This chapter shows how to set up the Device Registration System; Chapter 1 Overview gives more background on the system. The setup consists of the following parts:
- Create Cognito User Pool And Identity Pool
- Create RDS For Storing Registration Data
- Create Lambda Function for Device Registration
- Create API Gateway
- Create Registration website
Amazon Cognito provides user identity for the end users, including sign-up and sign-in. With Amazon Cognito, users sign up and sign in to their account through the website described later in this document.
To create the user pool, follow the steps below:
- Go to the Cognito console.
- Click Manage User Pools to open the Your User Pools page.
- Click Create a user pool.
- Enter a pool name and select Review defaults.
- Click Create pool to create the user pool.
- Select App clients in the left panel and click Add an app client to create the app client "webapp" in the user pool you just created.
- Tick the Generate client secret check box. Note that a browser-hosted page such as the GitHub Pages site created later cannot keep a client secret confidential (every visitor can read the page source), so if you generate one here, treat it as public.
- Click Create app client.
- Select App client settings.
- In the app client settings of "webapp", tick the "Cognito User Pool" check box.
- Additionally tick the "Authorization code grant", "Implicit grant", "email", "openid" and "profile" check boxes.
- Enter your website URL as the "Callback URL" and "Sign out URL". Cognito accepts only https URLs here (apart from http://localhost); you will set up the website and obtain its URL in the section Create Registration Website.
- Click Save changes.
- Select "Domain Name" and type a domain prefix, then click Save changes. Choose a different name if the one you typed is already in use.
Next, create the identity pool that maps users of the user pool to IAM roles:
- Go to the Cognito console.
- Click Manage Identity Pools.
- Click Create new identity pool.
- Input an identity pool name. Leave "Enable access to unauthenticated identities" unchecked unless the website needs it; with it enabled, anyone who knows the pool ID can obtain credentials for the unauthenticated role without signing in.
- Under "Authentication providers" in the identity pool settings, select "Cognito". Type the user pool ID and the app client ID of "webapp" (both are shown on the user pool's settings page).
- Click Create Pool. While creating the identity pool, Cognito sets up two roles in Identity and Access Management (IAM), one for authenticated and one for unauthenticated identities, named in the format Cognito_<Identity_Pool_Name>Auth_Role and Cognito_<Identity_Pool_Name>Unauth_Role. Click View Details to see the roles and their policies on the console.
- Click Allow to create the roles.
A MySQL database in Amazon RDS stores the registration data: the account user name and the device thing name. To create it, follow the steps below:
- Go to the RDS console.
- Click Create database.
- Select Standard create and MySQL as the engine type.
- Select Free tier under Templates.
- Enter the Master password and Confirm password under Credentials Settings. Note the user name and password for the later Lambda configuration and keep them private; they are the only credentials guarding the registration table.
- Type a database name under Additional configuration and note it as well for the later configuration.
- Leave the other settings at their defaults. With the defaults the instance is not publicly accessible and uses the default VPC's default security group; the Lambda functions created in the next section are placed in the same VPC and security group, and the default security group allows traffic between its members, which is what lets them reach the database.
- Click the Create database button.
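How the register, get and delete operations of the Lambda functions in the next section should touch this table, as an added example rather than code from the supplied zip files. It uses an in-memory SQLite table as a stand-in for the MySQL instance (with pymysql against RDS the placeholders become %s), with a two-column layout assumed from the description above. The user name comes from the validated Cognito token, never from the request body, and every query is parameterised and scoped to that user, so one account cannot list or deregister another account's things and a thing name containing SQL is stored as data rather than executed.

```python
import sqlite3

# Assumed two-column layout: the page only says the table stores the account
# user name and the device thing name. A real deployment would use pymysql
# against the RDS instance with "%s" placeholders instead of "?".
SCHEMA = """
CREATE TABLE IF NOT EXISTS devices (
    username   TEXT NOT NULL,
    thing_name TEXT NOT NULL,
    PRIMARY KEY (username, thing_name)
);
"""


def open_demo_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def register_device(conn: sqlite3.Connection, username: str, thing_name: str) -> bool:
    """Register a thing for the caller. username must be the claim taken from the
    validated token (e.g. cognito:username), never a field of the request body."""
    try:
        with conn:
            conn.execute("INSERT INTO devices (username, thing_name) VALUES (?, ?)",
                         (username, thing_name))
        return True
    except sqlite3.IntegrityError:  # this user already registered this thing
        return False


def get_user_devices(conn: sqlite3.Connection, username: str) -> list:
    """Only the caller's own things are returned."""
    rows = conn.execute("SELECT thing_name FROM devices WHERE username = ? ORDER BY thing_name",
                        (username,))
    return [thing for (thing,) in rows]


def delete_user_device(conn: sqlite3.Connection, username: str, thing_name: str) -> int:
    """Deregister a thing; the WHERE clause scopes the delete to the caller, so the
    result is 0 when the thing belongs to someone else. Returns rows removed."""
    with conn:
        cur = conn.execute("DELETE FROM devices WHERE username = ? AND thing_name = ?",
                           (username, thing_name))
    return cur.rowcount


def demo() -> dict:
    """Constructed data: two users, one of them supplying a hostile thing name."""
    conn = open_demo_db()
    register_device(conn, "alice", "thing-0001")
    register_device(conn, "alice", "thing-0002")
    register_device(conn, "bob", "thing-0003")
    register_device(conn, "bob", "x'; DELETE FROM devices; --")  # stored verbatim, not executed
    return {
        "alice_sees": get_user_devices(conn, "alice"),
        "bob_deletes_alice": delete_user_device(conn, "bob", "thing-0001"),
        "alice_deletes_own": delete_user_device(conn, "alice", "thing-0001"),
        "bob_sees": get_user_devices(conn, "bob"),
        "duplicate": register_device(conn, "alice", "thing-0002"),
    }
```

The compound primary key doubles as the ownership check: a delete or select that does not include the caller's user name in its WHERE clause would let any authenticated user act on any thing name they can guess.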
Three Lambda functions handle device registration against the user's Cognito account: they register a device in the RDS database, delete devices from it, or fetch a user's device information from it.
Before creating the Lambda functions, create the policy that lets the Lambda execution role attach to the VPC:
- Go to the IAM console of your AWS account.
- Select Policies in the left panel and click the Create policy button.
- Select the JSON tab and paste the following policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "ec2:CreateNetworkInterface",
                    "ec2:DescribeInstances",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DeleteNetworkInterface",
                    "ec2:AttachNetworkInterface"
                ],
                "Resource": "*"
            }
        ]
    }
  These EC2 permissions let Lambda create and remove the elastic network interfaces of a VPC-attached function. The AWS managed policy AWSLambdaVPCAccessExecutionRole grants the permissions a VPC-attached function actually needs together with CloudWatch Logs access and can be attached instead.
- Click Next: Tags and then Next: Review.
- Enter the policy name "lambda_access_vpc_policy" and click Create policy.
- Go to the Lambda console of your AWS account (https://aws.amazon.com/lambda/).
- Click the Create function button.
- Select the function settings (the function is referred to as MCHPIOT-Test-registerdevice in the API Gateway routes later; the handler file lambda_function.py implies a Python runtime):
- Click the Create function button at the bottom.
- Go to the Configuration tab and select Environment variables. Set the variables USER_POOL_ID, USER_POOL_APP_CLIENT_ID, USER_POOL_REGION, DB_INSTANCE, DB_NAME, DB_USER_NAME and DB_PASSWORD (check the exact variable names against lambda_function.py).
  USER_POOL_ID is the Cognito user pool ID; you created the user pool in Chapter 3.1 Create Cognito User Pool And Identity Pool.
  USER_POOL_APP_CLIENT_ID is the ID of the user pool app client "webapp", created in the same chapter.
  USER_POOL_REGION is the region of the Cognito user pool.
  DB_INSTANCE is the RDS database instance name, DB_NAME is the database name, and DB_USER_NAME and DB_PASSWORD are the user name and password of the database; you set these values when creating the database in Chapter 3.2 Create RDS For Storing Registration Data. Environment variables are readable by anyone allowed to view the function configuration; to keep the database password out of it, store the password in AWS Secrets Manager and let the execution role read it at run time instead.
- Go to the Configuration tab, select Permissions and click the execution role name.
- Add the "lambda_access_vpc_policy" policy to the role.
- Go to the Configuration tab, select VPC and edit it: VPC = the default VPC, Subnets = the region b subnet (the private subnet defined in section Create NAT Gateway And Route table), Security groups = the default security group.
- Go to the Code tab, click Upload from > .zip file and upload the file mchpiot-registerdevice.zip located in \03_device_registration_system_setup\resources\software.
- Modify the keys variable defined in the function validateToken() in lambda_function.py. keys holds the JSON Web Key Set (JWKS) of your Cognito user pool, which validateToken() uses to verify the signature of the JWT issued by the user pool. Fetch your JWKS from https://cognito-idp.{region}.amazonaws.com/{cognito_userPoolId}/.well-known/jwks.json, for example https://cognito-idp.us-east-2.amazonaws.com/us-east-2_p4I1303Gm/.well-known/jwks.json (replace the pool ID with your own). A valid signature on its own is not sufficient: the function must also reject tokens whose iss is not your pool, whose aud (ID token) or client_id (access token) is not the "webapp" client ID, or whose exp has passed.
- Click the Deploy button in the Code source page.
- Create the second function, MCHPIOT-Test-getuserdevices (the name used in the API Gateway routes), in the same way as the first: go to the Lambda console (https://aws.amazon.com/lambda/), click Create function, select the same settings and click Create function at the bottom.
- Go to the Configuration tab and set the same environment variables as for the first function (USER_POOL_ID, USER_POOL_APP_CLIENT_ID, USER_POOL_REGION, DB_INSTANCE, DB_NAME, DB_USER_NAME and DB_PASSWORD; check the exact names against lambda_function.py) with the same values: the user pool ID, the "webapp" app client ID and the pool region from Chapter 3.1 Create Cognito User Pool And Identity Pool, and the instance name, database name and credentials from Chapter 3.2 Create RDS For Storing Registration Data.
- Under Configuration > Permissions, click the execution role name and add the "lambda_access_vpc_policy" policy to it.
- Under Configuration > VPC, select the default VPC, the region b subnet (the private subnet defined in section Create NAT Gateway And Route table) and the default security group, as for the first function.
- Go to the Code tab, click Upload from > .zip file and upload the file mchpiot-getuserdevices.zip located in \03_device_registration_system_setup\resources\software.
- Modify the keys variable in validateToken() in lambda_function.py to hold the JWKS of your Cognito user pool, fetched from https://cognito-idp.{region}.amazonaws.com/{cognito_userPoolId}/.well-known/jwks.json (for example https://cognito-idp.us-east-2.amazonaws.com/us-east-2_p4I1303Gm/.well-known/jwks.json, with your own pool ID), exactly as for the first function.
- Click the Deploy button in the Code source page.
- Create the third function, MCHPIOT-Test-deleteuserdevices (the name used in the API Gateway routes), in the same way: go to the Lambda console (https://aws.amazon.com/lambda/), click Create function, select the same settings and click Create function at the bottom.
- Go to the Configuration tab and set the same environment variables as for the first function (USER_POOL_ID, USER_POOL_APP_CLIENT_ID, USER_POOL_REGION, DB_INSTANCE, DB_NAME, DB_USER_NAME and DB_PASSWORD; check the exact names against lambda_function.py) with the same values: the user pool ID, the "webapp" app client ID and the pool region from Chapter 3.1 Create Cognito User Pool And Identity Pool, and the instance name, database name and credentials from Chapter 3.2 Create RDS For Storing Registration Data.
- Under Configuration > Permissions, click the execution role name and add the "lambda_access_vpc_policy" policy to it.
- Under Configuration > VPC, select the default VPC, the region b subnet (the private subnet defined in section Create NAT Gateway And Route table) and the default security group, as for the first function.
- Go to the Code tab, click Upload from > .zip file and upload the file mchpiot-deleteuserdevces.zip located in \03_device_registration_system_setup\resources\software.
- Modify the keys variable in validateToken() in lambda_function.py to hold the JWKS of your Cognito user pool, fetched from https://cognito-idp.{region}.amazonaws.com/{cognito_userPoolId}/.well-known/jwks.json (for example https://cognito-idp.us-east-2.amazonaws.com/us-east-2_p4I1303Gm/.well-known/jwks.json, with your own pool ID), exactly as for the first function.
- Click the Deploy button in the Code source page.
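The validation each of the three Lambda functions must perform on the incoming token, as an added example that is not the page's lambda_function.py or the project's code. It uses only the Python standard library so it runs offline: it generates a throwaway RSA key, publishes it in a JWKS document of the same shape as Cognito's jwks.json, and signs constructed ID tokens with it; the region, pool ID, client ID and issuer are assumed stand-ins, and the key generator is demo-grade. The checks are the ones AWS documents for Cognito tokens: the kid must match a JWKS key, the RS256 signature must verify, and exp, iss and aud (ID token) or client_id (access token) must match the pool and the app client.

```python
import base64, hashlib, hmac, json, random, time

# Constructed stand-ins for the Lambda's environment variables (assumptions, not real pool values).
REGION, USER_POOL_ID, APP_CLIENT_ID = "us-east-2", "us-east-2_EXAMPLE1", "1example23456789abcdefghijklmn"
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 v1.5 DigestInfo (RFC 8017 9.2)

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _probable_prime(n: int, rng: random.Random) -> bool:  # Miller-Rabin; demo-grade, not a production key generator
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)
    if n < 2 or any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(12):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_rsa_key(bits: int = 1024, seed: int = 7) -> tuple:  # deterministic demo key (n, e, d)
    rng, e = random.Random(seed), 65537
    def prime(b):  # odd candidates with the top bit set, until one passes Miller-Rabin
        return next(c for c in iter(lambda: rng.getrandbits(b) | (1 << (b - 1)) | 1, None) if _probable_prime(c, rng))
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:  # 00 01 FF..FF 00 || DigestInfo || SHA-256(message)
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(n: int, d: int, message: bytes) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(n: int, e: int, message: bytes, sig: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return len(sig) == k and hmac.compare_digest(recovered, _emsa_pkcs1_v15(message, k))

def make_jwks(n: int, e: int, kid: str) -> dict:  # same shape as the entries in Cognito's jwks.json
    enc = lambda v: b64url_encode(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kid": kid, "kty": "RSA", "alg": "RS256", "use": "sig", "n": enc(n), "e": enc(e)}]}

def make_token(n: int, d: int, kid: str, claims: dict) -> str:
    head = b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{head}.{body}." + b64url_encode(rsa_sign(n, d, f"{head}.{body}".encode()))

def validate_token(token: str, jwks: dict, client_id: str, issuer: str = ISSUER, now=None) -> dict:
    """Return the verified claims or raise ValueError; these are the checks AWS documents for Cognito tokens."""
    h_b64, p_b64, s_b64 = token.split(".")  # a token without exactly three segments raises ValueError here
    header = json.loads(b64url_decode(h_b64))
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if header.get("alg") != "RS256" or key is None:  # pin the algorithm; never let the token choose it
        raise ValueError("unknown kid or alg")
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    if not rsa_verify(n, e, f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    use = claims.get("token_use")  # ID tokens carry the client id in aud, access tokens in client_id
    checks = [(claims.get("exp", 0) > (int(time.time()) if now is None else now), "expired"),
              (claims.get("iss") == issuer, "wrong issuer"),
              (claims.get({"id": "aud", "access": "client_id"}.get(use)) == client_id, "wrong audience")]
    for ok, reason in checks:
        if not ok: raise ValueError(reason)
    return claims

def demo() -> dict:  # validator over constructed tokens: accepted user name, or the rejection reason
    (n, e, d), kid, now = make_rsa_key(), "demo-key-1", 1_700_000_000
    jwks = make_jwks(n, e, kid)
    good = {"cognito:username": "alice", "iss": ISSUER, "aud": APP_CLIENT_ID, "token_use": "id", "exp": now + 3600}
    def outcome(tok):
        try:
            return validate_token(tok, jwks, APP_CLIENT_ID, now=now)["cognito:username"]
        except ValueError as exc:
            return f"rejected: {exc}"
    head, _, sig = make_token(n, d, kid, good).split(".")  # keep a genuine signature, edit the claims
    forged_body = b64url_encode(json.dumps({**good, "cognito:username": "mallory"}).encode())
    return {"valid": outcome(make_token(n, d, kid, good)),
            "forged_payload": outcome(f"{head}.{forged_body}.{sig}"),
            "expired": outcome(make_token(n, d, kid, {**good, "exp": now - 1})),
            "other_client": outcome(make_token(n, d, kid, {**good, "aud": "another-app"})),
            "unknown_kid": outcome(make_token(n, d, "not-in-jwks", good))}
```

In the Lambda the JWKS comes from the pool's jwks.json (hardcoded, as the page does, or fetched once per cold start and cached) and the issuer and client ID are built from the USER_POOL_REGION, USER_POOL_ID and USER_POOL_APP_CLIENT_ID variables; the demo shows why the signature check alone is not enough, since a token that verifies but was issued for another app client or has expired is still rejected.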
A web page lets the user register devices. The page calls an HTTP API to manage device registration in the cloud, so you use Amazon API Gateway to create the HTTP API and connect its routes to the device registration Lambda functions. The routes below carry no API Gateway authorizer, so each Lambda function must validate the Cognito token itself (the validateToken() function in its lambda_function.py); an HTTP API JWT authorizer backed by the user pool can also be added to the routes so that unauthenticated requests are rejected before they reach the functions.
The table below shows the routes to create.
Method | Resource Path | Integrations | Usage |
---|---|---|---|
GET | mchpiot-deleteuserdevices | Lambda function: MCHPIOT-Test-deleteuserdevices | Deregister the device |
GET | mchpiot-getuserdevices | Lambda function: MCHPIOT-Test-getuserdevices | Get the registered device list |
POST | mchpiot-registerdevice | Lambda function: MCHPIOT-Test-registerdevice | Register the device |
Steps:
- Go to the Amazon API Gateway console.
- In the navigation pane, choose APIs.
- Click Create API.
- Choose HTTP API and click Build.
- Set a name for the API.
- Click Add integration to add the integrations; these are the backend services the API communicates with. According to the table above, three integrations are needed, all of them Lambda functions. The picture below shows the added integrations.
- Click Next.
- Configure the routes as in the picture below (method, resource path and integration from the table), then click Next.
- Keep the stage name as $default and click Next.
- Click Create.
- After the API is created, you can find its Invoke URL in the API details. Copy this URL; it is needed in the web page and in some of the Lambda functions.
You can use GitHub Pages to host the registration website. Setup steps:
- Create and log in to your GitHub account.
- Create a repository named "mchpiotcontrol" for the website code.
- Unzip website_code.zip to get the content of the website and make the following changes in index.html:
  - Search for and replace every occurrence of "https://xxxxxxx.execute-api.us-east-2.amazonaws.com" with your API Gateway Invoke URL (see Chapter 3.4 Create API Gateway, step 11).
  - Input the items below for the Cognito configuration:
- Upload all the website code to this repository.
- Go to the Settings of the repository and set the Source of GitHub Pages as shown in the picture below.
- Users can access the website at https://<GITHUB_ID>.github.io/mchpiotcontrol. This is the URL to enter as the Callback URL and Sign out URL of the "webapp" app client. Note that the repository and the page are public, so everything in index.html, including the API URL and the Cognito client configuration, is visible to anyone; only the token validation in the Lambda functions decides who may use the API.