Google Cloud IoT Core is being retired on August 16, 2023. Contact your Google Cloud account team for more information.

Add RSA256 authentication

Stay organized with collections Save and categorize content based on your preferences.

Add RSA256 authentication to a device.

Explore further

For detailed documentation that includes this code sample, see the following:

Code sample


For more information, see the Cloud IoT Core Go API reference documentation.

// patchDeviceRSA patches a device to use RSA256 X.509 credentials.
func patchDeviceRSA(w io.Writer, projectID string, region string, registryID string, deviceID string, keyPath string) (*cloudiot.Device, error) {
	// Authorize the client using Application Default Credentials.
	// See
	ctx := context.Background()
	httpClient, err := google.DefaultClient(ctx, cloudiot.CloudPlatformScope)
	if err != nil {
		return nil, err
	client, err := cloudiot.New(httpClient)
	if err != nil {
		return nil, err

	keyBytes, err := ioutil.ReadFile(keyPath)
	if err != nil {
		return nil, err

	device := cloudiot.Device{
		Id: deviceID,
		Credentials: []*cloudiot.DeviceCredential{
				PublicKey: &cloudiot.PublicKeyCredential{
					Format: "RSA_X509_PEM",
					Key:    string(keyBytes),

	parent := fmt.Sprintf("projects/%s/locations/%s/registries/%s/devices/%s", projectID, region, registryID, deviceID)
	response, err := client.Projects.Locations.Registries.Devices.
		Patch(parent, &device).UpdateMask("credentials").Do()
	if err != nil {
		return nil, err

	fmt.Fprintln(w, "Successfully patched device with RSA256 X.509 credentials")

	return response, nil


For more information, see the Cloud IoT Core Java API reference documentation.

/** Patch the device to add an RSA256 key for authentication. */
protected static void patchRsa256ForAuth(
    String deviceId,
    String publicKeyFilePath,
    String projectId,
    String cloudRegion,
    String registryName)
    throws GeneralSecurityException, IOException {
  GoogleCredentials credential =
  JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();
  HttpRequestInitializer init = new HttpCredentialsAdapter(credential);
  final CloudIot service =
      new CloudIot.Builder(GoogleNetHttpTransport.newTrustedTransport(), jsonFactory, init)

  final String devicePath =
          projectId, cloudRegion, registryName, deviceId);

  PublicKeyCredential publicKeyCredential = new PublicKeyCredential();
  String key = Files.toString(new File(publicKeyFilePath), Charsets.UTF_8);

  DeviceCredential devCredential = new DeviceCredential();

  Device device = new Device();

  Device patchedDevice =
          .patch(devicePath, device)

  System.out.println("Patched device is " + patchedDevice.toPrettyString());


For more information, see the Cloud IoT Core Node.js API reference documentation.

// const cloudRegion = 'us-central1';
// const deviceId = 'my-rsa-device';
// const projectId = 'adjective-noun-123';
// const registryId = 'my-registry';
const iot = require('@google-cloud/iot');
const iotClient = new iot.v1.DeviceManagerClient({
  // optional auth parameters.

async function updateDevice() {
  // Construct request
  const devPath = iotClient.devicePath(

  const device = {
    name: devPath,
    credentials: [
        publicKey: {
          format: 'RSA_X509_PEM',
          key: readFileSync(rsaPublicKeyFile).toString(),

  const [response] = await iotClient.updateDevice({
    device: device,
    updateMask: {paths: ['credentials']},

  console.log('Patched device:', deviceId);
  console.log('Response', response);



For more information, see the Cloud IoT Core PHP API reference documentation.

use Google\Cloud\Iot\V1\DeviceManagerClient;
use Google\Cloud\Iot\V1\Device;
use Google\Cloud\Iot\V1\DeviceCredential;
use Google\Cloud\Iot\V1\PublicKeyCredential;
use Google\Cloud\Iot\V1\PublicKeyFormat;
use Google\Protobuf\FieldMask;

 * Patch the device to add an RSA256 public key to the device.
 * @param string $registryId IOT Device Registry ID
 * @param string $deviceId IOT Device ID
 * @param string $certificateFile Path to RS256 certificate file.
 * @param string $projectId Google Cloud project ID
 * @param string $location (Optional) Google Cloud region
function patch_rsa(
    $location = 'us-central1'
) {
    print('Patch device with RSA256 certificate' . PHP_EOL);

    // Instantiate a client.
    $deviceManager = new DeviceManagerClient();
    $deviceName = $deviceManager->deviceName($projectId, $location, $registryId, $deviceId);

    $publicKey = (new PublicKeyCredential())

    $credential = (new DeviceCredential())

    $device = (new Device())

    $updateMask = (new FieldMask())

    $device = $deviceManager->updateDevice($device, $updateMask);
    printf('Updated device %s' . PHP_EOL, $device->getName());


For more information, see the Cloud IoT Core Python API reference documentation.

# project_id = 'YOUR_PROJECT_ID'
# cloud_region = 'us-central1'
# registry_id = 'your-registry-id'
# device_id = 'your-device-id'
# public_key_file = 'path/to/certificate.pem'
print("Patch device with RSA256 certificate")

client = iot_v1.DeviceManagerClient()
device_path = client.device_path(project_id, cloud_region, registry_id, device_id)

public_key_bytes = ""
with as f:
    public_key_bytes =

key = iot_v1.PublicKeyCredential(
    format=iot_v1.PublicKeyFormat.RSA_X509_PEM, key=public_key_bytes

cred = iot_v1.DeviceCredential(public_key=key)
device = client.get_device(request={"name": device_path}) = b""
device.num_id = 0

mask = gp_field_mask.FieldMask()

return client.update_device(request={"device": device, "update_mask": mask})


For more information, see the Cloud IoT Core Ruby API reference documentation.

# project_id  = "Your Google Cloud project ID"
# location_id = "The Cloud region the registry is located in"
# registry_id = "The registry to create a device in"
# device_id   = "The identifier of the device to patch"
# cert_path   = "The path to the RSA certificate"

require "google/apis/cloudiot_v1"

# Initialize the client and authenticate with the specified scope
Cloudiot   = Google::Apis::CloudiotV1
iot_client =
iot_client.authorization = Google::Auth.get_application_default(

# The resource name of the location associated with the project
parent = "projects/#{project_id}/locations/#{location_id}/registries/#{registry_id}"
path   = "#{parent}/devices/#{device_id}"

credential =
credential.public_key =
credential.public_key.format = "RSA_X509_PEM"
credential.public_key.key = cert_path

device =
device.credentials = [credential]

# Create the device
device = iot_client.patch_project_location_registry_device(
  path, device, update_mask: "credentials"

puts "Device: #{}"
puts "\tBlocked: #{device.blocked}"
puts "\tLast Event Time: #{device.last_event_time}"
puts "\tLast State Time: #{device.last_state_time}"
puts "\tName: #{}"
puts "\tCertificate formats:"
if device.credentials
  device.credentials.each { |cert| puts "\t\t#{cert.public_key.format}" }
  puts "\t\tNo certificates for device"

What's next

To search and filter code samples for other Google Cloud products, see the Google Cloud sample browser.