SAS Token Handling for Custom Module Connectivity in Azure IoT Edge

Kazuki Yamamoto 20 Reputation points
2023-11-17T07:56:06.6866667+00:00

I am connecting a custom module to IoTHub using Azure IoT Edge.

  • The authentication method for the IoT Edge device is "Symmetric Key."
  • The package used for connecting to IoTHub is the azure-iot-sdk-c (https://github.com/Azure/azure-iot-sdk-c).
  • Connection is established using the "IoTHubModuleClient_CreateFromEnvironment" function from the azure-iot-sdk-c.
  • MQTT is the chosen protocol.
  • Versions of IoT Edge, edgeHub, and edgeAgent are 1.4.16.

When connecting the custom module to IoTHub and transmitting telemetry, my understanding is as follows:

(1) The custom module generates an SAS token (generated during the execution of the "IoTHubModuleClient_CreateFromEnvironment" function in azure-iot-sdk-c).

(2) The custom module uses the SAS token generated in (1) to connect to edgeHub and passes the SAS token to edgeHub.

(3) The custom module uses the SAS token generated in (1) to transmit telemetry to edgeHub.

(4) edgeHub, using the SAS token passed in (2), transmits telemetry to IoTHub.

I want to confirm whether the SAS token between the custom module and edgeHub is the same as the SAS token between edgeHub and IoTHub or if they are different.

Thank you.


Accepted answer
  1. Sander van de Velde 25,416 Reputation points MVP
    2023-11-17T09:06:44.1166667+00:00

    Hello @Kazuki Yamamoto,

    welcome to this moderated Azure community forum.

    The Azure IoT Edge logic is open source and available on GitHub.

    In general, custom Azure IoT Edge modules do not connect to the Azure IoT Hub directly.

    The ModuleClient connects to the Microsoft module named EdgeHub (via a Docker network).

    This EdgeHub module represents the IoTHub. For example, if the edge is disconnected from the cloud, the custom module can still ask for its ModuleTwin settings because the EdgeHub stores the last copy gotten from the IoTHub.

    The communication between (custom) modules and the EdgeHub is done via the routes, seen in the deployment manifest.

    This communication is secured via TLS using a separate certificate.

    Check out this Azure IoT Edge security related documentation for more details.


    If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar issues will benefit by doing so. Your contribution is highly appreciated.

    1 person found this answer helpful.
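
An added example (not part of the original question or answer, and not code from azure-iot-sdk-c): the IoT Hub SAS token layout, `SharedAccessSignature sr=<audience>&sig=<signature>&se=<expiry>`, built and inspected in Python to show that the HMAC-SHA256 signature binds a token to one audience and one expiry time. The hub, device and module names and the key are constructed, and the module audience form `<hub>/devices/<device>/modules/<module>` is an assumption of this example.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs, quote_plus

# Constructed demo values; not real credentials or hosts.
KEY_B64 = base64.b64encode(b"constructed-demo-key").decode()
# Assumed audience form for a module identity.
AUDIENCE = "contoso-hub.azure-devices.net/devices/edge01/modules/moduleA"

def sign(key_b64, audience, expiry):
    """HMAC-SHA256 over '<url-encoded audience>\\n<expiry>', base64-encoded."""
    to_sign = f"{quote_plus(audience)}\n{expiry}".encode()
    mac = hmac.new(base64.b64decode(key_b64), to_sign, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def build_sas_token(key_b64, audience, expiry):
    """Assemble the token string from audience, signature and expiry."""
    sig = sign(key_b64, audience, expiry)
    return (f"SharedAccessSignature sr={quote_plus(audience)}"
            f"&sig={quote_plus(sig)}&se={expiry}")

def inspect_sas_token(token, key_b64, now):
    """Return audience, expiry state and signature validity of a token."""
    scheme, _, query = token.partition(" ")
    if scheme != "SharedAccessSignature":
        raise ValueError("not a SAS token")
    fields = {k: v[0] for k, v in parse_qs(query, strict_parsing=True).items()}
    audience, expiry = fields["sr"], int(fields["se"])
    return {
        "audience": audience,
        "expired": now >= expiry,
        # Constant-time comparison of the recomputed and presented signatures.
        "signature_valid": hmac.compare_digest(
            sign(key_b64, audience, expiry), fields["sig"]),
    }

if __name__ == "__main__":
    token = build_sas_token(KEY_B64, AUDIENCE, expiry=1700212000)
    print(inspect_sas_token(token, KEY_B64, now=1700208400))
    # Rewriting the audience to another module breaks the signature.
    relabelled = token.replace("moduleA", "moduleB")
    print(inspect_sas_token(relabelled, KEY_B64, now=1700208400))
```

Decoding the `sr` and `se` fields of a captured token this way shows which identity and lifetime it was issued for without needing the key; the key is only required for the signature check.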
