Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

Authenticating clients while offline

PDF
RSS
Focus mode
Authenticating clients while offline - AWS IoT Greengrass
Storing client credentials

With offline authentication you can configure your AWS IoT Greengrass Core device so that client devices can connect to a core device, even when the core device isn't connected to the cloud. When you use offline authentication, your Greengrass devices can continue to work in a partially offline environment.

To use offline authentication for a client device with a connection to the cloud, you need the following:

  • An AWS IoT Greengrass Core device with the Client device auth component deployed. You must use version 2.3.0 or greater for offline authentication.

  • A cloud connection for the core device during the initial connection of client devices.

Storing client credentials

When a client device connects to a core device for the first time, the core device calls the AWS IoT Greengrass service. When called, Greengrass validates the client device's registration as an AWS IoT thing. It also validates that the device has a valid certificate. The core device then stores this information locally.

The next time that the device connects, the Greengrass core device attempts to validate the client device with the AWS IoT Greengrass service. If it can't connect to AWS IoT Greengrass, the core device uses its locally stored device information to validate the client device.

You can configure the length of time that the Greengrass core device stores credentials. You can set the timeout from one minute to 2,147,483,647 minutes by setting the clientDeviceTrustDurationMinutes configuration option in the client device auth component configuration. The default is one minute, which effectively turns off offline authentication. When you set this timeout, we recommend that you consider your security needs. You should also consider how long you expect core devices to run while disconnected from the cloud.

The core device updates its credential storage at three times:

  1. When a device connects to the core device for the first time.

  2. If the core device is connected to the cloud, when a client device reconnects to the core device.

  3. If the core device is connected to the cloud, once a day to refresh the entire credential store.

When the Greengrass core device refreshes its credential store, it uses the ListClientDevicesAssociatedWithCoreDevice operation. Greengrass only refreshes the devices returned by this operation. To associate a client device with a core device, see Associate client devices.

To use the ListClientDevicesAssociatedWithCoreDevice operation, you must add permission for the operation to the AWS Identity and Access Management (IAM) role associated with the AWS account that runs AWS IoT Greengrass. For more information, see Authorize core devices to interact with AWS services.

On this page

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.