
IAM Access Keys

Ioto can automatically generate and distribute IAM access keys to devices so the device can interact with the Device Cloud or AWS services.

The IAM keys are temporary access keys that expire each hour. The Ioto agent will automatically refresh these keys as required.

Enabling IAM Keys

To enable generation of temporary IAM keys, set the keys property under services.cloud in the config.json5 agent configuration file to true.

{
    services: {
        cloud: {
            keys: true
        }
    }
}

When the keys property is set to true, the Ioto agent retrieves from your Device Cloud a set of temporary IAM credentials. These can be used to sign AWS API requests, either through the Ioto agent's aws APIs or with the AWS C API SDK.

These keys are automatically refreshed 20 minutes before they expire, so a key currently held by the agent can be relied upon to remain valid for at least 20 minutes.
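To make concrete what a device does with these credentials, here is an added example (not Ioto code) that signs an HTTP request with AWS Signature Version 4 using a temporary key set, including the session token that temporary credentials require, and a small check for the 20 minute refresh window. The credential values, the host and the function names are constructed for illustration.

```python
import hashlib
import hmac
import time
import urllib.parse

REFRESH_MARGIN = 20 * 60  # seconds; the agent refreshes this long before expiry

# Constructed placeholder credentials, not real keys.
SAMPLE_CREDS = {"accessKeyId": "ASIACONSTRUCTEDKEY", "secretAccessKey": "constructed-secret",
                "sessionToken": "constructed-session-token"}

def needs_refresh(expires_at, now):
    """True once a key (epoch seconds) is inside the refresh window this page describes."""
    return now >= expires_at - REFRESH_MARGIN

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_request(creds, method, url, region, service, body=b"", when=None):
    """Headers that sign a request with AWS SigV4 using temporary credentials.

    creds holds accessKeyId, secretAccessKey and sessionToken (on a device they come
    from the Ioto agent). Assumes the URL path needs no extra percent-encoding.
    """
    t = time.gmtime(time.time() if when is None else when)
    amz_date, date_stamp = time.strftime("%Y%m%dT%H%M%SZ", t), time.strftime("%Y%m%d", t)
    parts = urllib.parse.urlsplit(url)
    q = urllib.parse.quote
    query = "&".join(sorted(f"{q(k, safe='-_.~')}={q(v, safe='-_.~')}" for k, v in
                            urllib.parse.parse_qsl(parts.query, keep_blank_values=True)))
    payload_hash = hashlib.sha256(body).hexdigest()
    # Temporary credentials must send the session token, and it is covered by the signature.
    headers = {"host": parts.netloc, "x-amz-content-sha256": payload_hash,
               "x-amz-date": amz_date, "x-amz-security-token": creds["sessionToken"]}
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([method.upper(), parts.path or "/", query,
                                   canonical_headers, signed, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Signing key: HMAC chain over the date, region, service and terminator string.
    key = ("AWS4" + creds["secretAccessKey"]).encode()
    for step in (date_stamp, region, service, "aws4_request"):
        key = _hmac(key, step)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={creds['accessKeyId']}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers
```

Because the session token is one of the signed headers, a request signed with a stale key set fails verification rather than silently using the old identity, which is why refreshing inside the 20 minute margin matters.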

IAM Role

The generated keys are derived from the Device Cloud IAM role configured in your Device Cloud. This defaults to the IAM role named IotoDeviceAccess, but you can change it from the Builder Site to any custom role you choose.

You should follow the principle of least privilege: every privilege granted to your devices should be scoped to specific resources, and the role should grant access only to the AWS APIs that are absolutely required.