Using Azure IoT SDK with Azure Identity Service

Abby Greentree 126 Reputation points
2023-01-12T23:38:58.0566667+00:00

Background: I am using the Azure IoT Hub SDK for Python to establish a device connection to IoT Hub. The device authentication method is self-signed x509 certificates. On the device side, I am using Azure Identity Service to manage and rotate device certificates.

Question: Is there a way to utilize Azure Identity Service APIs to provide x509 credentials for use with the IoTHubDeviceClient create_from_x509_certificate method?

Additional Information:

  • My understanding from reviewing the AIS API Documentation is that the Azure Identity Service provides an endpoint to retrieve the certificate, but not key information when using x509 authentication for the device identity.
  • It is possible to access the certificate and key from the file system, but I am looking for a more graceful implementation that allows my device client to leverage the APIs exposed by AIS to authenticate its connection with IoT Hub.

Thanks in advance for any assistance.

Azure IoT SDK

1 answer

  1. QuantumCache 20,031 Reputation points
    2023-03-09T23:51:37.8866667+00:00

    Hi @Abby Greentree,

    You are correct that the create_from_x509_certificate method of the IoTHubDeviceClient class expects an azure.iot.device.x509.X509 object, not a symmetric key.

    If you want to use the x509 authentication method for the device identity, you will need to obtain the device certificate and private key in a format that can be used to create an azure.iot.device.x509.X509 object.

    One way to do this is to use the Azure Identity Service APIs to obtain the certificate and private key in PEM format, which can be used to create an azure.iot.device.x509.X509 object.

    Here is an example of how to do this:

    import os
    import ssl
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.certificates import CertificateClient
    from azure.keyvault.secrets import SecretClient
    from azure.iot.device import IoTHubDeviceClient, X509

    # Retrieve the device certificate and private key from the certificate store
    credential = DefaultAzureCredential()
    vault_url = "<your-key-vault-url>"
    certificate_name = "<your-certificate-name>"
    certificate_client = CertificateClient(vault_url, credential)
    certificate = certificate_client.get_certificate(certificate_name)
    # Key Vault serves the private key as the secret that shares the certificate's name;
    # with content type application/x-pem-file its value is a PEM bundle of key plus certificate
    secret = SecretClient(vault_url, credential).get_secret(certificate_name)

    # Convert the certificate (DER bytes in .cer) to PEM format; the secret value is already PEM
    certificate_pem = ssl.DER_cert_to_PEM_cert(certificate.cer)
    private_key_pem = secret.value

    # X509 takes file paths, not PEM strings, so write the material to owner-only files
    for path, data in (("device-cert.pem", certificate_pem), ("device-key.pem", private_key_pem)):
        with open(path, "w") as f:
            f.write(data)
        os.chmod(path, 0o600)
    x509 = X509(cert_file="device-cert.pem", key_file="device-key.pem")

    # Create the IoTHubDeviceClient from the X509 credential, the IoT Hub hostname and the device id
    device_client = IoTHubDeviceClient.create_from_x509_certificate(
        x509=x509, hostname="<your-iothub-hostname>", device_id="<your-device-id>"
    )

    In this example, we use the Azure Key Vault Python library to retrieve the device certificate and private key from the certificate store, but you could use any method you prefer to retrieve these values.

    Note that the get_certificate and get_certificate_private_key methods of the CertificateClient class return cryptography objects, which need to be converted to PEM format using the encode and export_key methods, respectively.

    I hope this helps!

    We are more than happy to help you on this.

    Please comment in the below section for further help!
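A fuller device-side version of the flow sketched in the answer, added here as an example (it is not the answerer's code and not one of the SDK's own samples). It assumes the private key is fetched as the Key Vault secret that shares the certificate's name, with content type application/x-pem-file or the default application/x-pkcs12, converts it to PEM, writes owner-only files because the SDK's X509 class takes file paths, and runs OpenSSL's key/certificate match check before the client is built. The sample bundle and all function names are constructed for this example; the SDK calls in build_device_client are the real ones but need network access and are not exercised offline.

```python
import os
import re
import ssl
import tempfile
from typing import Optional, Tuple

# Constructed sample shaped like a Key Vault certificate secret of content type
# application/x-pem-file (key, then leaf and issuer certificates). The base64 bodies
# are placeholders, not real key material, so OpenSSL will reject them.
SAMPLE_PEM_BUNDLE = """-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCplaceholder
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAJC1leafplaceholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAJC1issuerplaceholder
-----END CERTIFICATE-----
"""

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def split_pem_bundle(bundle: str) -> Tuple[str, str]:
    """Return (certificate_chain_pem, private_key_pem); all CERTIFICATE blocks form the
    chain, and exactly one private key block is required (an ENCRYPTED PRIVATE KEY
    counts, but X509 then needs its pass_phrase argument)."""
    certs, keys = [], []
    for match in _PEM_BLOCK.finditer(bundle):
        block = match.group(0) + "\n"
        if match.group(1) == "CERTIFICATE":
            certs.append(block)
        elif match.group(1).endswith("PRIVATE KEY"):
            keys.append(block)
    if not certs:
        raise ValueError("bundle contains no certificate")
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    return "".join(certs), keys[0]

def pkcs12_to_pem(pkcs12_b64: str, password: Optional[bytes] = None) -> Tuple[str, str]:
    """Convert the base64 PKCS#12 blob of a content type application/x-pkcs12 secret
    (Key Vault's default) to (certificate_chain_pem, private_key_pem); needs `cryptography`."""
    import base64
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.serialization import pkcs12

    key, cert, chain = pkcs12.load_key_and_certificates(base64.b64decode(pkcs12_b64), password)
    if key is None or cert is None:
        raise ValueError("PKCS#12 blob lacks a private key or a certificate")
    cert_pem = b"".join(c.public_bytes(serialization.Encoding.PEM) for c in [cert, *(chain or [])])
    key_pem = key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                serialization.NoEncryption())
    return cert_pem.decode(), key_pem.decode()

def write_credential_files(cert_pem: str, key_pem: str, directory: Optional[str] = None) -> Tuple[str, str]:
    """Write PEM material to owner-only files; the SDK's X509 class takes paths, not strings."""
    directory = directory or tempfile.mkdtemp(prefix="iot-x509-")
    paths = []
    for name, data in (("device-cert.pem", cert_pem), ("device-key.pem", key_pem)):
        path = os.path.join(directory, name)
        # O_EXCL refuses to reuse a pre-existing file or symlink at this path
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(data)
        paths.append(path)
    return paths[0], paths[1]

def key_matches_certificate(cert_path: str, key_path: str) -> bool:
    """OpenSSL's own key/certificate check (the one the MQTT transport hits at connect
    time), run early so a mismatch or unparsable PEM fails before the device dials the hub."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    except ssl.SSLError:
        return False
    return True

def credential_files_from_secret(value: str, content_type: str,
                                 directory: Optional[str] = None) -> Tuple[str, str]:
    """Map a Key Vault secret (.value and .properties.content_type) to verified file paths."""
    if content_type == "application/x-pem-file":
        cert_pem, key_pem = split_pem_bundle(value)
    elif content_type == "application/x-pkcs12":
        cert_pem, key_pem = pkcs12_to_pem(value)
    else:
        raise ValueError(f"unsupported secret content type: {content_type!r}")
    cert_path, key_path = write_credential_files(cert_pem, key_pem, directory)
    if not key_matches_certificate(cert_path, key_path):
        raise ValueError("private key does not match certificate, or PEM is malformed")
    return cert_path, key_path

def build_device_client(cert_path: str, key_path: str, hostname: str, device_id: str):
    """Real SDK calls; needs azure-iot-device installed and is not exercised offline."""
    from azure.iot.device import IoTHubDeviceClient, X509

    x509 = X509(cert_file=cert_path, key_file=key_path)
    return IoTHubDeviceClient.create_from_x509_certificate(x509=x509, hostname=hostname,
                                                           device_id=device_id)
```

On a device, `secret = SecretClient(vault_url, DefaultAzureCredential()).get_secret(name)` followed by `credential_files_from_secret(secret.value, secret.properties.content_type)` and `build_device_client(...)` is the whole flow; the two conversion helpers are the parts worth keeping regardless of where the PEM comes from, since only the fetch changes if the material is served by another store rather than Key Vault (an assumption about other sources, not something the thread confirms). The match check deliberately reuses `ssl.SSLContext.load_cert_chain` so the failure surfaces as a clear local error rather than a TLS handshake failure against the hub.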