AWS IoT core and MQTT services: creating AWS thing with certificate and policy – 2


Now we need to connect our device via MQTT. Amazon secures the connection with a certificate generated directly from the web interface, and each certificate can be used by only one device, so if you want to create five devices you must create five certificates.

Amazon AWS IoT Core MQTT create IoT things with certificate and policy

For an esp8266, esp32, or Arduino device to communicate, it must connect to AWS IoT Core with device credentials. You must also specify the topics it has permission to publish and subscribe to.

Select correct region

To prevent errors, it's essential to select the correct region in which to develop and host your resources.

  • North America the default region is us-east-1
  • Europe I select eu-west-1

Pay attention: if you select a region not supported by your Alexa device, your skill will not work when you test it on the device.
To support all devices, you must release the lambda in multiple regions.

Retrieve your Account ID

First, you need your Account ID: open the Account Settings link, copy the Account Id value, and put it in the [Account ID] section of the setup.txt file.

Retrieve IoT MQTT EndPoint

IoT Core creates an MQTT endpoint for you; you can find it in the AWS IoT Console by clicking Settings in the left menu.

https://eu-west-1.console.aws.amazon.com/iot/home?region=eu-west-1#/settings (Europe)
https://us-east-1.console.aws.amazon.com/iot/home?region=us-east-1#/settings (North America)

Copy the custom endpoint XXXXXXXXXXXXXX-ats.iot.eu-west-1.amazonaws.com and paste it into the [IoT MQTT EndPoint] section of setup.txt.

Create new thing

In the project you have already downloaded, check the folder esp8266_relay_iot_core/certificates.

  1. In the AWS IoT console (IoT Core), choose Manage and then Things from the left menu.
    Or directly:
https://us-east-1.console.aws.amazon.com/iot/home?region=us-east-1#/thinghub (North America)
https://eu-west-1.console.aws.amazon.com/iot/home?region=eu-west-1#/thinghub (Europe)
  2. Then click the Create button in the top right, then Register a single AWS IoT thing.
  3. Name the new thing esp8266_relay, and copy this name into the [Device name] section of the setup.txt file as well. Leave the remaining fields set to their defaults. Choose Next.
  4. Choose Create certificate.
  5. Download into the folder esp8266_relay_iot_core/certificates: the thing certificate and the private key; then click the Download link next to A root CA for AWS IoT and select Amazon Root CA 1.
  6. Choose Activate.
  7. Then click Attach a policy.
  8. For now, click Done here.
IoT Core esp8266 esp32 MQTT Certificates download

Create a policy

  1. Now in the AWS IoT Console click Secure in the left menu and then Policies in the sub-menu.
https://eu-west-1.console.aws.amazon.com/iot/home?region=eu-west-1#/policyhub (Europe)
https://us-east-1.console.aws.amazon.com/iot/home?region=us-east-1#/policyhub (North America)
  2. Click the Create button in the top right.
  3. Name the policy esp8266_relay_policy. Choose the Advanced tab.
  4. Paste in the following policy template.
IoT Core Create a policy to allow connection

Generic template (check the tags surrounded by [] and substitute the values from the setup.txt file). Note that iot:Subscribe is granted on a topicfilter resource while iot:Receive and iot:Publish are granted on topic resources, and iot:Connect is limited to the client ID equal to the thing name.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:[Region]:[Account ID]:client/[Device name]"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:[Region]:[Account ID]:topicfilter/relay/sub"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:[Region]:[Account ID]:topic/relay/sub"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:[Region]:[Account ID]:topic/relay/pub"
    }
  ]
}

Europe (look at the region)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:eu-west-1:XXXXXXXXXXXX:client/esp8266_relay"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:eu-west-1:XXXXXXXXXXXX:topicfilter/relay/sub"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:eu-west-1:XXXXXXXXXXXX:topic/relay/sub"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:eu-west-1:XXXXXXXXXXXX:topic/relay/pub"
    }
  ]
}

North America (look at the region)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-east-1:XXXXXXXXXXXX:client/esp8266_relay"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-1:XXXXXXXXXXXX:topicfilter/relay/sub"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:us-east-1:XXXXXXXXXXXX:topic/relay/sub"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:us-east-1:XXXXXXXXXXXX:topic/relay/pub"
    }
  ]
}
  5. Replace XXXXXXXXXXXX with your Account ID, which can be found in setup.txt.
  6. Choose Create.
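As an added example (not code from the original project), the following Python script renders the generic template above from setup.txt values and then lints the result the way a reviewer would before pasting it into the console: leftover [] tags, wildcard resources, a statement whose action does not match its resource type (topicfilter versus topic), and a Connect client ID that differs from the thing name. The setup.txt layout ("[Section] value" per line) is an assumption for this example.

```python
import json
import re

# Constructed stand-in for the tutorial's setup.txt (the real layout may differ): one "[Section] value" line per tag.
SETUP_TXT = """\
[Region] eu-west-1
[Account ID] 123456789012
[Device name] esp8266_relay
"""

# The tutorial's generic template; [] tags are substituted from setup.txt.
POLICY_TEMPLATE = """{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Action": "iot:Connect", "Resource": "arn:aws:iot:[Region]:[Account ID]:client/[Device name]"},
 {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": "arn:aws:iot:[Region]:[Account ID]:topicfilter/relay/sub"},
 {"Effect": "Allow", "Action": "iot:Receive", "Resource": "arn:aws:iot:[Region]:[Account ID]:topic/relay/sub"},
 {"Effect": "Allow", "Action": "iot:Publish", "Resource": "arn:aws:iot:[Region]:[Account ID]:topic/relay/pub"}]}"""

# Resource type each action must name: Subscribe on a topicfilter, Receive/Publish on a topic, Connect on a client id.
EXPECTED_TYPE = {"iot:Connect": "client", "iot:Subscribe": "topicfilter",
                 "iot:Receive": "topic", "iot:Publish": "topic"}
ARN = re.compile(r"^arn:aws:iot:([a-z0-9-]+):(\d{12}):(client|topicfilter|topic)/(.+)$")

def parse_setup(text):
    """Read '[Section] value' lines into a dict keyed by section name."""
    return dict(re.findall(r"^\[([^\]]+)\]\s*(\S+)", text, re.M))

def render_policy(template, setup):
    """Substitute every [tag] with its setup.txt value and parse the result as JSON."""
    for tag, value in setup.items():
        template = template.replace(f"[{tag}]", value)
    return json.loads(template)

def lint_policy(policy, setup):
    """Return least-privilege findings: leftover tags, wildcards, wrong ARN shape or scope."""
    findings = []
    for st in policy["Statement"]:
        action, res = st["Action"], st["Resource"]
        m = ARN.match(res)
        if not m:  # catches unsubstituted [tags], a bare "*" and non-IoT ARNs
            findings.append(f"{action}: malformed or unsubstituted resource {res}")
            continue
        region, account, rtype, name = m.groups()
        checks = [
            ("*" in name, f"{action}: wildcard in resource {res}"),
            (rtype != EXPECTED_TYPE.get(action), f"{action}: should target a {EXPECTED_TYPE.get(action)}/ resource"),
            ((region, account) != (setup["Region"], setup["Account ID"]), f"{action}: region or account differs from setup.txt"),
            (action == "iot:Connect" and name != setup["Device name"], f"iot:Connect: client id {name} is not the thing name"),
        ]
        findings += [msg for bad, msg in checks if bad]
    return findings
```

An empty findings list means the rendered policy grants exactly what the tutorial's template describes and nothing broader.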

Attach a policy to an object

  1. In the AWS IoT console, choose Secure, then Certificates. Select the certificate created for your device; you can identify it by checking the prefix of the certificate file you downloaded earlier. Tick the certificate and, in the Actions menu in the top right, choose Attach policy.
  2. Choose esp8266_relay_policy, then Attach.
IoT Core Attach policy to a certificate

Your AWS IoT device is now configured with permission to connect to AWS IoT Core. It can also publish to the topic relay/pub and subscribe to the topic relay/sub, and nothing else. For more information on securing devices, see AWS IoT Policies.
Copy relay/pub and relay/sub into the [IoT MQTT publish topic] and [IoT MQTT subscribe topic] sections of our setup.txt file, respectively.

Thanks

  1. AWS IoT core and MQTT services: introduction and prerequisite
  2. AWS IoT core and MQTT services: creating AWS thing with certificate and policy
  3. AWS IoT core and MQTT services: connect esp8266 devices
  4. AWS IoT core and MQTT services: connect esp32 devices
  5. AWS IoT core and MQTT services: connect Arduino SAMD (WiFiNINA) devices
  6. AWS IoT core and MQTT services: test with console and MQTT.fx

