MQTT Security LTE-M
-
I am having a problem figuring out how to secure my mqtt connections. I want my devices to publish to their own uplink topic and check their downlink topic when we want to push some configuration. I am using sims from 1nce with a 500MB limit so stuff needs to be lightweight and RabittMQ + mqtt seems to fit the bill.
Using TLS and user/password is fine but I would like to isolate each device and maintaining a Access Control List on my broker with unique user/pass for each device seems like an error prone and cumbersome solution. Using the same username/pass for all the devices is just a horrible idea for security and traceability.
Been trying to figure out OAuth 2.0 + mqtt but not really finding any good resources.
Had a look at Hashicorp Vault that exposes a nice API to dynamically creating user/pass on rabittmq that looks nice with regards to not spreading secrets to all the devices, tracebility and revoking access if a device is compromised, but I can not figure out how to use Vault with my pycom devices.
1nce has a SIM-as-an-Identity thingy that looks pretty interesting but it looks like it depends on AWS-Iot-Core that I would like to avoid using. Is it possible to use SIM-as-an-Identity to authorize devices to topics without AWS-Iot-Core.
This seems like such a common use case but I am really struggling to find a good solution, any suggestions are much appreatiated.