RickMandrey-6200 asked SatishBoddu-MSFT commented

help creating SAS tokens

124692-brx-azure-connection-guide.pdf
The questions below relate to the instructions provided in the .pdf document. I know it's a long read, but I could really use some help connecting a BRX PLC to Azure. I've got most of it done, just need help with creating the SAS tokens.

I believe I need to run the python script twice, once for the DPS SAS token, and again for the Device SAS token, but with different parameters, correct?

For the DPS SAS token, does this (124732-reg1.png) refer to the Registration ID mentioned on page 1?

When creating the Device SAS token my output has a text string on the end that the example does not have.


124703-devicesastkn1.png 124731-devicesastkn2.png

Should I just delete this?


azure-iot

1 Answer

SatishBoddu-MSFT answered SatishBoddu-MSFT commented

Hello @RickMandrey-6200 Thanks for posting this interesting device usage with Azure DPS.

**Question**: For the DPS SAS token, does this refer to the Registration ID mentioned on page 1?

Answer: This is hardcoded to ‘registration’. See below for the full explanation.

The below is courtesy of Steve Busy's blog reference, which I always keep handy.

    uri = '[resource_uri]'
    key = '[device_key]'
    expiry = [expiry_in_seconds]
    policy = '[policy]'

[resource_uri] – this is the URI of the resource you are trying to reach with this token. For DPS, it is of the form ‘`[dps_scope_id]/registrations/[dps_registration_id]`’,

[dps_scope_id] is the scope id associated with your DPS instance, found on the overview blade of your DPS instance in the Azure portal, and

[dps_registration_id] is the registration_id you want to use for your device. It will be whatever you specified in an individual enrollment in DPS, or can be anything you want in a group enrollment as long as it is unique. Frequently used ideas here are combinations of serial numbers, MAC addresses, GUIDs, etc.

[device_key] is the device key associated with your device. This is either the one specified or auto-generated for you in an individual enrollment, or a derived key for group enrollment, as explained a little further below.

[expiry_in_seconds] the validity period of this SAS token in sec… ok, not going to insult your intelligence here.

[policy] the policy with which the key above is associated. For DPS device registration, this is hardcoded to ‘registration’.


Documentation to refer: https://docs.microsoft.com/en-us/azure/iot-dps/concepts-symmetric-key-attestation?tabs=windows#detailed-attestation-process
Security token structure

Very detail-oriented, helpful blog: Azure IoT Device Provisioning Service via REST – part 1 & 2 (azure-iot-device-provisioning-service-via-rest-part-1)

**Question**: When creating the Device SAS token my output has a text string on the end that the example does not have.
Answer: A sample result would look like this. Please refer to the official documentation. Please follow the above documentation or the blog to generate the SAS token and let us know in the comment section.


125173-image.png


Updated: 9/2/2021

VS Code editor.

128838-image.png

    from base64 import b64encode, b64decode
    from hashlib import sha256
    from time import time
    from urllib import parse
    from hmac import HMAC

    def generate_sas_token(uri, key, policy_name, expiry=3600):
        # Absolute expiry time (seconds since the epoch)
        ttl = time() + expiry
        # String to sign: URL-encoded resource URI, newline, expiry
        sign_key = "%s\n%d" % ((parse.quote_plus(uri)), int(ttl))
        # HMAC-SHA256 over the string to sign, keyed with the base64-decoded key
        signature = b64encode(HMAC(b64decode(key), sign_key.encode('utf-8'), sha256).digest())

        rawtoken = {
            'sr' :  uri,
            'sig': signature,
            'se' : str(int(ttl))
        }

        # skn is added only when a policy name is supplied
        if policy_name is not None:
            rawtoken['skn'] = policy_name

        return 'SharedAccessSignature ' + parse.urlencode(rawtoken)

    IoTHubName="saboddwesteuroiothub"
    deviceID="mytestdevice"

    resource_uri = IoTHubName + ".azure-devices.net" + "/" + "devices" + "/" + deviceID
    # Not passed to generate_sas_token below
    policy_name = "iothubowner"

    uri = resource_uri
    key = "a5IfrGNsiszLC7jNHD2n35vP3sW6ertyuiopkjgdscvnmozOtUDTtevlNlg=="
    expiry = 3600
    # None, not the string "None": a string here would be emitted as skn=None
    policy = None

    print (generate_sas_token(uri, key, policy, expiry))

Please comment in the below section if you need further help in this matter.
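
The DPS case that the parameter list above describes (resource URI `[dps_scope_id]/registrations/[dps_registration_id]`, policy `registration`, a derived key for group enrollment), as an added example that is not part of the original answer or of the blog it quotes. The scope ID, registration ID and group key are constructed sample values and the function names are chosen here; the token is also parsed and verified so the resulting fields can be checked.

```python
import base64, hashlib, hmac, time
from urllib import parse

# Constructed sample values (assumptions, not from a real DPS instance).
SCOPE_ID = "0ne00000000"
REGISTRATION_ID = "brx-plc-001"
GROUP_KEY = base64.b64encode(b"constructed-group-enrollment-key").decode("ascii")

def _sign(key_b64, message):
    """Base64(HMAC-SHA256(base64-decoded key, message))."""
    mac = hmac.new(base64.b64decode(key_b64), message.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")

def derive_device_key(group_key_b64, registration_id):
    """Group enrollment: the device key is the registration ID signed with the group key."""
    return _sign(group_key_b64, registration_id)

def dps_sas_token(scope_id, registration_id, device_key_b64, ttl=3600, now=None):
    """DPS registration token: sr is scope/registrations/id, skn is 'registration'."""
    resource_uri = f"{scope_id}/registrations/{registration_id}"
    expiry = int((time.time() if now is None else now) + ttl)
    sig = _sign(device_key_b64, f"{parse.quote_plus(resource_uri)}\n{expiry}")
    fields = {"sr": resource_uri, "sig": sig, "se": str(expiry), "skn": "registration"}
    return "SharedAccessSignature " + parse.urlencode(fields)

def parse_sas_token(token):
    """Split a token back into its decoded sr/sig/se/skn fields."""
    scheme, _, query = token.partition(" ")
    if scheme != "SharedAccessSignature":
        raise ValueError("not a SAS token")
    return {k: v[0] for k, v in parse.parse_qs(query, strict_parsing=True).items()}

def verify_sas_token(token, device_key_b64, now=None):
    """Recompute the signature from sr and se, and reject expired tokens."""
    f = parse_sas_token(token)
    expected = _sign(device_key_b64, f"{parse.quote_plus(f['sr'])}\n{f['se']}")
    not_expired = int(f["se"]) > (time.time() if now is None else now)
    return not_expired and hmac.compare_digest(expected, f["sig"])

if __name__ == "__main__":
    device_key = derive_device_key(GROUP_KEY, REGISTRATION_ID)
    token = dps_sas_token(SCOPE_ID, REGISTRATION_ID, device_key)
    print(token)
    print(parse_sas_token(token))
    print("valid:", verify_sas_token(token, device_key))
```

For an individual enrollment, skip `derive_device_key` and pass the enrollment's own key to `dps_sas_token`.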




Thank you for your prompt, detailed response. (125426-brx-azure-connection-guide.pdf)


Unfortunately I’m not a programmer by trade, and am struggling to learn as I go.

Referencing the attached document, pages 2-4 reference a Python program used to create the DPS SAS Token. I downloaded the most recent version of Python, and was able to get some output, but I don’t believe it’s correct, and am confused by the inputs that generate it. Page 13 also requires using the Python program, AND provides details for the inputs and an example, PERFECT! Something like this for the DPS SAS token would be super helpful!

I’ve been reviewing the documentation on the Microsoft website, but could really use some help creating the DPS SAS token.

Regarding the Python program described on pg 3-4. Am I supposed to edit (I'm quite certain I am, just confirming)
125442-uri.png 125432-uri2.png

I don't understand the URI pieces "scopeId/registrations/registrationId". Where would I go to find them? How should they be entered into this Python program?

I still have no idea what the policy is. You previously answered "this is hardcoded to ‘registration’", but I don't understand what you mean.

Thanks again for all your prior help, and any additional help you can provide.



Hello @RickMandrey-6200 Sorry for the delayed response. I have updated my Answer with the Python code to generate the SAS token.

Please refer to the above answer and make use of the Python code in any of your code editors like VS code and generate the SAS token.

Please let me know if you need further help in this matter.
