AWS IoT functionality is based to a large extent on a publish/subscribe message broker that supports the MQTT protocol. The concept is simple: a device can publish messages (for example, sensor readings) to a topic, or subscribe to a topic to receive messages. The AWS IoT Developer Guide has an excellent and detailed explanation of the way the message broker operates. The AWS IoT console main page has a built-in MQTT client that can be used in a web browser with ease, but the session is lost if the browser window is closed.
It is possible to use one of the freely available MQTT clients to connect to the IoT endpoint. This can be useful in development and debugging of IoT applications. Here is how to set up MQTT.fx to work with AWS IoT.
1 Download and install MQTT.fx
The latest version of the MQTT.fx client can be downloaded here. At the moment, a large variety of installation packages for Windows, MacOS and Linux is available for version 1.1.0.
2 Create a connection profile
The nice thing about MQTT.fx is that it allows you to create multiple connection profiles. If you work with several different MQTT brokers, loading saved profiles increases convenience. Let’s first create a new profile for the AWS connection. Either go to Extras > Edit Connection Profiles in the menu or click on the gear icon to open the Connection Profiles window.
There should be two default profiles, “local mosquitto” and “M2M Eclipse”. Click on the plus sign (+) at the very bottom to create a new profile and give it a name. The Broker Address is your AWS IoT endpoint, usually a URL of the form (iot-address).iot.(region).amazonaws.com. Here, region can be, for example, us-east-1, and iot-address is your personal AWS identifier. AWS IoT uses Broker Port 8883. A unique Client ID can be generated on the spot with the Generate button.
Finally, we need to provide the SSL/TLS certificates to establish a secure connection to the message broker. Click on the SSL/TLS tab, check the Enable SSL/TLS box, and select TLS v1.2 as the protocol. Now we are going to provide Self-signed certificates (generated by AWS). Upon selecting this option, several input fields appear, asking us to provide three files: CA, Client Certificate and Client Key.
The root CA file, which serves as proof that we are really communicating with the AWS IoT server, can be downloaded here. (More about authentication can be found in the Developer Guide.) The other two files, Client Certificate and Client Key, have to be downloaded when the new certificate is created as an IoT resource.
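What the three MQTT.fx settings (TLS 1.2, the CA file, the client certificate and key) amount to in code, as an added example that is not part of the original post: the CA file is the only trust anchor, so it is what authenticates the endpoint, while the certificate and private key are the client's identity in the mutual-TLS handshake. The endpoint and file names are placeholders, and nothing here speaks MQTT; it only produces the TLS socket an MQTT library would use.

```python
import socket
import ssl

AWS_IOT_PORT = 8883  # the broker port the post configures in MQTT.fx

# Placeholder values (assumptions, not from the post): replace them with your
# own endpoint and with the files downloaded from the AWS IoT console.
ENDPOINT = "EXAMPLE-IOT-ADDRESS.iot.us-east-1.amazonaws.com"
ROOT_CA_FILE = "root-CA.crt"
CLIENT_CERT_FILE = "certificate.pem.crt"
CLIENT_KEY_FILE = "private.pem.key"


def build_tls_context(ca_path=None, cert_path=None, key_path=None):
    """Return an ssl.SSLContext matching the MQTT.fx SSL/TLS settings:
    TLS 1.2 as the minimum protocol version, the server certificate checked
    against the root CA file only (this is what authenticates the AWS IoT
    endpoint), and the device certificate plus private key presented as the
    client identity. Paths are optional only so the context can be inspected
    without the files present; a real connection needs all three."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT already turns these on; set them explicitly so a
    # later edit cannot silently weaken server authentication.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_path:
        # Only the downloaded root CA is trusted, not the OS certificate store.
        ctx.load_verify_locations(cafile=ca_path)
    if cert_path and key_path:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    return ctx


def tls_settings(ctx):
    """Summarise the security-relevant properties of a context as plain values."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def open_broker_socket(endpoint, ctx, timeout=10.0):
    """TCP-connect to the broker on 8883 and complete the mutual-TLS handshake.
    The returned socket is what an MQTT library would then speak MQTT over."""
    raw = socket.create_connection((endpoint, AWS_IOT_PORT), timeout=timeout)
    # server_hostname supplies SNI and the name used for hostname verification.
    return ctx.wrap_socket(raw, server_hostname=endpoint)


if __name__ == "__main__":
    context = build_tls_context(ROOT_CA_FILE, CLIENT_CERT_FILE, CLIENT_KEY_FILE)
    print(tls_settings(context))
    with open_broker_socket(ENDPOINT, context) as tls_sock:
        print("TLS established with", tls_sock.version())
```

The `tls_settings` helper exists so the context can be checked in a unit test without the certificate files; in a real client the three paths are mandatory, and leaving `check_hostname` or `verify_mode` at a weaker value would accept any server presenting any certificate.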
3 Create new IoT certificate
Creation of certificates was covered in the previous post about the IoT button. When the new certificate is created, the IoT web interface gives you a chance to save the key and certificate files, which are PEM-encoded. Saving the public key is not necessary in this case; we really need only the private key and the certificate.
Going back to the profile set-up window of MQTT.fx, specify the newly downloaded certificate and private key in the SSL/TLS tab and click OK. The connection parameters are now set up. However, the certificate alone does not give the MQTT client permission to connect and subscribe/publish to topics in AWS IoT. If you try pressing Connect now, MQTT.fx will display a “Connection lost” message. Permissions are granted through specific policies. Therefore, we need to create a policy and attach it to the certificate.
4 Create a policy for the certificate
We need to create a policy that allows the MQTT client to connect to the AWS server, receive data, and subscribe and publish to topics. This is accomplished in the web interface by creating a new policy with the following Actions: iot:Connect, iot:Receive, iot:Publish, iot:Subscribe. We are going to use * as the Resource, which allows the selected actions on any resource. Finally, we need to explicitly set the Effect to Allow for the listed actions. Once all fields in the Create a policy dialog are filled, click Add statement.
The newly created policy needs to be attached to the certificate. Click on the certificate and choose Attach a policy in the drop-down list of available actions. Enter the Policy Name and click Attach. With that, the MQTT.fx set-up is complete.
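The policy built in the console above, written out as the JSON document it produces, next to a least-privilege variant and a small evaluator that shows what each one grants. This is an added example, not code from the post or from AWS: the evaluator is a simplified model of IAM's rules (explicit Deny wins, any matching Allow grants, default deny), the account id is made up, and the scoped policy's client id and topic names are assumptions. It goes beyond the post's single statement by showing how Resource "*" lets the same certificate connect under any client id and subscribe to every topic, which is the practical cost of the shortcut.

```python
import re

# The policy the post builds in the console: the four IoT actions, Effect
# Allow, Resource "*". Reproduced here as the JSON document the console stores.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iot:Connect", "iot:Receive", "iot:Publish", "iot:Subscribe"],
            "Resource": "*",
        }
    ],
}

# Assumed placeholders for the scoped variant below: the region is the post's
# example, the account id is made up.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"


def iot_arn(kind, name):
    """Build an AWS IoT resource ARN of the given kind (client, topic, topicfilter, ...)."""
    return f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:{kind}/{name}"


# A least-privilege alternative (added here, not from the post): this
# certificate may connect only under one client id and may only subscribe to,
# receive from and publish under the iotbutton/ topic tree. The subscribe
# resource is a topicfilter ARN containing the literal MQTT "+", while
# receive/publish use a topic ARN with the policy wildcard "*".
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": iot_arn("client", "mqttfx-desktop")},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": iot_arn("topicfilter", "iotbutton/+")},
        {"Effect": "Allow", "Action": ["iot:Receive", "iot:Publish"],
         "Resource": iot_arn("topic", "iotbutton/*")},
    ],
}


def _wildcard_match(pattern, value):
    """IAM-style matching: '*' matches any run of characters, everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policy, action, resource):
    """Evaluate one request against a policy document (simplified IAM rules):
    a matching explicit Deny wins, otherwise any matching Allow grants,
    otherwise the request is denied by default."""
    allowed = False
    for statement in policy["Statement"]:
        action_hit = any(_wildcard_match(a, action) for a in _as_list(statement["Action"]))
        resource_hit = any(_wildcard_match(r, resource) for r in _as_list(statement["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed sample requests showing where the two policies differ.
    requests = [
        ("iot:Connect", iot_arn("client", "mqttfx-desktop")),
        ("iot:Connect", iot_arn("client", "some-other-device")),
        ("iot:Subscribe", iot_arn("topicfilter", "iotbutton/+")),
        ("iot:Subscribe", iot_arn("topicfilter", "#")),
        ("iot:Publish", iot_arn("topic", "$aws/things/sensor-1/shadow/update")),
        ("iot:DeleteThing", iot_arn("thing", "sensor-1")),
    ]
    for action, resource in requests:
        print(f"{action:16} {resource:62} open={str(is_allowed(OPEN_POLICY, action, resource)):5} "
              f"scoped={is_allowed(SCOPED_POLICY, action, resource)}")
```

Even the open policy is limited to the four listed actions, so it cannot, for instance, delete things; the difference is entirely in the Resource field, and the scoped variant is what a device certificate should normally carry once debugging is done.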
5 Connect to AWS IoT and subscribe to a topic
Click on the Connect button in MQTT.fx now, and the connection indicator will light up green, along with the lock sign indicating a secure TLS connection.
You can now subscribe and publish to any topic. For example, to see messages sent by the Amazon IoT button connected previously, subscribe to the “iotbutton/+” topic. The + is a wildcard that matches one level in the topic hierarchy, so we are subscribing to all iotbutton messages, even though they might be sent by multiple buttons. Pressing the IoT Dash button now results in a new message in MQTT.fx, which displays the message and the previous subscription history.
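The wildcard rule the post relies on, as an added example rather than code from the post or from MQTT.fx: a matcher implementing MQTT 3.1.1 topic-filter semantics, run over constructed sample messages to show exactly which topics “iotbutton/+” delivers. It also covers the two cases the single-level wildcard does not: “#” (multi-level) and the reserved “$” topics, which wildcards at the first level never match. Serial numbers and payloads are made up.

```python
def topic_matches(topic_filter, topic):
    """MQTT 3.1.1 topic-filter matching.

    '+' matches exactly one level, '#' matches the remainder of the topic
    (zero or more levels) and is only valid as the last level. Wildcards at
    the first level never match topics that start with '$' (for example the
    $aws/... reserved topics), as the specification requires."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    if topic.startswith("$") and f_levels[0] in ("+", "#"):
        return False
    for i, level in enumerate(f_levels):
        if level == "#":
            # Must be the final level; it then absorbs whatever is left,
            # including nothing at all ("a/#" matches "a").
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False  # filter has more levels than the topic
        if level != "+" and level != t_levels[i]:
            return False
    return len(t_levels) == len(f_levels)


# Constructed sample messages (topic, payload), roughly in the shape the
# post's subscription view would show. Serial numbers and payloads are made up.
SAMPLE_MESSAGES = [
    ("iotbutton/G030EXAMPLE0001", '{"clickType":"SINGLE"}'),
    ("iotbutton/G030EXAMPLE0002", '{"clickType":"DOUBLE"}'),
    ("iotbutton/G030EXAMPLE0001/status", '{"battery":"low"}'),
    ("sensors/room1/temperature", "21.5"),
    ("$aws/things/G030EXAMPLE0001/shadow/update", "{}"),
]


def deliver(topic_filter, messages=SAMPLE_MESSAGES):
    """Return the (topic, payload) pairs a subscriber to topic_filter would receive."""
    return [(t, p) for t, p in messages if topic_matches(topic_filter, t)]


if __name__ == "__main__":
    for f in ("iotbutton/+", "iotbutton/#", "+/+", "#"):
        print(f"{f:12} -> {[t for t, _ in deliver(f)]}")
```

Note that “iotbutton/+” receives the two button presses but not the deeper “iotbutton/.../status” topic, whereas “#” receives everything except the “$aws” shadow traffic; which of these a client may actually subscribe to is decided by the policy attached to its certificate, not by the filter syntax.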