I am setting up an IoT device using this library (https://github.com/odelot/aws-mqtt-websockets) to connect to the AWS IoT service. I have it working and it works well; however, I have a bit of a question about the device's use of an AWS user's secret key.
In order to set up the library, you create an IAM user with only IoT permissions, then generate a key and secret and load them onto the IoT device. The IoT device then uses that information to connect through the library to the AWS IoT MQTT service.
I was always taught to NEVER put a secret key onto a client-facing device. So, I am wondering:
- Is this secure / how so?
- Do I need to create a new IAM user for every account?
- Is this common practice?
- Would a service such as Cognito be better?
Nope, you don't put an IAM user's access key and secret key onto the end-user device. Never. And you don't create an IAM user for each IoT node either.
Instead, each AWS IoT device gets its own IoT credential files (created as part of the device registration). Not the IAM keys, but these IoT keys are what you upload to the device.
I believe there are 3 PEM files per device: certificate, private key and public key.
Hope that helps :)
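As an added example (not from the question, the answer or the linked library), this is the per-device registration flow the answer describes, done with the AWS CLI: one thing, one certificate with its key pair, and a policy that lets a certificate act only as the thing it is attached to. The region, account id, policy name, `devices/<thing>/...` topic prefix and output paths are assumed values; the CLI runs on the provisioning machine with operator credentials, and only the certificate and private key are copied to the device.

```shell
#!/usr/bin/env sh
# Added example: give one AWS IoT device its own X.509 certificate instead of
# IAM user keys. Needs the AWS CLI, run from the provisioning host (never on
# the device). Region, account id, policy name and topic prefix are assumed.
set -eu
# Policy scoped to whichever thing the connecting certificate is attached to:
# the MQTT client id must equal the thing name, and publish/subscribe is
# confined to devices/<thing-name>/... topics.
make_iot_policy() {
  region="$1"; account="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "iot:Connect",
      "Resource": "arn:aws:iot:${region}:${account}:client/\${iot:Connection.Thing.ThingName}",
      "Condition": { "Bool": { "iot:Connection.Thing.IsAttached": "true" } } },
    { "Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
      "Resource": "arn:aws:iot:${region}:${account}:topic/devices/\${iot:Connection.Thing.ThingName}/*" },
    { "Effect": "Allow", "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:${region}:${account}:topicfilter/devices/\${iot:Connection.Thing.ThingName}/*" }
  ]
}
EOF
}
# Register the thing, mint its key pair and certificate, attach the shared
# per-device policy, and bind the certificate to the thing. Only cert.pem and
# private.key (plus the Amazon root CA) are copied onto the device.
provision_device() {
  thing="$1"; region="$2"; account="$3"; outdir="$4"
  mkdir -p "$outdir"
  aws iot create-thing --thing-name "$thing" >/dev/null
  cert_arn=$(aws iot create-keys-and-certificate --set-as-active \
    --certificate-pem-outfile "$outdir/cert.pem" \
    --public-key-outfile "$outdir/public.key" \
    --private-key-outfile "$outdir/private.key" \
    --query certificateArn --output text)
  chmod 600 "$outdir/private.key"
  make_iot_policy "$region" "$account" > "$outdir/policy.json"
  aws iot create-policy --policy-name DevicePerThingPolicy \
    --policy-document "file://$outdir/policy.json" >/dev/null 2>&1 || true  # already exists
  aws iot attach-policy --policy-name DevicePerThingPolicy --target "$cert_arn"
  aws iot attach-thing-principal --thing-name "$thing" --principal "$cert_arn"
  echo "$cert_arn"
}
# Usage: ./provision.sh provision sensor-0042 us-east-1 123456789012 ./out
if [ "${1:-}" = "provision" ]; then provision_device "$2" "$3" "$4" "$5"; fi
```

Because the policy uses the `${iot:Connection.Thing.ThingName}` variable, the same policy document can be attached to every device certificate while each certificate still only reaches its own client id and topics.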