Connecting MicroPython to AWS IoT using Mosquitto MQTT Relay

Create an AWS IoT policy for the bridge to connect to the IoT endpoint. The policy below allows every IoT action on every resource (iot:* on *), which is enough for a first test but should be narrowed to the bridge's own topics before production use.

aws iot create-policy \
  --policy-name bridge \
  --policy-document '{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": "iot:*","Resource": "*"}]}'

{
  "policyName": "bridge",
  "policyArn": "arn:aws:iot:us-east-1:664214954715:policy/bridge",
  "policyDocument": "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Action\": \"iot:*\",\"Resource\": \"*\"}]}",
  "policyVersionId": "1"
}

Create certificates and keys for connecting to the IoT MQTT endpoint

cd /etc/mosquitto/certs/

aws iot create-keys-and-certificate \
  --set-as-active \
  --certificate-pem-outfile cert.crt \
  --private-key-outfile     private.key \
  --public-key-outfile      public.key \
  --region us-east-1

{
    "certificateArn": "arn:aws:iot:us-east-1:664214954715:cert/b6091e0b3a7dde859197625dd6e2be69c45f39899a9d92a77f3263998072c825",
    "certificatePem": "-----BEGIN CERTIFICATE-----\nxxxxx\n-----END CERTIFICATE-----\n",
    "keyPair": {
        "PublicKey": "-----BEGIN PUBLIC KEY-----\nxxxxx\n-----END PUBLIC KEY-----\n",
        "PrivateKey": "-----BEGIN RSA PRIVATE KEY-----\nxxxxx\n-----END RSA PRIVATE KEY-----\n"
    },
    "certificateId": "b6091e0b3a7dde859197625dd6e2be69c45f39899a9d92a77f3263998072c825"
}

List the certificates and copy the ARN of the new certificate; it is used as $ARN_OF_CERTIFICATE in the next step:

aws iot list-certificates

Attach the policy to the certificate

aws iot attach-principal-policy \
  --policy-name bridge \
  --principal $ARN_OF_CERTIFICATE

Download the Amazon root CA certificate

cd /etc/mosquitto/ca_certificates

# Subject of the Amazon root CAs: OU = Amazon Web Services Inc., L = Seattle, ST = Washington, C = US
# RSA 2048 bit key: Amazon Root CA 1
# RSA 4096 bit key: Amazon Root CA 2
# ECC 256 bit key:  Amazon Root CA 3
# ECC 384 bit key:  Amazon Root CA 4

wget -O rootCA.pem 

The bridge configuration below references this file as /etc/mosquitto/certs/AmazonRootCA1.pem, so either save it under that path or adjust bridge_cafile to match.

AWS IoT Endpoint

  • Every AWS account has a single unique endpoint.
  • The endpoint is specific to each AWS account.
  • Each AWS account can only have a single endpoint.
  • The endpoint is configured by default and does not require any special effort to provision it.

List the IoT MQTT Endpoint using AWS CLI

aws iot describe-endpoint
{ "endpointAddress": "" }

Configure mosquitto-to-AWS bridge

FILE: /etc/mosquitto/conf.d/bridge.conf

AWS_IOT_ENDPOINT=$(aws iot describe-endpoint | jq '.endpointAddress' | sed 's/"//g')

cat << EOF > /etc/mosquitto/conf.d/bridge.conf
## AWS IoT endpoint, use AWS cli: aws iot describe-endpoint
connection awsiot
address ${AWS_IOT_ENDPOINT}:8883

# Specifying which topics are bridged
topic awsiot_to_localgateway in   1
topic localgateway_to_awsiot out  1
topic both_directions        both 1

## Setting protocol version; bridge_insecure stays false so the
## endpoint certificate is verified against its hostname
bridge_protocol_version mqttv311
bridge_insecure         false

## Bridge connection name and MQTT client Id,
##        enable the connection automatically
##        when the broker starts.
cleansession  true
clientid      bridgeawsiot
start_type    automatic
notifications false
log_type      all

## TLS material: Amazon root CA plus the certificate and key created above
bridge_cafile   /etc/mosquitto/certs/AmazonRootCA1.pem
bridge_certfile /etc/mosquitto/certs/cert.crt
bridge_keyfile  /etc/mosquitto/certs/private.key
EOF

Run the Mosquitto broker in Docker with the certificates and bridge configuration mounted

docker run -d \
  -v /etc/mosquitto/certs:/etc/mosquitto/certs \
  -v /etc/mosquitto/conf.d:/etc/mosquitto/conf.d \
  -p 1883:1883 \
  -p 9001:9001 \
  --name mqtt toke/mosquitto
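As a sanity check before starting the broker, here is an added Python example (not part of this write-up and not mosquitto's own code) that parses a bridge.conf in mosquitto's "option value" format and flags the settings that weaken the TLS link to AWS IoT: a port other than 8883, bridge_insecure true, a missing CA/certificate/key file, or a protocol version other than 3.1.1. The sample configuration and its endpoint hostname are constructed.

```python
from typing import Dict, List

# Constructed sample: the bridge.conf from this write-up with one setting
# deliberately weakened (bridge_insecure true) so the checker has a finding.
SAMPLE_CONF = """\
connection awsiot
address abcd1234-ats.iot.us-east-1.amazonaws.com:8883
topic awsiot_to_localgateway in   1
topic localgateway_to_awsiot out  1
topic both_directions        both 1
bridge_protocol_version mqttv311
bridge_insecure         true
cleansession  true
clientid      bridgeawsiot
bridge_cafile   /etc/mosquitto/certs/AmazonRootCA1.pem
bridge_certfile /etc/mosquitto/certs/cert.crt
bridge_keyfile  /etc/mosquitto/certs/private.key
"""


def parse_bridge_conf(text: str) -> Dict[str, List[List[str]]]:
    """Parse mosquitto 'option arg ...' lines into option -> list of arg lists.
    Comment (#) and blank lines are skipped; repeated options such as topic are kept."""
    opts: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        opts.setdefault(key, []).append(args)
    return opts


def check_bridge_conf(text: str) -> List[str]:
    """Return findings for settings that weaken the TLS/mTLS link to AWS IoT."""
    opts = parse_bridge_conf(text)
    findings: List[str] = []
    addr = (opts.get("address") or [[""]])[0]  # only the first address is checked
    if not addr or not addr[0].endswith(":8883"):
        findings.append("address must use the TLS port 8883")
    insecure = (opts.get("bridge_insecure") or [["false"]])[0]
    if insecure and insecure[0].lower() == "true":
        findings.append("bridge_insecure true disables hostname verification of the endpoint certificate")
    for opt in ("bridge_cafile", "bridge_certfile", "bridge_keyfile"):
        if opt not in opts:
            findings.append(f"{opt} missing: bridge cannot authenticate with its X.509 certificate")
    versions = [a[0] for a in opts.get("bridge_protocol_version", []) if a]
    if not versions or versions[0] == "mqttv31":
        findings.append("bridge_protocol_version should be mqttv311; AWS IoT Core does not accept MQTT v3.1")
    return findings
```

Run it against the real file with check_bridge_conf(open("/etc/mosquitto/conf.d/bridge.conf").read()); an empty list means the TLS-related settings match the configuration above.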
categories: micropython | esp8266 | nodemcu | aws-iot | mqtt | mosquitto |