Soracom Krypton API for Provisioning AWS IoT Devices with x.509 Credentials

IoT devices, abstract, image by Adobe stock

In this blog, I’m going to show you how to use Soracom Krypton, our device provisioning tool, for bootstrapping. We’ll also learn how to invoke an API in AWS IoT to generate a registration of IoT things and request x.509 provisioning credentials. 

When using Soracom Krypton, your device must first be authenticated in order to secure the provisioning process. Krypton works with several authentication methods and I’m going to show you how to use Soracom Air for cellular to do this. 

Communications between the IoT device and Krypton is secured using SIM authentication and cellular connectivity with Soracom Air. Calls to Krypton’s Provisioning APIs are made over the encrypted cellular connection. Krypton receives the provisioning request and forwards the request to the IoT Service Provider (i.e AWS IoT). Once the Service provider returns credentials to Krypton, the credentials are delivered to the device as an API response.

Soracom Krypton diagram

I’m going to create and use a virtual SIM (vSIM) with a curl command from my Mac desktop. Check out our guide explaining how to set up Soracom ARC with Wireguard before attempting to do this. 

Once this has been set up, the device can then request credentials and receive them in order to begin accessing cloud services via AWS IoT.

Log in to the AWS Management Console from the Services menu, then open the IoT Core dashboard. 

Create an AWS IoT Policy

Click the secure section, then select the Policies screen and click the Create button. I named mine Marks_IoT_Policy. 

This policy is to allow all messages to pass for IoT testing. You may want to limit and filter it for future production environments. Follow the “Create a policy” wizard to configure the device policy your devices should receive when connecting with AWS IoT.

Once the policy has been created, it should show up in the AWS IoT Core dashboard in the list of policies. Note the policy name, as it is required when configuring Krypton

Creating a Group

Now create a group for your newly created things and attach it to your newly created policy.

You are now ready to set up the AWS IoT API to accept requests from Soracom Krypton. 

In order to enable IoT integration, your IAM account must be configured to provide Krypton with programmatic access to AWS IoT. This process only needs to be performed once, and involves the following steps:

  • Create an IAM User account with access to AWS IoT, and generate an Access key ID and Secret access key credential set.
  • Register the credential set on Soracom and configure Krypton.
  • Click the Users section, then click the ‘Add user ‘button.
  • Enter a User name, and enable Programmatic access. Then click the Next: Permissions button.
  • Under the ‘Set permission’ section, click ‘Attach existing policies’ directly.
  • Attach a policy that enables certificate generation.
  • Click the ‘Create policy’ button. A dialog box will pop up.
  • In the create a policy wizard, click ‘Choose a service,’ then search for and select the IoT service of your preference.

Review and Attach Policies to your IAM User

To attach a policy that enables device registration:

Search for the policy ‘AWSIoTThingsRegistration policy’ and click it to attach it to the new user.

Attach a policy that enables the creation of keys:

Search for the policy, ‘AWSIoTCreateKeysAndCertificate’, and click it to attach it to the new user.

You have now added the policy to perform the needed functions in AWS IoT.

Configuring Soracom Krypton

Once your AWS account has been configured using the above steps, you should have the following information:

  • AWS IoT Thing Policy name
  • IAM user Access key ID and Secret access key  

You can then use this information to configure Krypton following the instructions for integrating Krypton with AWS IoT.

Once Krypton has been configured, your devices can begin using its provisioning service.

Soracom Krypton screen shit


Set up and test your connectivity via ARC otherwise, if you are using Soracom Air you should already be connected to the network. Try pinging the Soracom network

We should get a response to the ping proving we are connected to the Soracom network.

Let’s use the following curl script to test if we can create a thing in AWS IoT and retrieve the x.509 credentials.

curl -X POST -H ‘content-type: application/json’

Success! We have received the x.509 credentials and a new IoT Thing was created in AWS IoT, as shown below. 

Soracom Krypton screen shot


Do you have questions about an IoT project? Speak with one of our experts today to learn how Soracom has helped more than 20,000 innovators deploy, scale, and secure their IoT projects.