AWS IoT - Access shadow through Net REST with certificate

0 votes

Trying to learn AWS IoT, I created a few "Things" + a Policy and I am even able to use IoT CLI to list-things or list-policies. I am even able to update the shadow through CLI with update-thingcommand through CLI. But once I try to access a Shadow through REST GET / POST request (through a .Net program or directly like, I receive a

"Missing Authentication Token"

. So I started to use a certificate. Here is part of my code:

string Certificate = "xxxxxxxxx-certificate.crt"; // downloaded from my thing
X509Certificate cert = new X509Certificate(Certificate);
WebRequestHandler handler = new WebRequestHandler();
HttpClient client = new HttpClient(handler);
// url = @"<mything>/shadow";
HttpResponseMessage webResponse = client.GetAsync(url, HttpCompletionOption.ResponseContentRead).Result;

The result is:

StatusCode: 403, ReasonPhrase: 'Forbidden', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
x-amzn-RequestId: 25f3c1dc-9ddd-4787-a4cf-cb79dc96748b
connection: Keep-Alive
x-amzn-ErrorType: ForbiddenException:
Date: Tue, 15 Dec 2015 08:53:56 GMT
Content-Length: 91
Content-Type: application/json

Any assistance?

Jul 25, 2018 in IoT (Internet of Things) by Matt
• 2,270 points

1 answer to this question.

0 votes

If you want to publish and/or subscribe to topics, you can take two different approach.

  1. HTTPS calls to API endpoints.
  2. Using any of the supported AWS SDKs of your choice (python, java, .NET etc.,) or AWS CLI

For the "missing authentication token" exception you get is due to unavailability of authentication tokens and amazon specific headers in your request. To make your HTTPS request work, You either use a rest client to add amazon specific headers or write a program.

You should try doing the following steps to make your https requests to work.

For detailed steps, refer


  • Step 1 is to define the verb (GET, POST, etc.)
  • Step 2: Create canonical URI.
  • Step 3: Create the canonical query string.
  • Step 4: Create the canonical headers and signed headers.
  • Step 5: Create the list of signed headers.
  • Step 6: Create payload hash (hash of the request body content)
  • Step 7: Combine elements to create create canonical request

TASK 2: CREATE THE STRING TO SIGN Using SHA256 algorithm, hash the canonical request (using any programming language/tools) and create a string to sign like below

string_to_sign = YourHashingAlgorithm + '\n' + CurrentDateInUTC+ '\n' + credential_scope + '\n' + yourHashedCanonicalRequest

API's to AWS services are uniquely identified by service paths. For IOT it is "iotdata/aws4_request". So your credential_scope in the above 'string_to_sign' should be like

credential_scope = datestamp + '/' + us-west-2+ '/' + iotdata+ '/' + 'aws4_request'


Calculate the hash using the same algorithm used in previous steps.

Refer the above said link for more details.


Here you need to set some of the headers like 'x-amz-date','Authorization', 'SignedHeaders' and 'Signature'. This Signature header will carry the final value of the Step 3.

Note: None of these headers are optional. Every HTTPS request should have all this information for authentication and authorization. Else AWS API will reject it.

You should get a 200 OK response to assure that your request is actually processed.

Coming to your .Net approach, you can try using AWS's .NET SDK and try inspecting the final request. I never tried using x.509 certificates directly in code. I think you are missing headers in your requests.

In cURL it would be something like below

curl "" \ --request GET \ --form "Action=UpdateThing" \ --form "UserName=iam_user" \ --form "CertificateBody=@~/.aws/credentials/sample/cert.pem" \ --form "Version=2010-05-08" \ --form "AUTHPARAMS"

Hope this helps

answered Jul 25, 2018 by anonymous2
• 4,280 points

Related Questions In IoT (Internet of Things)

0 votes
1 answer
0 votes
1 answer
0 votes
1 answer

How to work a AWS IOT Lambda with a devices?

Hey KanaguRaj, use this for reference: ...READ MORE

answered Apr 12, 2019 in IoT (Internet of Things) by Vardhan
• 13,190 points
0 votes
1 answer

Display time in a Windows Core IoT app with a clock!

It is possible, but you should understand ...READ MORE

answered Jul 10, 2018 in IoT (Internet of Things) by nirvana
• 3,150 points
0 votes
1 answer

aws iot describe-endpoint::You must specify a region

This fixed the problem: Browse to then if ...READ MORE

answered Jul 11, 2018 in IoT (Internet of Things) by anonymous2
• 4,280 points
0 votes
1 answer
+1 vote
1 answer

Configuring Raspberry Pi with Windows 10 IoT App using Rest API

You should use HttpClient instead of WebClient. Try ...READ MORE

answered Oct 10, 2018 in IoT (Internet of Things) by anonymous2
• 4,280 points
0 votes
1 answer