如何授予对 1000 (100,000) 个远程部署设备(客户站点服务器)的访问权限以将日志上传到 aws kinesis?
[英]How do I give access to 1000's (100,000) of remote deployed devices (customer site servers) to upload logs to aws kinesis?
问题描述
There are close to 100,000 devices that are generating logs (total of 10-20 TB a day) which I would like them to directly upload to kinesis.
有近 100,000 台设备正在生成日志(每天总计 10-20 TB),我希望它们直接上传到 kinesis。 How do I control access?如何控制访问? IAM only lets me create a max of 1000 users per account (I know we can request user limit increase), but would like to know what is a better way to do this. IAM 只允许我为每个账户创建最多 1000 个用户(我知道我们可以请求增加用户限制),但想知道有什么更好的方法来做到这一点。
One requirement is, I would like to be able to grant/revoke access to kinesis per device.一个要求是,我希望能够授予/撤销对每台设备的 kinesis 访问权限。
1 个解决方案
解决方案1
0 2021-04-22 22:39:25
Since you have IoT Core already, I think that I would first try to leverage it for logging.由于您已经拥有 IoT Core,我想我会首先尝试利用它进行日志记录。 This will let you take advantage of the certificate-based authorization that's built-in to IoT core, and I know that you can hook an IoT topic into a Kinesis stream.这将使您能够利用内置于 IoT 核心的基于证书的授权,而且我知道您可以将 IoT 主题挂接到 Kinesis stream 中。
If you feel that this would be too much volume (and perhaps too expensive based on the number of messages and rules), then I'd provide my devices with temporary security credentials that let them write to Kinesis and nothing else.如果您觉得这将是太大的容量(并且基于消息和规则的数量可能太昂贵),那么我会为我的设备提供临时安全凭证,让它们写入 Kinesis 而不是其他任何东西。
You would generate these credentials on a per-device basis (as far as I can tell, there are no quotas on the number of credentials per account), using a scheduled job, either in Lambda or on ECS.您将在 Lambda 或 ECS 中使用计划作业,在每个设备的基础上生成这些凭据(据我所知,每个帐户的凭据数量没有配额)。 This job would iterate through your devices and generate a set of credentials for each.这项工作将遍历您的设备并为每个设备生成一组凭据。 It would then either publish these credentials to the device via IoT Core, or update the device shadow.然后,它将通过 IoT Core 将这些凭据发布到设备,或更新设备影子。
The device could then use these credentials to create a Kinesis client to publish log messages.然后,设备可以使用这些凭据创建 Kinesis 客户端来发布日志消息。 Your client would have to create a new client whenever it receives new credentials.您的客户端在收到新凭据时必须创建一个新客户端。
As an alternative, if your devices maintain logfiles internally, you could use a similar approach to trigger uploading those files to S3.作为替代方案,如果您的设备在内部维护日志文件,您可以使用类似的方法来触发将这些文件上传到 S3。 In that case, rather than publishing temporary credentials, the scheduled task would publish a pre-signed URL for each device.在这种情况下,计划任务不会发布临时凭证,而是为每个设备发布预签名的 URL 。 It would publish the URL to the device, and the device would use that to upload its accumulated logs.它将 URL 发布到设备,设备将使用它来上传其累积的日志。 Then you'd need something to do something with the files on S3.然后你需要对 S3 上的文件做一些事情。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.