Connecting MicroPython to AWS IoT using Mosquitto MQTT Relay
Create an AWS IoT policy (aws iot create-policy creates an IoT Core policy, not an IAM policy) for the bridge to connect to the IoT endpoint. The policy below allows every iot:* action on every resource, which is convenient for a first test but far wider than the bridge needs.
aws iot create-policy \
--policy-name bridge \
--policy-document '{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": "iot:*","Resource": "*"}]}'
{
"policyName": "bridge",
"policyArn": "arn:aws:iot:us-east-1:664214954715:policy/bridge",
"policyDocument": "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Action\": \"iot:*\",\"Resource\": \"*\"}]}",
"policyVersionId": "1"
}
Create certificates and keys for connecting to the IoT MQTT Endpoint
cd /etc/mosquitto/certs/
aws iot create-keys-and-certificate \
--set-as-active \
--certificate-pem-outfile cert.crt \
--private-key-outfile private.key \
--public-key-outfile public.key \
--region us-east-1
{
"certificateArn": "arn:aws:iot:us-east-1:664214954715:cert/b6091e0b3a7dde859197625dd6e2be69c45f39899a9d92a77f3263998072c825",
"certificatePem": "-----BEGIN CERTIFICATE-----\nxxxxx\n-----END CERTIFICATE-----\n",
"keyPair": {
"PublicKey": "-----BEGIN PUBLIC KEY-----\nxxxxx\n-----END PUBLIC KEY-----\n",
"PrivateKey": "-----BEGIN RSA PRIVATE KEY-----\nxxxxx\n-----END RSA PRIVATE KEY-----\n"
},
"certificateId": "b6091e0b3a7dde859197625dd6e2be69c45f39899a9d92a77f3263998072c825"
}
List the certificates and copy the ARN of the one just created; it has the form arn:aws:iot:<region>:<account-id>:cert/<certificateId>
aws iot list-certificates
Attach the policy to the certificate
ARN_OF_CERTIFICATE="arn:aws:iot:us-east-1:664214954715:cert/b6091e0b3a7dde859197625dd6e2be69c45f39899a9d92a77f3263998072c825"
aws iot attach-principal-policy \
--policy-name bridge \
--principal $ARN_OF_CERTIFICATE
Download the root CA certificates (the legacy endpoint chains to the VeriSign root, the -ats endpoint to the Amazon Trust Services roots)
# Keep the CA files in /etc/mosquitto/certs: that is the directory bridge.conf
# references below and the only one mounted into the container
cd /etc/mosquitto/certs
# VeriSign Class 3 G5 root, used by the legacy (non -ats) AWS IoT endpoint
wget -O rootCA.pem https://www.symantec.com/content/en/us/enterprise/verisign/roots/VeriSign-Class%203-Public-Primary-Certification-Authority-G5.pem
# OU = Amazon Web Services O=Amazon.com Inc. L=Seattle ST=Washington C=US
# Amazon Trust Services roots, used by the -ats endpoint
# RSA 2048 bit key: Amazon Root CA 1
wget https://www.amazontrust.com/repository/AmazonRootCA1.pem
# RSA 4096 bit key: Amazon Root CA 2
wget https://www.amazontrust.com/repository/AmazonRootCA2.pem
# ECC 256 bit key: Amazon Root CA 3
wget https://www.amazontrust.com/repository/AmazonRootCA3.pem
# ECC 384 bit key: Amazon Root CA 4
wget https://www.amazontrust.com/repository/AmazonRootCA4.pem
AWS IoT Endpoint
- Every AWS account has exactly one IoT endpoint, and it is unique to that account.
- The endpoint is provisioned by default; nothing has to be set up to create it.
List the IoT MQTT Endpoint using AWS CLI
aws iot describe-endpoint
{ "endpointAddress": "a1r7veuwhj9ahn.iot.us-east-1.amazonaws.com" }
Configure mosquitto-to-AWS bridge
FILE: /etc/mosquitto/conf.d/bridge.conf
# bridge_cafile below is AmazonRootCA1, which validates the -ats endpoint; for the
# legacy endpoint drop --endpoint-type and use rootCA.pem (VeriSign) as bridge_cafile
AWS_IOT_ENDPOINT=$(aws iot describe-endpoint --endpoint-type iot:Data-ATS | jq -r '.endpointAddress')
cat << EOF > /etc/mosquitto/conf.d/bridge.conf
##
## AWS IoT endpoint, use AWS cli: aws iot describe-endpoint
##
connection awsiot
address ${AWS_IOT_ENDPOINT}:8883
# Specifying which topics are bridged
topic awsiot_to_localgateway in 1
topic localgateway_to_awsiot out 1
topic both_directions both 1
##
## Setting protocol version
##
bridge_protocol_version mqttv311
bridge_insecure false
##
## Bridge connection name and MQTT client Id,
## enable the connection automatically
## when the broker starts.
##
cleansession true
clientid bridgeawsiot
start_type automatic
notifications false
log_type all
bridge_cafile /etc/mosquitto/certs/AmazonRootCA1.pem
bridge_certfile /etc/mosquitto/certs/cert.crt
bridge_keyfile /etc/mosquitto/certs/private.key
EOF
docker run -d \
-v /etc/mosquitto/certs:/etc/mosquitto/certs \
-v /etc/mosquitto/conf.d:/etc/mosquitto/conf.d \
-p 1883:1883 \
-p 9001:9001 \
--name mqtt toke/mosquitto
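The policy created at the top of these notes grants iot:* on every resource. As an added example (not part of the original notes), the script below reads the bridge.conf written above and derives a policy limited to the bridge's client id and the topics it actually bridges: iot:Connect for the client id, iot:Publish for "out" topics, iot:Subscribe and iot:Receive for "in" topics. Region and account id are parameters (the account id used here is a placeholder), the sample config is constructed from the page's own lines, and mosquitto's `topic pattern [direction] [qos] [local-prefix] [remote-prefix]` syntax is assumed.

```python
# Constructed sample: the relevant lines of the bridge.conf written above.
SAMPLE_CONF = """\
connection awsiot
topic awsiot_to_localgateway in 1
topic localgateway_to_awsiot out 1
topic both_directions both 1
clientid bridgeawsiot
"""

def parse_bridge_conf(text):
    """Return (clientid, [(remote_topic, direction), ...]) from a bridge config.
    Assumes mosquitto's syntax: topic pattern [[[out|in|both] qos] local-prefix remote-prefix]"""
    clientid, topics = None, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "clientid":
            clientid = parts[1]
        elif parts[0] == "topic":
            direction = parts[2] if len(parts) > 2 else "out"
            # AWS IoT sees remote-prefix + pattern, not the local topic name
            remote_prefix = parts[5] if len(parts) > 5 else ""
            topics.append((remote_prefix + parts[1], direction))
    return clientid, topics

def bridge_policy(conf_text, region, account):
    """Build an AWS IoT policy document allowing only what the bridge needs."""
    clientid, topics = parse_bridge_conf(conf_text)
    if clientid is None:
        raise ValueError("bridge config has no explicit clientid")
    prefix = "arn:aws:iot:%s:%s:" % (region, account)
    publish, subscribe, receive = [], [], []
    for topic, direction in topics:
        # topic/ ARNs take the policy wildcard '*'; topicfilter/ keeps MQTT's + and #
        star = topic.replace("#", "*").replace("+", "*")
        if direction in ("out", "both"):   # local -> AWS: the bridge publishes
            publish.append(prefix + "topic/" + star)
        if direction in ("in", "both"):    # AWS -> local: the bridge subscribes
            subscribe.append(prefix + "topicfilter/" + topic)
            receive.append(prefix + "topic/" + star)
    statements = [{"Effect": "Allow", "Action": "iot:Connect",
                   "Resource": prefix + "client/" + clientid}]
    for action, res in (("iot:Publish", publish), ("iot:Subscribe", subscribe),
                        ("iot:Receive", receive)):
        if res:
            statements.append({"Effect": "Allow", "Action": action, "Resource": res})
    return {"Version": "2012-10-17", "Statement": statements}
```

Write the result with json.dumps to a file and pass it as --policy-document file://bridge-policy.json to aws iot create-policy (or create-policy-version) in place of the iot:* document.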