Mender 3.4 release: Provision devices to AWS IoT Core

Mender 3.4 now supports native integrations with AWS IoT Core. Most notably, it can provision devices to your AWS IoT Core instance, so your device applications are ready to send and receive data to and from the AWS services. This avoids the hassle of certificate and key pair generation and management for your AWS IoT applications.

These integrations are available in all Mender plans, as well as in Mender Open Source.

What is AWS IoT Core used for?

IoT Core is the AWS solution for connecting to the cloud and managing devices (Things, in the AWS jargon). It supports different communication protocols, like MQTT, HTTPS and MQTT over WebSockets, securing the communication between the devices and the cloud using mutual authentication and end-to-end encryption.

Additionally, you can associate Device Shadows to Things in IoT Core. These are JSON documents with “desired” (user set) and “reported” (from device) properties which are automatically synced between the devices and the cloud.

The value of Mender integrating with AWS IoT Core

Let us assume you are using AWS IoT Core for IoT application telemetry and Mender to deploy OTA firmware and software updates, which is the typical situation for many Mender users today. Mender and AWS have been completely separate from each other, but you still need to connect every device to both to achieve the described use cases.

First off, this means provisioning and managing separate key and certificate materials on the device itself and making sure the device is created in both services. If this registration process has some (partial) failures, it can create severe issues over time, because the device would then be unable to send application data, unable to receive OTA updates, or both. The ideal situation is that you register the device once in a single system and ensure it stays synchronized, even when rotating keys.

Secondly, you want one place to look up and control information about the device and its application. Where do you go? Mender users would use Mender, but it did not have all the information about a device, such as the AWS Device ID or Device Shadow. You could build a homegrown, internal system that “glues” information from AWS IoT Core and Mender together, offering a single place of registration and device information, but this is not ideal. You will spend your time developing and maintaining infrastructure instead of focusing your time and energy on product development, which is why you bought these services in the first place.

To solve these challenges, Mender 3.4 enables users to provision and manage credentials and device information directly in Mender. From now on, Mender takes care of synchronizing it with AWS IoT Core and the device.

Provision devices to AWS IoT Core

The first challenge when starting to use AWS IoT Core is device provisioning. You will need to generate the keys and then somehow transfer these keys to each device. It can work as a manual process for development or testing purposes. Still, there is a more significant challenge in scaling this up securely, especially since device credentials need to be unique.

Mender 3.4 solves this problem for you since you can integrate your AWS IoT Core into it: it will manage your devices in AWS IoT Core by using the already-existing secure channel to the device.

AWS and Mender

When you accept a new device in Mender, the server will automatically create the same device in your AWS IoT Core by generating a new dedicated private key and certificate to authorize it.

With the Mender Configure add-on, Mender will also distribute the crypto materials for AWS IoT Core to the device, so it is ready to use. Your applications running on the device can obtain the private key and certificate and start sending data to AWS IoT Core immediately.

Mender will continue to manage the device life-cycle and synchronize it to AWS IoT Core. So, for example, if the device becomes Rejected in Mender, Mender will disable it in AWS IoT Core. This means less maintenance and no need for API-based integrations, as you only need to manage the device life-cycle in one place: the Mender server.

Manage Device Shadows in Mender

Mender contains inventory information about every device, such as IP address, geolocation data, and installed software versions. The primary uses for this in Mender are grouping devices, e.g., by region or time zone, and troubleshooting single devices.

However, when using AWS IoT Core, additional information about each device is available in a separate system. This again creates the issue of managing data from multiple sources. For example, to deploy an urgent security update to the application with Mender, you might need to configure it to accept all updates immediately through a property in its Device Shadow. But that would mean you’ll need to log into AWS IoT Core and find the same device there first. This is very cumbersome and error-prone.

To address this issue with disparate sources of information, Mender introduces a second integration to manage AWS Device Shadows directly in the Mender UI (and APIs). This makes all the information about the device available in a single place: the Mender server.

The Mender server synchronizes the Device Shadow to AWS IoT Core, as shown in the diagram below.

[Figure: Device Shadow synchronization between AWS IoT Core and Mender]

The Device Shadow is available under the Mender UI's device details.

[Figure: Device Shadow in the Mender UI device details]

When there are support cases or issues with devices, there is no longer any need to look up information from different sources, which will save valuable operational and debugging time.

In most cases, a Device Shadow's desired and reported properties will eventually converge. This is why Mender also shows a diff interface for any differences between them, so it is easy to identify properties and values that are not (yet) synchronized and thus discover any issues that may need attention.
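The "not yet synchronized" view described above boils down to comparing the shadow's desired and reported state. The following is an added example, not Mender's or AWS's code, that computes that difference for a Device Shadow document in the standard `state.desired` / `state.reported` layout; the shadow contents and property names are constructed for illustration.

```python
import json
from typing import Any, Dict

# Constructed sample shadow document in the AWS IoT Device Shadow layout
# (state.desired / state.reported). Property names are made up for this example.
SAMPLE_SHADOW = json.loads("""
{
  "state": {
    "desired":  {"accept_updates": "immediately",
                 "telemetry": {"interval_s": 30, "enabled": true},
                 "log_level": "info"},
    "reported": {"accept_updates": "maintenance_window",
                 "telemetry": {"interval_s": 60, "enabled": true},
                 "firmware": "1.2.0"}
  },
  "version": 7
}
""")


def shadow_delta(desired: Dict[str, Any], reported: Dict[str, Any]) -> Dict[str, Any]:
    """Return the subset of `desired` that `reported` has not yet converged to.

    A key appears in the delta when it is missing from `reported` or its value
    differs; nested objects are compared recursively; keys present only in
    `reported` are ignored (the device may report state the cloud never asked for).
    """
    delta: Dict[str, Any] = {}
    for key, want in desired.items():
        have = reported.get(key)
        if isinstance(want, dict) and isinstance(have, dict):
            sub = shadow_delta(want, have)
            if sub:
                delta[key] = sub
        elif key not in reported or have != want:
            delta[key] = want
    return delta


def unsynced_properties(shadow: Dict[str, Any]) -> Dict[str, Any]:
    """Pull state.desired / state.reported out of a shadow document and diff them."""
    state = shadow.get("state", {})
    return shadow_delta(state.get("desired", {}), state.get("reported", {}))


def is_converged(shadow: Dict[str, Any]) -> bool:
    """True when every desired property has been reported back by the device."""
    return not unsynced_properties(shadow)


if __name__ == "__main__":
    print(json.dumps(unsynced_properties(SAMPLE_SHADOW), indent=2))
```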

Try the new features

Here are some pages with more information to get you started with Mender:

  • Get started - The best place to do a quick test of the new release from scratch. Sign up for a new Free trial, and all features and add-ons are available for 12 months for free.
  • AWS IoT Core in Mender docs - More in-depth information on how the integrations work, including architecture.

Share your feedback

We appreciate your general feedback on Mender, be it positive or need for improvement, in the Mender Hub General Discussions forum. Your continued feedback ensures Mender will meet your needs even better in the future!

If you believe you have encountered a bug, please submit your report at the Mender JIRA issue tracker.

We hope you enjoy the new features and are looking forward to hearing from you!
