Scaleway Elements IoT Hub - Devices

IoT Hub Devices - Overview

A Device is a representation of a device or program that is connected to the cloud. Through a Hub, it exchanges messages with other Devices and cloud services.

Devices and their Hub use the MQTT protocol to send and receive messages.

The Hub provides per-device usage metrics; see this page for more information.

Identification and Security

Each Device has a unique identifier (Device ID) that is used both for API calls and for MQTT connections. Your MQTT clients should use it as the MQTT Username. You can use it as the MQTT Client ID instead, but this option is now deprecated and we do not recommend it for new applications.

By default, you can only open a single connection per Device. Opening a second one with the same credentials terminates the first, so you will notice if your device credentials are used by another MQTT client. If you want multiple MQTT clients to share the same credentials, you can turn on the allow multiple connections setting for a Device (not available on Shared plan Hubs).

The Device ID therefore provides a very crude way of authenticating a device, which should not be considered secure. To establish a secure connection, a Device must connect using mutual TLS authentication.

To secure the communication between a Hub and a Device, the MQTT connection may be protected by mutual TLS.

Any Device can use mutual-TLS to connect, but it is possible to enforce it: this is the Allow/Deny Insecure toggle.

Connection modes

  • Mutual-authentication TLS
    This is the strongest security for a Device. The connection is encrypted with TLS, and during the handshake the Hub will verify the identity of the Device, and the Device the identity of the Hub.

    For that two-way verification to occur, the client must possess the Device’s certificate and private key, which are displayed only once at the creation of the Device (Scaleway does not store them). It must also possess the certificate authority of the Hub, which can be downloaded from the Hub overview.

    If the Device is configured as Deny Insecure connection, it must connect in this mode.
    If the Device is configured as Allow Insecure connection, it may connect in this mode.

  • Server-authentication TLS
    This mode offers an intermediate level of security. The connection is still encrypted, but only the Device verifies the identity of the Hub, not the other way around.
    For that one-way verification to occur, the physical device only needs to possess the certificate authority of the Hub.

    If the Device is configured as Deny Insecure connection, it cannot connect in this mode.
    If the Device is configured as Allow Insecure connection, it may connect in this mode.

  • Plain
    This mode offers no security. The connection is neither encrypted nor authenticated, and is therefore vulnerable to attacks.

    If the Device is configured as Deny Insecure connection, it cannot connect in this mode.
    If the Device is configured as Allow Insecure connection, it may connect in this mode.
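The client-side material each mode needs can be made explicit in code. The following is an added example, not Scaleway code: it builds the Python `ssl` context for each of the three modes and fails early when the mode would be refused by a Deny Insecure Device. The function name, the mode names and the file names are assumptions.

```python
import ssl

def client_tls_context(mode, hub_ca=None, device_cert=None, device_key=None,
                       deny_insecure=False):
    """Return the ssl.SSLContext for a connection mode, or None for 'plain'.

    mode: 'mutual', 'server' or 'plain' (names chosen for this example).
    hub_ca: path to the Hub certificate authority file (PEM).
    device_cert / device_key: paths to the Device certificate and private key.
    deny_insecure: mirror of the Device's Allow/Deny Insecure setting.
    """
    if mode not in ("mutual", "server", "plain"):
        raise ValueError(f"unknown connection mode: {mode!r}")
    # A Deny Insecure Device only accepts mutual TLS, so refuse locally
    # instead of attempting a connection the Hub will reject.
    if deny_insecure and mode != "mutual":
        raise ValueError("Device is Deny Insecure: mutual TLS is required")
    if mode == "plain":
        return None  # no encryption and no authentication
    if hub_ca is None:
        raise ValueError("TLS modes need the Hub certificate authority")
    if mode == "mutual" and (device_cert is None or device_key is None):
        raise ValueError("mutual TLS needs the Device certificate and key")

    # Passing cafile means only the Hub CA is trusted; the system root
    # store is not loaded. Certificate and hostname checks stay enabled.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=hub_ca)
    if mode == "mutual":
        # Present the Device certificate so the Hub can verify the client.
        ctx.load_cert_chain(certfile=device_cert, keyfile=device_key)
    return ctx

if __name__ == "__main__":
    # Placeholder file names; use the files saved when the Device was created.
    ctx = client_tls_context("mutual", "hub-ca.pem", "device.crt", "device.key",
                             deny_insecure=True)
    print(ctx.verify_mode, ctx.check_hostname)
```

The returned context can be handed to an MQTT client library that accepts an `ssl.SSLContext`.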

Message filters

Message filters allow you to control which topics a device can publish and subscribe to. There is a publish filter and a subscribe filter, and each filter operates independently.

You can either accept topics in the list (and reject others) or reject topics in the list (and accept others). Topics in the lists may contain MQTT wildcards. You can type in as many topics as you want, one topic per line.

Publishing/subscribing to a forbidden topic will get the device disconnected. Subscribing using a wildcard matching a forbidden topic will also get the device disconnected.

The default filter is to Reject no topic, thus accepting all topics. Note that this is not equivalent to “Accept #”, because the MQTT ‘#’ wildcard excludes topics starting with ‘$’, as per the MQTT specification.
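The filter rules above can be checked offline before they are entered in the console. The following is an added example, not the Hub's own implementation: it evaluates a publish filter in both modes, shows why "Reject nothing" and "Accept #" differ for ‘$’ topics, and tests whether a wildcard subscription overlaps a rejected topic. Function names and the sample topics are constructed for illustration.

```python
def _dollar_clash(first_a: str, first_b: str) -> bool:
    # MQTT rule: a filter whose first level is a wildcard never matches
    # a topic whose first level starts with '$'.
    return first_a.startswith("$") and first_b in ("#", "+")

def topic_matches(filt: str, topic: str) -> bool:
    """True if a concrete topic is matched by an MQTT topic filter."""
    f, t = filt.split("/"), topic.split("/")
    if _dollar_clash(t[0], f[0]):
        return False
    for i, level in enumerate(f):
        if level == "#":
            return True  # '#' covers the parent level and everything below
        if i >= len(t) or level not in ("+", t[i]):
            return False
    return len(f) == len(t)

def filters_overlap(a: str, b: str) -> bool:
    """True if at least one topic is matched by both filters."""
    x, y = a.split("/"), b.split("/")
    if _dollar_clash(x[0], y[0]) or _dollar_clash(y[0], x[0]):
        return False
    for i in range(max(len(x), len(y))):
        xa = x[i] if i < len(x) else None
        ya = y[i] if i < len(y) else None
        if "#" in (xa, ya):
            return True
        if xa is None or ya is None:
            return False
        if "+" not in (xa, ya) and xa != ya:
            return False
    return True

def publish_allowed(topic: str, mode: str, rules: list) -> bool:
    """mode is 'accept' (allow-list) or 'reject' (deny-list)."""
    listed = any(topic_matches(r, topic) for r in rules)
    return listed if mode == "accept" else not listed

def subscription_hits_rejected(sub: str, rejected: list) -> bool:
    """A subscription is refused if it could deliver any rejected topic."""
    return any(filters_overlap(sub, r) for r in rejected)

if __name__ == "__main__":
    print(publish_allowed("$demo/status", "reject", []))      # default filter
    print(publish_allowed("$demo/status", "accept", ["#"]))   # "Accept #"
    print(subscription_hits_rejected("sensors/#", ["sensors/admin/+"]))
```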

How to create a Device

Once you have created a Hub, you can add a Device to it.

1. Click Add Devices in the Devices tab of your Hub.

2. Enter a name for your Device.

3. Choose a security setting for your Device.

4. Click Add a Device to your Hub.

5. The credentials of the Device are displayed. You must keep them safe for later as we do not store them ourselves.

Important: Make sure to download or copy the device certificate and the device private key. These files are required to establish a connection from the device to your hub. For security reasons these files are not stored on our side and you will not be able to access them later.

6. Click Close or Add a new Device.

7. Once the device is added, you may continue to configure IoT Hub Routes to export your data to other Scaleway services.

How to delete a Device

1. In the IoT Hub section of the Scaleway console, click on the IoT Hub that you want to delete.

2. Click on the Devices tab to list your devices, then on the device you want to delete.

3. On the Device details page, click Delete Device.

4. Confirm the deletion of the device in the popup.

Important: You will not be able to connect the device any longer once deleted.

It is also possible to delete multiple Devices at once by selecting them in the Device list.

Examples and tutorials

Learn more about Scaleway IoT Hub, discover how to add Devices to the hub, check the IoT Hub metrics or get started in a few clicks with the IoT Hub Kickstarts.
