AWS IoT recently launched in beta for everyone, so I started poking around with the AWS IoT Button and the MQTT broker. At some point I got the idea to connect my existing openHAB smart home control system to AWS IoT, to persist the sensor data of my house and/or integrate with the AWS IoT Button. Unfortunately the openHAB MQTT binding does not support TLS (according to the docs), and on the other hand I already had a running Mosquitto MQTT broker. So the idea of bridging messages from one broker to the other was born.
This is a short tutorial on setting up a bridge between a Mosquitto broker and the AWS IoT broker. There is no need to have openHAB running at all; this is just my use case, which I will explain a bit more in another blog post. Let's focus on setting up the bridge now:
Any connection to the AWS IoT broker needs a client identity, which in practice means an X.509 certificate with its private key, plus the AWS root CA so the client can verify the broker. The whole process is explained in detail in the AWS IoT Quickstart.
First I'm going to create a new thing which the bridge uses to connect to the broker. You should give it a self-explanatory name:
I'm going to list the commands here, but you should really understand what is going on, because you have to deal with the certificates later.
# create and activate a certificate:
aws iot create-keys-and-certificate --set-as-active --output text
Save the private and public key as mosquittobroker-private-key.pem and mosquittobroker-public-key.pem. This is the only time AWS hands out the private key: it is the bridge's identity, so write it with restrictive permissions (only the Mosquitto user needs to read it) and never commit it anywhere. The AWS CLI can also write the three files directly with --certificate-pem-outfile, --public-key-outfile and --private-key-outfile.
Saving the certificate is easier, because AWS provides a command for it:
aws iot describe-certificate --certificate-id xxx --output text --query certificateDescription.certificatePem > mosquittobroker-cert.pem
Now your certificate needs an AWS IoT policy (not an IAM policy), which you have to create first. Keep it to least privilege: allow iot:Connect only for the client id the bridge will use, and iot:Publish, iot:Subscribe and iot:Receive only for the topic prefixes you actually bridge, instead of allowing every action on Resource "*".
The policy should have the following content; save it as policy.json:
To create the policy use the command:
aws iot create-policy --policy-name "Mosquittobroker" --policy-document file://./policy.json
To attach the policy to the certificate execute the command (the generic form is shown as a comment; newer AWS CLI versions offer the same thing as aws iot attach-policy --policy-name "<policy-name>" --target "<certificate-arn>"):
# aws iot attach-principal-policy --principal "<certificate-arn>" --policy-name "<policy-name>"
aws iot attach-principal-policy --principal "arn:aws:iot:us-east-1:xxx:cert/xxx" --policy-name "Mosquittobroker"
To attach the certificate to your thing execute the command:
aws iot attach-thing-principal --thing-name "Mosquittobroker" --principal "arn:aws:iot:us-east-1:xxx:cert/xxx"
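The whole AWS-side setup as one script, added here as an example; it is not code from the original post. It runs the commands above in the same order, supplies a concrete least-privilege policy.json in place of the one elided above, and refuses to create a policy that grants anything on Resource "*" (the permit-everything policy that such setups usually start with is included only so the check has something to reject). The account id 123456789012, the client id mosquittobroker, the topic prefixes house/ and button/ and the file names are assumptions chosen for illustration; only the thing and policy name Mosquittobroker come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): provision the bridge's AWS IoT
# identity with a least-privilege policy. All identifiers below are assumptions
# chosen for illustration; only "Mosquittobroker" comes from the post.
set -eu

REGION="${REGION:-us-east-1}"
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"   # assumed AWS account id
THING_NAME="Mosquittobroker"
POLICY_NAME="Mosquittobroker"
CLIENT_ID="mosquittobroker"                # assumed MQTT client id of the bridge
OUT_PREFIX="house"                         # assumed: topics the bridge publishes to
IN_PREFIX="button"                         # assumed: topics the bridge subscribes to

# Least-privilege AWS IoT policy: the certificate may only connect with one
# client id, publish under OUT_PREFIX/ and subscribe/receive under IN_PREFIX/.
# Subscribe is matched against the literal topic filter (topicfilter/...),
# Publish and Receive against concrete topic names (topic/...).
iot_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "iot:Connect",
      "Resource": "arn:aws:iot:${REGION}:${ACCOUNT_ID}:client/${CLIENT_ID}" },
    { "Effect": "Allow", "Action": "iot:Publish",
      "Resource": "arn:aws:iot:${REGION}:${ACCOUNT_ID}:topic/${OUT_PREFIX}/*" },
    { "Effect": "Allow", "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:${REGION}:${ACCOUNT_ID}:topicfilter/${IN_PREFIX}/#" },
    { "Effect": "Allow", "Action": "iot:Receive",
      "Resource": "arn:aws:iot:${REGION}:${ACCOUNT_ID}:topic/${IN_PREFIX}/*" }
  ]
}
EOF
}

# The "allow everything" policy, shown only so the check below has something
# to reject. Do not attach this to a bridge certificate.
broad_policy_json() {
  cat <<'EOF'
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow", "Action": "iot:*", "Resource": "*" } ] }
EOF
}

# Returns 0 (true) if the policy text grants any action on Resource "*".
policy_has_wildcard_resource() {
  printf '%s' "$1" | grep -Eq '"Resource"[[:space:]]*:[[:space:]]*(\[[[:space:]]*)?"\*"'
}

# Runs the AWS CLI steps from the post in order. Not called automatically;
# invoke as: sh setup-bridge.sh provision
provision() {
  policy="$(iot_policy_json)"
  if policy_has_wildcard_resource "$policy"; then
    echo "refusing to create a policy with Resource \"*\"" >&2
    return 1
  fi
  printf '%s\n' "$policy" > policy.json

  aws iot create-thing --thing-name "$THING_NAME"

  # The private key is returned exactly once; write it with a tight umask.
  # (Alternative that keeps the key off the wire: generate a CSR locally and
  # use "aws iot create-certificate-from-csr".)
  umask 077
  CERT_ARN="$(aws iot create-keys-and-certificate --set-as-active \
    --certificate-pem-outfile mosquittobroker-cert.pem \
    --public-key-outfile      mosquittobroker-public-key.pem \
    --private-key-outfile     mosquittobroker-private-key.pem \
    --query certificateArn --output text)"

  aws iot create-policy --policy-name "$POLICY_NAME" --policy-document file://policy.json
  aws iot attach-principal-policy --policy-name "$POLICY_NAME" --principal "$CERT_ARN"
  aws iot attach-thing-principal --thing-name "$THING_NAME" --principal "$CERT_ARN"
  # Print the endpoint the bridge has to connect to.
  aws iot describe-endpoint --query endpointAddress --output text
}

if [ "${1:-}" = "provision" ]; then provision; fi
```

Only the function definitions run when the file is sourced; `sh setup-bridge.sh provision` performs the AWS calls. The client id in the Connect statement has to be exactly the id the bridge presents to AWS IoT, and the topicfilter resource has to be the literal filter the bridge subscribes to (button/#), otherwise AWS IoT closes the connection instead of returning an error.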
Verify everything is correct by subscribing with the new certificate (xxx stands for the prefix of your own AWS IoT endpoint):
mosquitto_sub --cafile ./iot-root-ca.pem --cert ./mosquittobroker-cert.pem --key ./mosquittobroker-private-key.pem -h "xxx.iot.us-east-1.amazonaws.com" -p 8883 -q 1 -d -t topic/test -i clientid1
If you would like to find out your AWS IoT endpoint, execute:
aws iot describe-endpoint
The client id (-i) and the topic (-t) must be permitted by the policy you attached; otherwise AWS IoT simply closes the connection. Depending on your system configuration you might need to add --insecure, which disables verification that the hostname in the server certificate matches the endpoint you connect to. Use it only to find out whether TLS is the problem, never in a permanent setup; the corresponding bridge option in mosquitto.conf is bridge_insecure.
Copy the PEM files (root CA, certificate, private key) to the directory your mosquitto.conf points at and make them readable for the Mosquitto user; the private key should be readable by that user only.
You need to configure your own topic patterns (see the bridge section of the mosquitto.conf(5) man page; the syntax is topic pattern [[[ out | in | both ] qos-level] local-prefix remote-prefix]). In this example the direction is set to both, so messages flow in both directions. This is very simple, but you have to take care of circular message flow yourself: configure distinct local and remote prefixes, or better, split the traffic into separate out and in topic lines whose patterns do not overlap, so a message can never be bridged back to where it came from.
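A bridge section for AWS IoT, added here as an example (not the post's own configuration), together with a small lint that rejects the settings AWS IoT will not accept (QoS 2, $SYS notifications, Mosquitto's private bridge protocol, persistent sessions) and the ones that weaken TLS (a missing CA file, bridge_insecure true, a non-TLS port). The certificate directory, the client id mosquittobroker, the local prefix home/ and the remote prefixes house/ and "" are assumptions; the endpoint uses the post's xxx placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): write the bridge section of
# mosquitto.conf for AWS IoT and check it before restarting the broker.
# Paths, prefixes and the client id are assumptions chosen for illustration.
set -eu

CERT_DIR="${CERT_DIR:-/etc/mosquitto/certs}"          # assumed location of the PEM files
ENDPOINT="${ENDPOINT:-xxx.iot.us-east-1.amazonaws.com}" # the post's placeholder endpoint
CLIENT_ID="mosquittobroker"   # must equal client/<id> in the attached IoT policy

bridge_conf() {
  cat <<EOF
connection awsiot
address ${ENDPOINT}:8883
bridge_protocol_version mqttv311
remote_clientid ${CLIENT_ID}
# AWS IoT does not speak Mosquitto's private bridge protocol, does not allow
# publishing to the reserved \$SYS topics, and expects clean sessions.
try_private false
notifications false
cleansession true
start_type automatic
keepalive_interval 60

# TLS: verify the AWS root CA, authenticate with the device certificate and
# keep hostname verification on.
bridge_cafile ${CERT_DIR}/iot-root-ca.pem
bridge_certfile ${CERT_DIR}/mosquittobroker-cert.pem
bridge_keyfile ${CERT_DIR}/mosquittobroker-private-key.pem
bridge_insecure false

# One-way lines with distinct prefixes instead of "both" on one pattern:
# the in and out patterns do not overlap, so a message cannot loop.
# local home/sensors/<x>  ->  remote house/sensors/<x>
topic sensors/# out 1 home/ house/
# remote button/<x>       ->  local  home/button/<x>
topic button/# in 1 home/ ""
EOF
}

# True if the config text contains a line matching the extended regex.
conf_has() { printf '%s\n' "$1" | grep -Eq "$2"; }

# Returns 0 if the bridge config is acceptable for AWS IoT, 1 otherwise,
# printing one line per finding.
lint_bridge_conf() {
  conf="$1"; rc=0
  conf_has "$conf" '^try_private[[:space:]]+true'     && { echo "try_private must be false"; rc=1; }
  conf_has "$conf" '^notifications[[:space:]]+true'   && { echo "notifications must be false (\$SYS is reserved)"; rc=1; }
  conf_has "$conf" '^cleansession[[:space:]]+false'   && { echo "cleansession must be true"; rc=1; }
  conf_has "$conf" '^bridge_insecure[[:space:]]+true' && { echo "bridge_insecure true disables hostname verification"; rc=1; }
  conf_has "$conf" '^topic[[:space:]]+[^[:space:]]+[[:space:]]+(in|out|both)[[:space:]]+2([[:space:]]|$)' \
    && { echo "QoS 2 is not supported by AWS IoT"; rc=1; }
  conf_has "$conf" '^address[[:space:]]+.*:8883'      || { echo "address must use port 8883 (TLS)"; rc=1; }
  for opt in bridge_cafile bridge_certfile bridge_keyfile; do
    conf_has "$conf" "^${opt}[[:space:]]+" || { echo "$opt missing"; rc=1; }
  done
  return $rc
}

# Invoke as: sh bridge-conf.sh write
# Assumes the Debian-style "include_dir /etc/mosquitto/conf.d" in mosquitto.conf.
if [ "${1:-}" = "write" ]; then
  conf="$(bridge_conf)"
  lint_bridge_conf "$conf"
  printf '%s\n' "$conf" > /etc/mosquitto/conf.d/awsiot.conf
fi
```

The remote_clientid is what AWS IoT checks against the client/... resource of the IoT policy, and the topic the bridge subscribes to on the remote side (button/#, with an empty remote prefix) is what it checks against the topicfilter/... resource, so keep the two configurations in step.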
Now restart Mosquitto and watch the log file for the new bridge connection.
It should look like this:
mosquitto version 1.4.4 (build date Thu, 17 Sep 2015 16:11:28 +0100) starting
Config loaded from /etc/mosquitto/mosquitto.conf.
Opening ipv4 listen socket on port 1883.
Opening ipv6 listen socket on port 1883.
Connecting bridge awsiot (xxx.iot.us-east-1.amazonaws.com:8883)