Serverless Certificate Vending Machine

Based on awslabs/aws-iot-certificate-vending-machine; this deployment uses the Serverless Framework instead.

Serverless Certificate Vending Machine is a pattern for managing AWS IoT Devices in a secure and repeatable way. Learn how to deploy your own CVM and onboard new devices.


Setup Serverless

npm install -g serverless
serverless config credentials --provider aws --key <ACCESS KEY ID> --secret <SECRET KEY>


serverless plugin install -n serverless-pseudo-parameters

Add the following to the serverless.yml file

  - serverless-pseudo-parameters

Env File

Create a copy of env.yml.sample as env.yml and update the IOT_DATA_ENDPOINT variable with the endpoint address returned by the following command

aws iot describe-endpoint --endpoint-type iot:Data-ATS

# {
#     "endpointAddress": ""
# }


npm install
serverless deploy

# api keys:
#   None
# endpoints:
#   GET -
#   ANY -
# functions:
#   cvm: serverless-cvm-dev-cvm
# layers:
#   None

Create Device

Replace the sample device token below with something secure, then add a new entry to the DB

aws dynamodb put-item \
  --table-name iot-cvm-device-info \
  --item '{"deviceToken":{"S":"1234567890"},"serialNumber":{"S":"devopstar-iot-01"}}'

Retrieve Certificates

Run the following command to generate the certificate files from the JSON received in the response.

Note: You'll need jq installed for this

./ ""

This should create your certs in the following files based on the json keys

  • iot-certificate.pem.crt: certificatePem
  • iot-private.pem.key: keyPair.PrivateKey
  • iot-root-ca.crt: RootCA
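
The split described above can also be done without jq. The following Python sketch is an added example, not the script from this repository: it validates the whole response before writing anything, so an error body or partial response never leaves a half-provisioned device, and it creates each file readable by the owner only. The function names and the sample response are assumptions constructed for illustration; only the JSON keys and file names come from the list above.

```python
import json
import os
import tempfile

# Output file -> JSON key path, exactly as listed in this README.
OUTPUTS = {
    "iot-certificate.pem.crt": ("certificatePem",),
    "iot-private.pem.key": ("keyPair", "PrivateKey"),
    "iot-root-ca.crt": ("RootCA",),
}

# Constructed sample response: the PEM bodies are placeholders, not real keys.
SAMPLE_RESPONSE = json.dumps({
    "certificatePem": "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n",
    "keyPair": {"PrivateKey": "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"},
    "RootCA": "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n",
})


def extract_pem(doc, path):
    """Walk the key path and insist the value looks like PEM text."""
    name = ".".join(path)
    for key in path:
        if not isinstance(doc, dict) or key not in doc:
            raise ValueError("response is missing " + name)
        doc = doc[key]
    if not isinstance(doc, str) or not doc.lstrip().startswith("-----BEGIN "):
        raise ValueError(name + " is not PEM text")
    return doc if doc.endswith("\n") else doc + "\n"


def write_credentials(response_text, out_dir):
    """Validate every field first, then write each file readable by the owner only."""
    doc = json.loads(response_text)
    material = {name: extract_pem(doc, path) for name, path in OUTPUTS.items()}
    written = {}
    for name, pem in material.items():
        target = os.path.join(out_dir, name)
        fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as handle:
            os.fchmod(fd, 0o600)  # also tightens a file that already existed
            handle.write(pem)
        written[name] = target
    return written


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, path in write_credentials(SAMPLE_RESPONSE, tmp).items():
            print(name, oct(os.stat(path).st_mode & 0o777))
```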

Shadow State

PUT Shadow State

curl \
  -d '{"deviceAttribute":"CVM"}' \
  -X PUT ""

GET Shadow State

curl -X GET ""
