[Technical Question] How can we instantiate DeviceClient in the context of an Edge Module? #4978

Open
chriswue opened this issue May 2, 2021 · 9 comments
Labels
area:app Issue relating to module definition and life cycle customer-reported iotedge no-issue-activity question

chriswue commented May 2, 2021

We would like to make use of the file upload feature provided by the IoT Hub. Namely automatic management of storage SAS tokens and upload notifications.
Unfortunately you need a DeviceClient instance and that seems to be very hard to correctly instantiate in an edge module context. In particular pretty much all examples you find out there omit the hard part that is "put your connection string here".

Options we have looked into

  1. There is a local blob storage module where you can store blobs locally and sync to a storage account. Problems:
    1. You need to configure the blob storage credentials on the module - i.e. account and shared access key. This is something that we want to avoid (think rotating storage account keys)
    2. It automatically writes all data to local disk which is hurting the flash lifetime. Bandwidth is more longer-term reliable than local flash write-lifetime in our scenario
  2. Instantiate DeviceClient via connection string - well, hard-coding is not an option and passing it via a module twin prop is just slightly less bad.
  3. Make our own module that gets configured with the storage account creds. This solves the data persistence requirement (since we can just upload from a memory stream) but not the credentials problem of the first point above.
  4. Send a specially crafted message that triggers a function to pass down a SAS token. This is re-inventing the wheel and seems a waste when the IoT Hub already has everything built-in.
  5. Map and parse the iotedge config like done in Question: Cloud to device/module communication with iot-edge #205 but this will most likely fall apart when using DPS.

So being able to instantiate a DeviceClient from the environment without having to hard-code/configure any account secrets seems like a way to make it work but it's not obvious how.

It's really very unfortunate that iotedge devices have seemingly been left hanging out to dry while all the required infra to make this work nicely is all there.

@abhipsaMisra
Member

Thanks for the question. I am going to add a couple of people from the Edge team, since this question could use knowledge of IoT Edge in providing the correct recommendation.
@varunpuranik, @ancaantochi - Could you provide a recommendation on how to initialize a DeviceClient in the context of an Edge Module?

@timtay-microsoft timtay-microsoft changed the title [Technical Question] How can we instante a DeviceClient in the context of an Edge Module? [Technical Question] How can we instantiate DeviceClient in the context of an Edge Module? May 4, 2021
@timtay-microsoft
Member

@abhipsaMisra should we transfer this issue to the edge Github repo? It seems to be more of a question about edge runtime than about this SDK.

@abhipsaMisra
Member

Since the issue dealt with the different initialization methods available for device and module clients, I had kept this logged on our repository; but since this issue is completely Edge related, I don't see any issue in transferring it to the Edge repository. If any sdk related work item comes out of this, we can create a new issue on our repository.

@abhipsaMisra
Member

I don't have the right permissions to transfer this over to the Edge repository, @varunpuranik / @ancaantochi - is this something that you can answer here, or do you feel this would be better addressed on the Edge repo?

@dylanbronson dylanbronson transferred this issue from Azure/azure-iot-sdk-csharp May 12, 2021
@dylanbronson dylanbronson self-assigned this May 12, 2021
@dylanbronson
Contributor

dylanbronson commented May 12, 2021

Hello,
I have searched for a solution for you, but unfortunately there is no great solution at the moment.

If you are specifically not trying to include the ConnectionString, you can try using the other Create methods for deviceClient. There are IAuthenticationMethod implementations provided in the sdk, and a couple of abstract classes as well.
For example, one of them takes a registration key, which will work with DPS, but it requires you to, again, hardcode the credential. But it gives you a degree of separation.

Otherwise, I think your best bet is either the blob storage module or your #3, creating your own module to get around the persistence issue. You can pass in the secrets via module twin properties or you can store them on your edge device and load them from there.
These are not the perfect solutions you were looking for, but unfortunately we don't have one at this time. There is work being done to integrate AAD with IoTEdge that may help in the future, but it is still in progress.

@chriswue
Author

Thanks @dylanbronson - could you shed some light on why the ModuleClient can auto-magically figure out how to connect but the DeviceClient can't?
Also in the end I don't really care about the DeviceClient but it also seems quite strange that the blob upload infra can only be used via the DeviceClient and not the ModuleClient even though both connect to the IoT Hub. What's the reason behind this?

@dylanbronson
Contributor

Modules on edge use the IdentityService (which is installed with iotedge) to provision the module. More details on the Identity Service: https://azure.github.io/iot-identity-service/
DeviceClients don't use the IdentityService at all.

IoTHub has not implemented blob upload for modules, so the SDK and Edge can't either. I don't know the why behind this. I could guess that maybe DeviceClients came first and, since then, there hasn't been an ask for ModuleClients to specifically. I can do some investigation and get back to you if I turn anything up.

@github-actions

This issue is being marked as stale because it has been open for 30 days with no activity.

@chriswue
Author

@dylanbronson We plan on using the DPS with X509 certs - can the DPS certificates be used with the DeviceAuthenticationWithX509Certificate to authenticate the DeviceClient?

@pmzara pmzara added the area:app Issue relating to module definition and life cycle label Nov 10, 2021
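
An added example (not code from this thread or from the SDK's samples) of the `IAuthenticationMethod` route raised above: a `DeviceClient` built from an X.509 certificate mounted into the container instead of a connection string, followed by a file upload from a memory stream using the SAS URI that IoT Hub issues. It assumes the C# SDK (Microsoft.Azure.Devices.Client 1.x) with Azure.Storage.Blobs, .NET 5 or later, a device identity registered for X.509 authentication, and hypothetical environment variable names; the thread does not settle whether the certificate used for DPS on an Edge device can serve here.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Blobs.Specialized;
using Microsoft.Azure.Devices.Client;
using Microsoft.Azure.Devices.Client.Transport;

public static class InMemoryFileUpload
{
    // Hypothetical setting names: the deployment supplies them, nothing secret is compiled in.
    private static string Setting(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"{name} is not set");

    public static async Task UploadAsync(string blobName, byte[] payload)
    {
        // Certificate and private key are read from PEM files mounted into the container.
        using var cert = X509Certificate2.CreateFromPemFile(
            Setting("DEVICE_CERT_PEM_PATH"), Setting("DEVICE_KEY_PEM_PATH"));
        var auth = new DeviceAuthenticationWithX509Certificate(Setting("DEVICE_ID"), cert);
        using var client = DeviceClient.Create(Setting("IOTHUB_HOSTNAME"), auth, TransportType.Mqtt);

        // IoT Hub issues a short-lived SAS URI for this blob; no storage account key is on the device.
        FileUploadSasUriResponse sas = await client.GetFileUploadSasUriAsync(
            new FileUploadSasUriRequest { BlobName = blobName });

        var done = new FileUploadCompletionNotification { CorrelationId = sas.CorrelationId };
        try
        {
            // Upload straight from memory, so nothing is written to local flash.
            using var stream = new MemoryStream(payload, writable: false);
            await new BlockBlobClient(sas.GetBlobUri()).UploadAsync(stream, new BlobUploadOptions());
            done.IsSuccess = true;
            done.StatusCode = 200;
        }
        catch (Exception ex)
        {
            done.IsSuccess = false;
            done.StatusCode = 500;
            done.StatusDescription = ex.GetType().Name; // do not echo a URI that carries the SAS
            throw;
        }
        finally
        {
            // Always report the outcome so the hub can close the upload and notify the backend.
            await client.CompleteFileUploadAsync(done);
        }
    }
}
```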