us-east-1:012345678912:database/myDatabase",
        "timestreamDatabaseName": "myDatabase",
        "timestreamTableArn": "arn:aws:timestream:us-east-1:012345678912:database/myDatabase/table/myTable",
        "timestreamTableName": "myTable"
    }
}

After you update the settings, AWS automatically registers your AWS account, IAM role, and Timestream resources for access. The registration status can be one of the following:

  • REGISTRATION_SUCCESS – The AWS resource is successfully registered.

  • REGISTRATION_PENDING – AWS IoT FleetWise is processing the registration request. This process takes approximately five minutes to complete.

  • REGISTRATION_FAILURE – AWS IoT FleetWise can't register the AWS resource. Try again later.