Pre-provisioning hooks
AWS recommends using pre-provisioning hook functions when creating provisioning templates to allow more control of which and how many devices your account onboards. Pre-provisioning hooks are Lambda functions that validate parameters passed from the device before allowing the device to be provisioned. This Lambda function must exist in your account before you provision a device because it's called every time a device sends a request through RegisterThing.
Important
Be sure to include the source-arn or source-account global condition context keys in the policies attached to your Lambda action to prevent permission manipulation. For more information about this, see Cross-service confused deputy prevention.
For devices to be provisioned, your Lambda function must accept the input object and return the output object described in this section. The provisioning proceeds only if the Lambda function returns an object with "allowProvisioning": true.
Pre-provision hook input
AWS IoT sends this object to the Lambda function when a device registers with AWS IoT.
{
    "claimCertificateId" : "string",
    "certificateId" : "string",
    "certificatePem" : "string",
    "templateArn" : "arn:aws:iot:us-east-1:1234567890:provisioningtemplate/MyTemplate",
    "clientId" : "221a6d10-9c7f-42f1-9153-e52e6fc869c1",
    "parameters" : {
        "string" : "string",
        ...
    }
}
The parameters object passed to the Lambda function contains the properties in the parameters argument passed in the RegisterThing request payload.
Pre-provision hook return value
The Lambda function must return a response that indicates whether it has authorized the provisioning request and the values of any properties to override.
The following is an example of a successful response from the pre-provisioning function.
{
    "allowProvisioning": true,
    "parameterOverrides" : {
        "Key": "newCustomValue",
        ...
    }
}
The values in "parameterOverrides" are added to the "parameters" argument of the RegisterThing request payload.
Note
- If the Lambda function fails, the provisioning request fails with ACCESS_DENIED and an error is logged to CloudWatch Logs.
- If the Lambda function doesn't return "allowProvisioning": true in the response, the provisioning request fails with ACCESS_DENIED.
- The Lambda function must finish running and return within 5 seconds, otherwise the provisioning request fails.
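As an added example (not code from the AWS documentation), the following Python handler implements the input/output contract above: it denies by default, checks that the request came through the expected template, validates a hypothetical SerialNumber parameter against a constructed allowlist, and returns a server-derived ThingName through parameterOverrides. The parameter names, the template ARN and the allowlist are assumptions made for this example.

```python
import json
import re

# Constructed values for this example (hypothetical): a real hook would look up the
# fleet inventory, and must do so well within the 5-second limit.
EXPECTED_TEMPLATE_ARN = "arn:aws:iot:us-east-1:1234567890:provisioningtemplate/MyTemplate"
ALLOWED_SERIALS = {"SN-0001", "SN-0002"}
SERIAL_PATTERN = re.compile(r"^SN-\d{4}$")

def deny(reason):
    # Log the reason (it lands in CloudWatch Logs) and refuse; denial is the default outcome.
    print(json.dumps({"decision": "deny", "reason": reason}))
    return {"allowProvisioning": False}

def lambda_handler(event, context=None):
    """Pre-provisioning hook: validate RegisterThing parameters before allowing onboarding."""
    # Only honor requests routed through the template this hook is meant to protect.
    if event.get("templateArn") != EXPECTED_TEMPLATE_ARN:
        return deny("unexpected templateArn")
    params = event.get("parameters") or {}
    serial = params.get("SerialNumber")  # assumed parameter name (hypothetical)
    # Validate shape first, then membership, so malformed input never reaches the lookup.
    if not isinstance(serial, str) or not SERIAL_PATTERN.match(serial):
        return deny("missing or malformed SerialNumber")
    if serial not in ALLOWED_SERIALS:
        return deny("SerialNumber not in fleet allowlist")
    # Approve, and derive ThingName server-side instead of trusting a device-supplied value.
    return {
        "allowProvisioning": True,
        "parameterOverrides": {"ThingName": f"device-{serial}"},
    }

# Constructed sample input shaped like the object AWS IoT sends (all values are placeholders).
SAMPLE_EVENT = {
    "claimCertificateId": "claimcertid-placeholder",
    "certificateId": "certid-placeholder",
    "certificatePem": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
    "templateArn": EXPECTED_TEMPLATE_ARN,
    "clientId": "221a6d10-9c7f-42f1-9153-e52e6fc869c1",
    "parameters": {"SerialNumber": "SN-0001", "ThingName": "device-supplied-name"},
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT)))
```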