@Gringox
Last active March 4, 2021 21:16
Connecting to AWS IoT

Environment

  • Create a Cloud9 environment (any region but eu-south-1).
  • Platform: Ubuntu Server 18.04 LTS.
  • Leave everything else as default.

Install mosquitto MQTT client

sudo apt-add-repository ppa:mosquitto-dev/mosquitto-ppa
sudo apt-get update
sudo apt-get install mosquitto-clients

Install jq JSON parser

We will be running a few CLI commands and jq helps to parse the response from them.

sudo apt-get install jq

Create key and certificate to authenticate with AWS IoT and activate the certificate

aws iot create-keys-and-certificate --set-as-active \
    --public-key-outfile public.key \
    --private-key-outfile private.key \
    --certificate-pem-outfile certificate.pem > /tmp/create_cert_and_keys_response

If you want to look at the output from the previous command:

cat /tmp/create_cert_and_keys_response

Save the values from the previous call in environment variables:

CERTIFICATE_ARN=$(jq -r ".certificateArn" /tmp/create_cert_and_keys_response)
CERTIFICATE_ID=$(jq -r ".certificateId" /tmp/create_cert_and_keys_response)
echo $CERTIFICATE_ARN
echo $CERTIFICATE_ID

Create an IoT policy

POLICY_NAME=policy
aws iot create-policy --policy-name $POLICY_NAME \
    --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action": "iot:*","Resource":"*"}]}'

Note that this policy allows every IoT action on every resource; it is meant for testing purposes only.

Attach the policy to your certificate

aws iot attach-policy --policy-name $POLICY_NAME \
    --target $CERTIFICATE_ARN
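The testing policy above grants iot:* on every resource. The following is an added example (not part of the original gist) that builds a least-privilege policy document scoped to the topic and client IDs used in this walkthrough and, optionally, creates and attaches it with the same two CLI calls as above. It assumes the region and account ID are supplied by the caller and that CERTIFICATE_ARN and POLICY_NAME have been set as in the previous steps.

```shell
# Added example, not part of the original gist.
# Build an AWS IoT policy that only lets the listed client IDs connect and
# only lets them publish/subscribe/receive on one topic, instead of
# Allow iot:* on Resource "*".
#
# usage: scoped_policy_document REGION ACCOUNT_ID TOPIC CLIENT_ID [CLIENT_ID...]
scoped_policy_document() {
    region=$1; account=$2; topic=$3; shift 3
    clients=""
    # One client/<id> ARN per allowed MQTT client ID (the gist uses "sub" and "pub").
    for c in "$@"; do
        clients="${clients:+$clients,}\"arn:aws:iot:${region}:${account}:client/${c}\""
    done
    base="arn:aws:iot:${region}:${account}"
    # iot:Subscribe is checked against topicfilter/..., Publish and Receive against topic/...
    printf '%s' "{\"Version\":\"2012-10-17\",\"Statement\":[
  {\"Effect\":\"Allow\",\"Action\":\"iot:Connect\",\"Resource\":[${clients}]},
  {\"Effect\":\"Allow\",\"Action\":\"iot:Publish\",\"Resource\":\"${base}:topic/${topic}\"},
  {\"Effect\":\"Allow\",\"Action\":\"iot:Subscribe\",\"Resource\":\"${base}:topicfilter/${topic}\"},
  {\"Effect\":\"Allow\",\"Action\":\"iot:Receive\",\"Resource\":\"${base}:topic/${topic}\"}
]}"
}

# Create the scoped policy and attach it to the certificate from the gist.
# Needs the AWS CLI plus CERTIFICATE_ARN and POLICY_NAME from the earlier steps.
apply_scoped_policy() {
    doc=$(scoped_policy_document "$1" "$2" iot/training sub pub)
    aws iot create-policy --policy-name "${POLICY_NAME:-scoped-policy}" --policy-document "$doc"
    aws iot attach-policy --policy-name "${POLICY_NAME:-scoped-policy}" --target "$CERTIFICATE_ARN"
}

# Only talk to AWS when explicitly asked (APPLY=1), so this file can be sourced safely.
if [ "${APPLY:-0}" = 1 ]; then
    ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
    REGION=$(aws configure get region)
    apply_scoped_policy "$REGION" "$ACCOUNT_ID"
fi
```

Run it as `APPLY=1 sh scoped_policy.sh` after the certificate has been created; without APPLY it only defines the functions, so you can inspect the generated document first with `scoped_policy_document "$REGION" "$ACCOUNT_ID" iot/training sub pub`.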

Get the ATS IoT endpoint and save it to an env var

aws iot describe-endpoint --endpoint-type iot:Data-ATS > /tmp/describe_endpoint_response
IOT_ENDPOINT=$(jq -r ".endpointAddress" /tmp/describe_endpoint_response)
echo $IOT_ENDPOINT

We will be using this endpoint to connect to AWS IoT.

Get the CA certificate for the ATS endpoint

wget https://www.amazontrust.com/repository/AmazonRootCA1.pem

Connect and subscribe to topic "iot/training"

mosquitto_sub \
    --cafile AmazonRootCA1.pem \
    --cert certificate.pem \
    --key private.key \
    -h $IOT_ENDPOINT -p 8883 \
    -q 0 -t iot/training -i sub --tls-version tlsv1.2 -d

Open a new terminal to connect and publish to "iot/training"

IOT_ENDPOINT=$(jq -r ".endpointAddress" /tmp/describe_endpoint_response)
mosquitto_pub \
    --cafile AmazonRootCA1.pem \
    --cert certificate.pem \
    --key private.key \
    -h $IOT_ENDPOINT -p 8883 \
    -q 0 -t iot/training -i pub --tls-version tlsv1.2 \
    -m "{\"date\": \"$(date)\"}" -d

Play a bit

What happens if you publish with QoS 1 or QoS 2?

  • Change the flag "-q 1"
  • Change the flag "-q 2"

Publish on port 443? Yes, with ALPN:

  • Change the flag "-p 443" and add the flag "--tls-alpn x-amzn-mqtt-ca"
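As an added example (not part of the original gist), here is a small wrapper around mosquitto_pub that encodes the port rules from this section: port 8883 is plain MQTT over TLS, port 443 additionally needs the ALPN protocol x-amzn-mqtt-ca, and AWS IoT Core accepts only QoS 0 and 1, so the wrapper rejects QoS 2 before connecting rather than letting the broker drop the session. It assumes the certificate files and the IOT_ENDPOINT variable created earlier in the gist; the function and variable names are this example's own.

```shell
# Added example, not part of the original gist.

# Print the port/TLS flags mosquitto_pub needs for a given AWS IoT port,
# or fail for a port this wrapper does not know.
aws_iot_port_flags() {
    case "$1" in
        8883) printf '%s' "-p 8883 --tls-version tlsv1.2" ;;
        443)  printf '%s' "-p 443 --tls-version tlsv1.2 --tls-alpn x-amzn-mqtt-ca" ;;
        *)    echo "unsupported port: $1" >&2; return 1 ;;
    esac
}

# AWS IoT Core supports QoS 0 and 1 only; reject anything else up front.
aws_iot_check_qos() {
    case "$1" in
        0|1) return 0 ;;
        *)   echo "AWS IoT Core does not support QoS $1" >&2; return 1 ;;
    esac
}

# Publish one message using the gist's certificate files and endpoint.
# usage: aws_iot_pub TOPIC MESSAGE [PORT] [QOS]   (defaults: 8883, QoS 0)
aws_iot_pub() {
    topic=$1; msg=$2; port=${3:-8883}; qos=${4:-0}
    flags=$(aws_iot_port_flags "$port") || return 1
    aws_iot_check_qos "$qos" || return 1
    # $flags is intentionally unquoted so it splits into separate arguments.
    mosquitto_pub --cafile AmazonRootCA1.pem --cert certificate.pem --key private.key \
        -h "$IOT_ENDPOINT" $flags -q "$qos" -t "$topic" -i pub -m "$msg" -d
}
```

Usage: `aws_iot_pub iot/training "{\"date\": \"$(date)\"}" 443 1` publishes over port 443 with ALPN at QoS 1; `aws_iot_pub iot/training '{}' 8883 2` fails locally with a clear message instead of a silent disconnect.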

Publish over HTTPS with TLS mutual authentication on port 8443:

curl --tlsv1.2 \
    --cacert AmazonRootCA1.pem \
    --cert certificate.pem \
    --key private.key \
    --request POST \
    --data "{\"date\": \"$(date)\"}" \
    "https://${IOT_ENDPOINT}:8443/topics/iot/training?qos=0" \
    ; echo