Cloud IoT Provisioning with Google Cloud
Note: Google has issued a deprecation notice for the Cloud IoT service, which is scheduled to shut down in August 2023. Balena's provisioning support for GCP IoT Core will not receive further updates. See ClearBlade-GCP for a replacement service.
The Google Cloud (GCP) IoT platform provides a valuable suite of services to collect, store, and distribute IoT data and actions. Its IoT Core service is the portal for registration and messaging with Internet-connected things. We want to make it easy for balena devices to register and interact with IoT Core.
Our IoT provisioning tools automate device registration to GCP IoT Core, and leverage balenaCloud and environment variables to store and access the registration credentials. This guide shows you how provisioning works and gets you started with the tools in the gcp-iot-provision repository.
How It Works
Provisioning includes three components:
- A service container, such as the Cloud Relay block, on the device to request provisioning and use the credential environment variables from balenaCloud
- A Cloud function, triggered by an HTTP request, to securely validate device identity and register the device with IoT Core (source code)
- balenaCloud to accept and store the generated key/certificate credentials for the device
The cloud function first validates the device UUID in the provision request with balenaCloud. Then it generates a public/private key pair and registers the device with the IoT Core service. The function then provides the generated credentials to balenaCloud, which stores and pushes them to the device as environment variables for use by the service container.
In addition to registration, the Cloud Relay block makes it easy to send data to Google Cloud. It integrates with balena's block ecosystem for application development and messaging, so you only need to send your data to an MQTT container on the device, and the block handles all of the interaction with IoT Core.
Note: A service container like Cloud Relay on the device is not required to send the provisioning request. You may call the cloud function HTTP endpoint from your compute infrastructure to pre-generate the key/certificate for the cloud. However, the device must be registered already with balenaCloud.
The tools described here automate per-device integration with Google Cloud. However, first you must complete some initial one-time configuration on your GCP account. See the GCP setup section of the provisioning repo documentation for details.
Create, Deploy, and Test Cloud function
The provisioning tools set up the Cloud function itself as well as a provision HTTP endpoint to request provisioning based on a device's UUID. The workspace setup section of the documentation walks you through creation of this Cloud function and HTTP endpoint, including:
- configuration of the tools for testing and deployment
- testing the function locally
- deployment to GCP and end-to-end testing
The result is a functioning HTTP endpoint on GCP, ready for provisioning requests.
Try a Tutorial
We created a blog post tutorial on device provisioning with AWS IoT and the use of the Cloud Relay block to send system metrics data. The tutorial also shows how to route data sent to IoT Core on to CloudWatch for graphing.