This guide will walk you through integrating devices that support only unencrypted MQTT communications with AWS IoT Core, for rapid onboarding with minimal configuration.
Before you begin, you must generate a CA certificate. This can be done using multiple tools, but this guide will use openssl to generate the CA certificate.
The example below is good for most use cases, but you may wish to consult with your IT security department for recommended certificate practices for your organization.
# generate a new RSA private key in PKCS#8 format.
openssl genpkey -algorithm RSA -out aws_iot_ca.key8.pem
# convert the private key from PKCS#8 to PKCS#1 format.
openssl pkey -in aws_iot_ca.key8.pem -traditional -out aws_iot_ca.key1.pem
# generate a self-signed CA certificate from the private key, valid for 10 years (you will be prompted for the subject fields).
openssl req -x509 -new -key aws_iot_ca.key8.pem -out aws_iot_ca.cert.pem -days 3650
Save the three PEM files for use later in the process.
In general, to allow bridging of MQTT connections to AWS IoT Core, we need to create a just-in-time provisioning (JITP) template in your AWS IoT Core. This guide assumes you have a "new" IoT Core with no previous configuration, and may need to be adjusted if you already have some definitions in your IoT Core configuration.
You will need the following values from the AWS Console:
2.1.1 - AWS Account ID: this can be found by clicking on your username in the top right of the AWS Console. The Account ID is a 12 digit number with no hyphens.
2.1.2 - AWS Region name that you wish to use for AWS IoT Core: this can be found by clicking the dropdown to the left of your username. It will be in the format of us-east-1 or similar.
2.1.3 - AWS IoT Core Endpoint: this can be found by navigating to IoT Core in the AWS Console, then clicking on Settings. You want the Device data endpoint, which will be in the form of: annxsw26vrtr-ats.iot.us-east-2.amazonaws.com
We need to import the CA certificate we created to allow devices to automatically connect and be authenticated.
2.2.1 - Navigate to Security -> Certificate authorities in your AWS Console.
2.2.2 - Click Register CA certificate to register a new certificate.
2.2.3 - Click Choose CA certificate, select the file we previously created, aws_iot_ca.cert.pem, and upload it.
2.2.4 - Set CA status to Active.
2.2.5 - Set Automatic certificate registration to On.
2.2.6 - Click Register to register the new certificate authority.
We must create a security policy to allow devices to connect and subscribe to topics. If you already have a security policy defined, you can skip this step. For production use cases, you will most likely have a pre-defined security policy.
This is a sample policy that allows devices to publish and subscribe to any topics with a prefix of iotb; policies will need to be customized for your AWS IoT Core use cases.
2.3.1 - Navigate to Security -> Policies in your AWS Console.
2.3.2 - Click Create policy to create a new policy.
2.3.3 - Enter information for the policy. Click the JSON button to switch to the JSON builder for the Policy document and enter the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish",
                "iot:Receive",
                "iot:PublishRetain"
            ],
            "Resource": [
                "arn:aws:iot:<aws-region>:<aws-account-id>:topic/iotb/*",
                "arn:aws:iot:<aws-region>:<aws-account-id>:topic/$aws/things/${iot:Connection.Thing.ThingName}/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": [
                "arn:aws:iot:<aws-region>:<aws-account-id>:topicfilter/iotb/*",
                "arn:aws:iot:<aws-region>:<aws-account-id>:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": "arn:aws:iot:<aws-region>:<aws-account-id>:client/*"
        }
    ]
}
2.3.4 - Replace aws-region and aws-account-id in the resources with your region and account id saved above.
2.3.5 - Click Create to create your policy.
The last step to configure AWS IoT Core is to create a Provisioning Template, which will enable devices to automatically connect to your AWS IoT Core.
2.4.1 - Navigate to Connect many devices -> Connect many devices in the AWS Console.
2.4.2 - Click Create provisioning template to create a new template.
2.4.3 - Set Provisioning scenario to Provisioning devices with unique certificates (JITP).
2.4.4 - Click Next.
2.4.5 - Set Provisioning template status to Active.
2.4.6 - Set Provisioning template name to anything you like, such as IoT_Bridge_Provisioning_Template.
2.4.7 - Click Create new role to create a new role for the provisioning template. Set Role name to anything you like, such as IoT_Bridge_Provisioning_Role, and click Create to create the new role.
2.4.8 - Select the new role in the Provisioning role field.
2.4.9 - Set CA certificate to the certificate you uploaded above; you should only have one certificate to select from.
2.4.10 - Set Automatic certificate registration to On.
2.4.11 - Click Next.
2.4.12 - Check Automatically create a thing resource when provisioning a device.
2.4.13 - Click Next.
2.4.14 - Select the Device Policy to attach to devices that are created through the template.
2.4.15 - Click Next.
2.4.16 - Click Create template.
The solution template defines all of the resources in your IoT Bridge to enable the MQTT to AWS IoT Core connections.
3.1.1 - Click Solution Templates at the bottom of any page.
3.1.2 - Find the MQTT to AWS IoT Core template and click Import.
3.1.3 - Fill in the template as follows:
AWS IoT Core Endpoint: The MQTT endpoint for your AWS IoT Core service.
Activity timeout: The amount of time to keep connections to AWS IoT Core open; idle connections will be closed after this interval.
AWS IoT Core CA Certificate: The CA certificate created above.
AWS IoT Core CA Private Key: The CA private key created above.
MQTT Registration Username and MQTT Registration Password: used to authenticate unencrypted MQTT to the IoT Bridge and establish the connection to the AWS instance. Record these values for later.
3.1.4 - Check Start triggers so the triggers will automatically start upon import.
3.1.5 - Click Import.
3.1.6 - Verify the import was successful:
Now that everything has been imported, you can connect your first MQTT client.
There are a variety of clients that you can use; for all of them, the parameters will be the same:
If you did not save the username and password, they can be retrieved by navigating to Services, editing the Proxy MQTT service, and checking the auto-registration tab.
If you set up any subscriptions or publishes in your client, ensure they are valid for the Security Policy you defined above. If you subscribe or publish to topics not authorized in your policy, your client will be immediately disconnected.
You should see your MQTT client connected without errors.
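Because an unauthorized topic gets the bridged client disconnected rather than a readable error, it helps to check a client's topics against the policy from step 2.3 before connecting. The Python below is an added example, not part of this guide or of the IoT Bridge product: it fills in the policy placeholders the way step 2.3.4 does, mimics the `*` resource matching of AWS IoT policies, and lists the publish topics and subscribe filters that would be denied. The region, account id and the thing name `sensor-01` are constructed sample values, and the evaluator is simplified to this guide's Allow-only policy.

```python
import json
import re

# The guide's policy document with the two placeholders still unfilled.
ARN = "arn:aws:iot:<aws-region>:<aws-account-id>:"
THING = "${iot:Connection.Thing.ThingName}"
POLICY_TEMPLATE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive", "iot:PublishRetain"],
     "Resource": [ARN + "topic/iotb/*", ARN + "topic/$aws/things/" + THING + "/*"]},
    {"Effect": "Allow", "Action": "iot:Subscribe",
     "Resource": [ARN + "topicfilter/iotb/*", ARN + "topicfilter/$aws/things/" + THING + "/*"]},
    {"Effect": "Allow", "Action": "iot:Connect", "Resource": ARN + "client/*"}]})

def render_policy(template: str, region: str, account_id: str) -> dict:
    """Step 2.3.4 done programmatically: fill the placeholders and parse the JSON."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account id must be 12 digits with no hyphens")
    return json.loads(template.replace("<aws-region>", region).replace("<aws-account-id>", account_id))

def _resource_matches(resource_arn: str, thing_name: str, candidate_arn: str) -> bool:
    # In AWS IoT policies '*' matches any run of characters, while MQTT '+' and '#' are
    # literal; the ThingName policy variable is filled from the connecting thing.
    pattern = resource_arn.replace(THING, thing_name)
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, candidate_arn) is not None

def allowed(policy: dict, action: str, candidate_arn: str, thing_name: str) -> bool:
    """True if an Allow statement names this exact action and a matching resource.
    Simplified to the guide's policy: no Deny statements and no 'iot:*' action wildcards."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if (stmt["Effect"] == "Allow" and action in actions
                and any(_resource_matches(r, thing_name, candidate_arn) for r in resources)):
            return True
    return False

def preflight(policy: dict, region: str, account_id: str, thing_name: str,
              publish_topics: list, subscribe_filters: list) -> list:
    """Return the publish topics and subscribe filters the policy would reject. Any one of
    them gets the bridged client disconnected, so fix the client config before connecting."""
    base = f"arn:aws:iot:{region}:{account_id}:"
    denied = [t for t in publish_topics
              if not allowed(policy, "iot:Publish", base + "topic/" + t, thing_name)]
    denied += [f for f in subscribe_filters
               if not allowed(policy, "iot:Subscribe", base + "topicfilter/" + f, thing_name)]
    return denied
```

Note that a bare `iotb` topic is denied: `topic/iotb/*` only covers topics under the `iotb/` prefix, exactly as the guide's sample policy intends.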
With the device connected, you should now see it connected in AWS IoT Core.
You can verify that your device was properly created by navigating to the things view in the AWS Console.
5.1.1 - Navigate to IoT Core in the AWS Console.
5.1.2 - Navigate to Add devices -> things in IoT Core.
We will use the built-in test client to verify data flow in AWS IoT Core.
5.2.1 - Navigate to Test -> MQTT test client in IoT Core.
5.2.2 - Click Subscribe to a topic, and set the topic filter to iotb/# (if using the recommended security policy), or another topic that matches your security policy.
5.2.3 - Click Subscribe.
5.2.4 - From your MQTT client, publish to iotb/test with any value you wish.
5.2.5 - Return to the MQTT test client from the previous step. You should see the message under subscriptions.
5.2.6 - In your MQTT client, subscribe to iotb/device.
5.2.7 - Return to the MQTT test client from the previous step and click Publish to a topic.
5.2.8 - Set Topic Name to iotb/device.
5.2.9 - Click Publish.
You can now connect multiple devices using the same shared auto-onboarding credentials. Each client will be allocated a connection based on its MQTT Client ID.