Connecting to aws iot core with mqtt username and password

serkanersoy
December 6, 2022
215 views
0 votes
2 Answers

The example in the aws tutorial does not show the login method via mqtt with username and password. How can I connect with Custom Authentication using username and password?

I tried with custom authentication but it didn’t work.

I tried to create custom authontication with port 443 without using X.509 certificate. link: https://docs.aws.amazon.com/iot/latest/developerguide/protocols.html

I followed the steps in the aws docs. I edited some parts for login with MQTT username and password.
link : https://docs.aws.amazon.com/iot/latest/developerguide/config-custom-auth.html
And this is my Authorizer

This is my Lambda Function (arn addresses are correct)

// A simple Lambda function for an authorizer.

exports.handler = function(event, context, callback) { 
   var uname = event.protocolData.mqtt.username;
    var pwd = event.protocolData.mqtt.password;
    var buff = new Buffer(pwd, 'base64');
    var passwd = buff.toString('ascii');
    switch (passwd) { 
        case 'test': 
            callback(null, generateAuthResponse(passwd, 'Allow')); 
        default: 
            callback(null, generateAuthResponse(passwd, 'Deny'));  
    }
};

// Helper function to generate the authorization response.
var generateAuthResponse = function(token, effect) { 
    var authResponse = {}; 
    authResponse.isAuthenticated = true; 
    authResponse.principalId = 'TEST123'; 
    
    var policyDocument = {}; 
    policyDocument.Version = '2012-10-17'; 
    policyDocument.Statement = []; 
    var publishStatement = {}; 
    var connectStatement = {};
    connectStatement.Action = ["iot:Connect"];
    connectStatement.Effect = effect;
    connectStatement.Resource = ["arn:aws:iot:eu-west-1:<myarn>:client/myClientName"];
    publishStatement.Action = ["iot:Publish"]; 
    publishStatement.Effect = effect; 
    publishStatement.Resource = ["arn:aws:iot:eu-west-1:<myarn>:topic/telemetry/myClientName"]; 
    policyDocument.Statement[0] = connectStatement;
    policyDocument.Statement[1] = publishStatement; 
    authResponse.policyDocuments = [policyDocument]; 
    authResponse.disconnectAfterInSeconds = 3600; 
    authResponse.refreshAfterInSeconds = 300;
    
    return authResponse; 
}

Everything seems fine when I test it using the aws cli.
I am using node-red for testing. But I can’t connect.
I also can’t connect when I try with mosquitto.

Answers

- doncoleman
- December 7, 2022 at 12:59 am
- 0 votes
0
AWS IoT Core really wants you to use a client certificate to connect to the MQTT broker.

Alternately you can have your server generate a signature version 4 url using your access key id and secret access key for an authorized user. I don’t like this way, but it works in a pinch. See https://glitch.com/edit/#!/itp-arduino-workshop?path=AWS-IoT-ws-url.js for one way to do this.

A better way is to setup Cognito to allow access to IoT Core. The AWS Innovator Island tutorial demonstrates how to do this. See the backend section of part 2 for more details.

Login or Signup to reply.

- masaino
- December 10, 2022 at 10:30 am
- 0 votes
0
I made it work the sample authorizer code with the following client. No encoding is required for the password.
```
mosquitto_sub 
--cafile AmazonRootCA1.pem 
-h <your-endpoint>-ats.iot.<region>.amazonaws.com 
-p 443 
-u 'test?x-amz-customauthorizer-name=AuthorizerName' 
-P 'test' 
-t 'notification' 
-i browser 
--tls-alpn mqtt 
-d
Client browser sending CONNECT
Client browser received CONNACK (0)
Client browser sending SUBSCRIBE (Mid: 1, Topic: notification, QoS: 0, Options: 0x00)
Client browser received SUBACK
Subscribed (mid: 1): 0
```
Do you see any error in your logs?
- aws logs tail --follow AWSIotLogsV2
- aws logs tail --follow /aws/lambda/AuthorizerFunctionName
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.