How to provision an IoT Device to Google Cloud IoT Core

provision-Devices-IoT-Core.md

Provisioning Devices to Google Cloud IoT Core

When deploying IoT devices on a global scale, many considerations have to be put in place. Remote accessibility, security, device management, simplicity, flow control, reliability, low latency, redundancy, integration with other cloud services represent some of the important considerations. To meet most of the requirements needed in deploying devices on a global scale, one has little or no option but to look to cloud platforms.

Google’s cloud platform provides Cloud IoT Core solution to meet the demands of secure and scalable IoT. Cloud IoT Core is a fully managed service to securely connect and manage a global device network. It features https/MQTT endpoints, automatic load balancing and global data access with Pub/Sub. Cloud IoT Core acts as a device manager and the integration with Pub/Sub enables IoT Core to also act as a communication broker. The use of Cloud IoT also ensures highway access to the rest of Google’s cloud platform.

To show off the simplicity of connecting a device to Cloud IoT Core, we are going to register a device on it, and use a sample to connect a virtual device and publish device telemetry events.

To begin;

• Select or create a new project on the Manage resources page in the GCP Console
  Manage resources page
• Ensure billing is enabled
  Learn how to enable billing
• Enable the Cloud IoT Core and Cloud Pub/Sub APIs
  Enable the APIs

Let’s go ahead and create a device registry – this is used to group a set of devices;

• Go to Google Cloud IoT Core page in the GCP Console
• Click Create a registry
• Enter my-registry for the Registry ID
• Select us-central1 for the Cloud Region
• Select MQTT for the Protocol
• In the Telemetry topic dropdown list, select Create a topic
• In the Create a topic dialog, enter my-device-events in the Name field
• Click Create in the Create a topic dialog
• Leave the other fields in their default state
• Click Create on the Cloud IoT Core page.

We just created a device registry with a Cloud Pub/Sub topic for publishing device telemetry events. Next, we add a device to the registry.

• Click Add device on the Registry Details page.
• Enter my-device for the Device ID
• Select Allow for Device communication
• Leave the other fields in their default state
• Click Add

Having just added a device to the registry, we shall be adding a public key to the device. In order to do this, we shall be making use of the Google Cloud Shell which comes with Cloud SDK and Node.js already installed. Click the Activate Cloud Shell button at the top of the Google Cloud Platform Console.

When the Cloud Shell starts, do the following:

• Run the multi-line command below to create an RS256 key

openssl req -x509 -newkey rsa:2048 -keyout rsa_private.pem -nodes -out rsa_cert.pem -subj "/CN=unused"

• Enter the command below to display the public key

cat rsa_cert.pem

• Copy the contents, ensure to include the lines that say

-----BEGIN CERTIFICATE-----to -----END CERTIFICATE-----

• On the Device details page for the device created in the preceding section, click Add public key
• Select RS256_X509 for the Public key format
• Paste your public key in the Public key value box
• Click Add

An RS256_X509 key appears on the Device details page for your device. At this point, we are homestretch, all that remains is to connect the device and start to view telemetry.

Let’s connect a virtual device and read messages published to the telemetry topic.

• In the Cloud Shell, run the command below to clone a repo from GitHub

git clone https://github.com/GoogleCloudPlatform/nodejs-docs-samples

• Navigate to the iot/mqtt_example

cd nodejs-docs-samples/iot/mqtt_example

• Copy rsa_private.pem to the current directory (iot/mqtt_example), with the following command

cp ../../../rsa_private.pem .

• Install Node.js dependencies

npm install

• Run the following command to create a subscription to the registry’s Pub/Sub topic, substituting your PROJECT_ID

gcloud pubsub subscriptions create \projects/PROJECT_ID/subscriptions/my-subscription --topic=projects/PROJECT_ID/topics/my-device-events

• Run the following command to connect the virtual device to Cloud IoT Core using MQTT protocol, substituting your PROJECT_ID and REGION

node cloudiot_mqtt_example_nodejs.js --projectId=PROJECT_ID --cloudRegion=REGION --registryId=my-registry --deviceId=my-device --privateKeyFile=rsa_private.pem --numMessages=25 --algorithm=RS256 --mqttBridgePort=443

• To read the messages published to the telemetry topic, substitute for your PROJECT_ID in the following

gcloud pubsub subscriptions pull --auto-ack \projects/PROJECT_ID/subscriptions/my-subscription

Once you run step 7 above, you should be able to see a similar output as the one below.

Congratulations! You have been able to connect a device to Cloud IoT Core and viewed telemetry data. Take out more time to explore more of Cloud IoT Core.

Hi, your tutorial is very good, and thanks for the good explanation.
but my question is, what if we have to distribute the hardware to the client?
In the case of multiple devices, will there be different private key-public key pair or the same?
Do we have to repeat the above process for all new devices? hardware?
is there any way to automate this?

For example, a real scenario will be that all the IoT device will be purchased by some third-party client,
what he wants is to authenticate and register a device with his own credentials so that it can only accept command sent by him and only receive data sent for him.

How can we achieve this.?

Currently, I have one set up for my own business.
I have my own oAuth server setup for hardware and software services.
Also, have an MQTT service running which is authenticated with same auth server with ACLs

So each client has to register on this companion server and then register the device by scanning a code on the device (with the help of companion app+server).
now the device only works in this client's userspace.

Can you explain the same thing in relation with Google IoT Cloud?
Although your title says it but you have not explained that part in it.

Hello bkrajenda, Cloud IoT Core has APIs for the purpose of automation. With the API, device registries with devices can be created and certificates can be added. When you generate the CA certificates, you can then use the API to add the registry-level certificates, while you copy the private key on the device. Check out the documentation on the Google Cloud IoT Core API

I understand its there, but there are many practical things here, which need to be explained somewhere. For ex:
How to copy these private keys on the device which will be sold to customers, before selling the device or after the device goes to the customer?
How is it possible to do a device registration after the device is sold to customer.?
How can we make this process plug and play for the customer?

I understand I am asking too much, but these are some practical questions and I think it will be better if these are there in the opensource domain.

I agree with bkrajendra.

How is it possible to do a device registration after the device is sold to customer.?

Yeah. If at all we have to mass produce a particular type of device, like say a smart bulb. Please let us know how to automate onboarding process of these multiple devices in a particular registry in IoT core.
How do we add each device in a registry automatically or tell us if it can happen automatically when a registered user connects to that new device which may help us in limiting over production of devices?
how to add private key to the device automatically?
how to send the key to a user for registering/provisioning a device without QR codes just by using any communication protocols like softAP or BLE?
Please comment your response.

To do automatic provisioning for mass produced devices to customers, I usually include a bootstrap certificate in the golden image of the device. A golden image is a production OS burnt to devices. The bootstrap certificate is a certificate shared with a constrained policy that provides access only to the cloud resource responsible for provisioning. A provisioning script (a script that runs on the device on first boot) provides the bootstrap certificate to the provisioning server, along with any other authenticating information (I mostly use the device serial number gotten during the production of the device). The provisioning server validates the bootstrap certificate, looks up the serial number in a database to ascertain the device, and then generates and transfers a unique certificate to the device for access to the required resources on the cloud service.
Please note that I use the term provisioning server to abstract away google cloud iot core. So that the concept can be cloud provider agnostic.
@balasubrahmanyasharmavedam @ben700 @bkrajendra

@ajudges, thanks for the explanation.
Exactly the same thing I learned recently while I was developing a device for government remote monitoring.
I got this understanding from their documentation about the bootstrap certificate and provisioning server.

Thanks for the reply, as sometimes even if we have knowledge about a concept, getting confirmation from other developers makes our understanding about it more strong and clear.

I have something might help, contact me privately

cy that provides access only to the cloud resource responsible for provisioning. A provisioning script (a script that runs on the device on first boot) provides the bootstrap certificate to the provisioning server, along with any other authenticating information (I mostly use the device serial number gotten during the production of the device). The provisioning server validates the bootstrap certificate, looks up the serial number in a database to ascertain the device, and then generates and transfers a unique certificate to the device for access to the required resources on the cloud service.
Please note that I use the term provisioning server to abstract away google cloud iot core. So that the concept can be cloud provid

Is there a code example of doing this somewhere? Complete newbie here and the docs are overwhelming and confusing. I'm starting to understand a little bit but more examples of how to deploy real world products would help speed my learning.

You can ask me privately

benslittlebitsandbobs@gmail.com

I've got an example but not from the device, from the script loading firmware to device chipId = ESP8266ROM.chip_id(ESPLoader.detect_chip()) def createDevice(): //create the keys cmd = "openssl ecparam -genkey -name prime256v1 -noout -out " + homeDir + "/.ssh/droneKeys/" + devicePrivateKey os.system(cmd) cmd = "openssl ec -in " + homeDir + "/.ssh/droneKeys/" + devicePrivateKey + " -pubout -out " + homeDir + "/.ssh/droneKeys/" + devicePublicKey os.system(cmd) cmd = "openssl ec -in " + homeDir + "/.ssh/droneKeys/" + devicePrivateKey + " -outform der -out " + homeDir + "/.ssh/droneKeys/" + devicePrivateKeyDer os.system(cmd) cmd = "openssl req -new -sha256 -key " + homeDir + "/.ssh/droneKeys/" + devicePrivateKey + " -out " + homeDir + "/.ssh/droneKeys/" + devicePrivateKeyCsr + " -subj '/CN=unused'" os.system(cmd) //save the keys cmd = "cp " + homeDir + "/.ssh/droneKeys/" + devicePrivateKeyDer + " " + privateKeyFilePath os.system(cmd) cmd = "cp " + homeDir + "/.ssh/droneKeys/" + devicePublicKey + " " + publicKeyFilePath os.system(cmd) //create the device on GCP cmd = homeDir + "/google-cloud-sdk/bin/gcloud config set project " + gcloudProject os.system(cmd) cmd = homeDir + "/google-cloud-sdk/bin/gcloud iot devices create " + deviceName +" --region="+droneRegion+" --registry="+droneRegistry+" --public-key path=" + publicKeyFilePath + ",type=es256" os.system(cmd) //create a QR code for user to scan and link account to device after purchase count = len(open(publicKeyFilePath).readlines( )) f = open(publicKeyFilePath, "r") head = f.readline() key ="" i=2 while i<count: key += f.readline().strip().replace("+","%2B") i = i +1 url = "https://chart.googleapis.com/chart?cht=qr&chs=400x400&chl={\"serial_number\":\"" + deviceName url += "\",\"type\":\"" + namePrefix url += "\",\"public_key\":\"" + key + "\"}" urllib.request.urlretrieve(url, qRFilePath ) cmd = "cp " + qRFilePath + " ~/.ssh/droneKeys/" + deviceQRFilePath os.system(cmd)

…

On Tue, 20 Jul 2021 at 20:25, Baltimore Hackerspace < ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ cy that provides access only to the cloud resource responsible for provisioning. A provisioning script (a script that runs on the device on first boot) provides the bootstrap certificate to the provisioning server, along with any other authenticating information (I mostly use the device serial number gotten during the production of the device). The provisioning server validates the bootstrap certificate, looks up the serial number in a database to ascertain the device, and then generates and transfers a unique certificate to the device for access to the required resources on the cloud service. Please note that I use the term provisioning server to abstract away google cloud iot core. So that the concept can be cloud provid Is there a code example of doing this somewhere? Complete newbie here and the docs are overwhelming and confusing. I'm starting to understand a little bit but more examples of how to deploy real world products would help speed my learning. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <https://gist.github.com/74b1bb96b928befa6986c0f35a5b2d52#gistcomment-3821060>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA5Z552CII6YZ2SMYRDHKGLTYXETFANCNFSM4HJ23UCA> .