AWS IoT from Mbed OS device

This page introduces an example program connecting to AWS IoT from a Mbed device with MQTT over TLS.

Project Page is here: https://os.mbed.com/users/coisme/code/Mbed-to-AWS-IoT/

Program is tested on these platforms:

Prepare AWS IoT

Go to the IoT Core.

/media/uploads/coisme/001.png

Create Policy

First, create a policy. From the left side menu, select Secure > Policies. Then, click Create button.

/media/uploads/coisme/002.png

Input Name anything you like. Then Click Advanced Mode.

/media/uploads/coisme/003.png

Replace the text field with the texts below. Then click the Create button.

/media/uploads/coisme/004.png

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "*"
    }
  ]
}

Add an IoT device

Next, adds an IoT device, called a thing. From the left menu, click Manage > Things. Then click Create button at the right top corner.

/media/uploads/coisme/005.png

Click Create a single thing button.

/media/uploads/coisme/006.png

Input Name anything you like. Then click Next button at the right bottom corner.

/media/uploads/coisme/007.png

Click Create certificate button.

/media/uploads/coisme/008.png

Certificates are created.

/media/uploads/coisme/009.png

Download these 3 files:

  1. A certificate for this thing (*.cert.pem)
  2. A private key (*.private.key)
  3. Root CA for AWS IoT (Save as rootCA.pem) - Choose RSA 2048 bit key: Amazon Root CA 1

Save them in your local machine. Don't share the private key file (*.private.key) with anyone. In addition, don't forget to click Activate button to enable this certificate. Then, click Attach a policy button.

Choose the policy which made in the previous section and click Register Thing button.

/media/uploads/coisme/010.png

That's it!

Build Project

Let's build the example project.

Import

First, you need to import the example project into your workspace. Visit the page below and click Import into Compiler. Then the program will be imported into your online compiler.

https://os.mbed.com/users/coisme/code/Mbed-to-AWS-IoT/

/media/uploads/coisme/011.png

Modify Parameters

Parameters needs to be set are in MQTT_server_setting.h.

MQTT_server_setting.h

#ifndef __MQTT_SERVER_SETTING_H__
#define __MQTT_SERVER_SETTING_H__

const char MQTT_SERVER_HOST_NAME[] = "<< REPLACE_HERE >>";
const char MQTT_CLIENT_ID[] = "<< REPLACE_HERE >>";
const char MQTT_USERNAME[] = "<< REPLACE_HERE >>";
const char MQTT_PASSWORD[] = "<< REPLACE_HERE >>";
const char MQTT_TOPIC_PUB[] = "<< REPLACE_HERE >>";
const char MQTT_TOPIC_SUB[] = "<< REPLACE_HERE >>";


const int MQTT_SERVER_PORT = 8883;

/*
 * Root CA certificate here in PEM format.
 * "-----BEGIN CERTIFICATE-----\n"
 * ...
 * "-----END CERTIFICATE-----\n";
 */
const char SSL_CA_PEM[] = NULL;

/*
 * (optional) Client certificate here in PEM format.
 * Set NULL if you don't use.
 * "-----BEGIN CERTIFICATE-----\n"
 * ...
 * "-----END CERTIFICATE-----\n";
 */
const char* SSL_CLIENT_CERT_PEM = NULL;


/*
 * (optional) Client private key here in PEM format.
 * Set NULL if you don't use.
 * "-----BEGIN RSA PRIVATE KEY-----\n"
 * ...
 * "-----END RSA PRIVATE KEY-----\n";
 */
const char* SSL_CLIENT_PRIVATE_KEY_PEM = NULL;

#endif /* __MQTT_SERVER_SETTING_H__ */

Endpoint

Replace the content of MQTT_SERVER_HOST_NAME with the Endpoint taken from AWS IoT. You can find your endpoint from Settings in the left menu.

/media/uploads/coisme/013.png

Root CA

Replace the content of SSL_CA_PEM with the content in rootCA.pem downloaded above. You need to add " at the head of each line and \n" at the end of each line. Your SSL_CA_PEM become look like this:

const char SSL_CA_PEM[] =
"-----BEGIN CERTIFICATE-----\n"
"MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB\n"
"yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL\n"
"ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp\n"
"U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW\n"
"ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0\n"
"aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL\n"
"MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW\n"
"ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln\n"
"biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp\n"
"U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y\n"
"aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1\n"
"nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex\n"
"t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz\n"
"SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG\n"
"BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+\n"
"rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/\n"
"NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E\n"
"BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH\n"
"BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy\n"
"aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv\n"
"MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE\n"
"p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y\n"
"5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK\n"
"WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ\n"
"4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N\n"
"hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq\n"
"-----END CERTIFICATE-----\n";

Client Certificate

Replace the content of SSL_CLIENT_CERT_PEM with the content in *.cert.pem download above. You need to add " at the head of each line and \n" at the end of each line. The content in the file should start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

Client Private Key

Replace the content of SSL_CLIENT_PRIVATE_KEY_PEM with the content in *.private.pem download above. You need to add " at the head of each line and \n" at the end of each line. The content in the file should start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.

Do not share the private key information with anyone.

Client ID, Username, and Password

AWS IoT Core doesn't care about the contents of MQTT_CLIENT_ID, MQTT_USERNAME, and MQTT_PASSWORD. You can set any string follows MQTT naming convention.

Topic Name

You can set a topic name for publish and subscribe. MQTT_TOPIC_PUB is for publishing and MQTT_TOPIC_SUB is for subscribing. You can set any name follows MQTT naming convention.

Wi-Fi setting (for Wi-Fi boards)

If you use a Wi-Fi, set the security mode and SSID and Passoword in mbed_app.json.

            "nsapi.default-wifi-security": "WPA_WPA2",
            "nsapi.default-wifi-ssid": "\"SSID\"",
            "nsapi.default-wifi-password": "\"PASSWORD\""

Build .bin

After settings are finished, click Compile button. You'll get Mbed-to-AWS-IoT_K64F.bin (If you changed project name or target board, the file name may be different.)

Launch Application

Copy the .bin file to your target board. To launch the application, push the reset button on your board.


15 comments on AWS IoT from Mbed OS device:

28 Jun 2018

Hi Can I use the same to DISCO_L475VG_IOT01A IoT NODE board which is having a • Wi-Fi ® module Inventek ISM43362-M3G-L44.

I am asking because i am getting a compilation ERROR for the , please help if you know the alternative. I have posted a question https://os.mbed.com/questions/81674/MQTT-STM32L475-IoT-Node-Compilation-ERRO/

06 Jul 2018

Hi Osamu, I am trying to connect up a LPC1768 (mounted on mbed application board) to AWS IoT services. I followed the instructions in this page and applied the modifications you mentioned in (https://os.mbed.com/questions/81627/How-to-connect-LPC1768-with-AWS-IOT-usin/). The program successfully compiled but when trying to connect to AWS it gives the following error:

Connecting to host a1kh44b0w41iw7.iot.eu-west-1.amazonaws.com:443 ... ERROR: rc from TCP connect is -32512

Any idea where the problem could be?

I also attached the screenshot of the serial output. /media/uploads/eodanesh/screen_shot_2018-07-06_at_23.25.30.png

15 Sep 2018

Ehsan Danesh wrote:

Hi Osamu, I am trying to connect up a LPC1768 (mounted on mbed application board) to AWS IoT services. I followed the instructions in this page and applied the modifications you mentioned in (https://os.mbed.com/questions/81627/How-to-connect-LPC1768-with-AWS-IOT-usin/). The program successfully compiled but when trying to connect to AWS it gives the following error:

Connecting to host a1kh44b0w41iw7.iot.eu-west-1.amazonaws.com:443 ... ERROR: rc from TCP connect is -32512

Any idea where the problem could be?

I also attached the screenshot of the serial output. /media/uploads/eodanesh/screen_shot_2018-07-06_at_23.25.30.png

Hi - I get the very same error. Did you find a fix ?

16 Sep 2018

Hi, sorry that I missed your comment so long time...

The value -32512 is -0x7F00 in hex, which is error code of memory allocation in TLS library. https://github.com/ARMmbed/mbed-os/blob/0cd43157d18b4c7e6ab751e8a3c851cf136323b3/features/mbedtls/inc/mbedtls/ssl.h#L100

You may need to tweak memory setting or move to another memory richer target board.

Ehsan Danesh wrote:

Hi Osamu, I am trying to connect up a LPC1768 (mounted on mbed application board) to AWS IoT services. I followed the instructions in this page and applied the modifications you mentioned in (https://os.mbed.com/questions/81627/How-to-connect-LPC1768-with-AWS-IOT-usin/). The program successfully compiled but when trying to connect to AWS it gives the following error:

Connecting to host a1kh44b0w41iw7.iot.eu-west-1.amazonaws.com:443 ... ERROR: rc from TCP connect is -32512

Any idea where the problem could be?

I also attached the screenshot of the serial output. /media/uploads/eodanesh/screen_shot_2018-07-06_at_23.25.30.png

16 Sep 2018

Hi, please see my response to Ehsan. LPC1786 has 32KB RAM but it seems too small to handle TLS feature...

Andres Meira wrote:

Ehsan Danesh wrote:

Hi Osamu, I am trying to connect up a LPC1768 (mounted on mbed application board) to AWS IoT services. I followed the instructions in this page and applied the modifications you mentioned in (https://os.mbed.com/questions/81627/How-to-connect-LPC1768-with-AWS-IOT-usin/). The program successfully compiled but when trying to connect to AWS it gives the following error:

Connecting to host a1kh44b0w41iw7.iot.eu-west-1.amazonaws.com:443 ... ERROR: rc from TCP connect is -32512

Any idea where the problem could be?

I also attached the screenshot of the serial output. /media/uploads/eodanesh/screen_shot_2018-07-06_at_23.25.30.png

Hi - I get the very same error. Did you find a fix ?

20 Oct 2018

Hi Osamu,

I follow your tutorial using the STM32 (DISCO-L475-IOT01A) with a little code changes for the WiFi using ST's demo lib to get the proper derived NetworkInterface instance. I did not touch the TLSSocket for it, so it's still the same that you used. However, I am now having issues with the certificate:

[INFO][TLSW]: mbedtls_ssl_conf_ca_chain()
[INFO][TLSW]: mbedtls_ssl_config_defaults()
[INFO][TLSW]: mbedtls_ssl_conf_authmode()
[INFO][TLSW]: mbedtls_ssl_conf_rng()
[INFO][TLSW]: mbedtls_ssl_setup()
[INFO][TLSW]: Starting TLS handshake with XXXXXXXXXXXXXX-ats.iot.eu-central-1.amazonaws.com
[ERR ][TLSW]: mbedtls_ssl_handshake() failed: -0x2700 (-9984): X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

Do you have any idea on how to solve that?

Many thanks in advance! (Great tutorial BTW!)

Jan

21 Oct 2018

Jan Kammerath wrote:

Hi Osamu,

I follow your tutorial using the STM32 (DISCO-L475-IOT01A) with a little code changes for the WiFi using ST's demo lib to get the proper derived NetworkInterface instance. I did not touch the TLSSocket for it, so it's still the same that you used. However, I am now having issues with the certificate:

[INFO][TLSW]: mbedtls_ssl_conf_ca_chain()
[INFO][TLSW]: mbedtls_ssl_config_defaults()
[INFO][TLSW]: mbedtls_ssl_conf_authmode()
[INFO][TLSW]: mbedtls_ssl_conf_rng()
[INFO][TLSW]: mbedtls_ssl_setup()
[INFO][TLSW]: Starting TLS handshake with XXXXXXXXXXXXXX-ats.iot.eu-central-1.amazonaws.com
[ERR ][TLSW]: mbedtls_ssl_handshake() failed: -0x2700 (-9984): X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

Do you have any idea on how to solve that?

Many thanks in advance! (Great tutorial BTW!)

Jan

Found the solution myself: updated the STM32L4's firmware, updated all libs (incl. TLSSocket) and used Amazon Root CA1 instead of the Verisign Legacy one in your example.

27 Nov 2018

Hi Jan,

Soooory, I didn't notice your post. I'm looking for the option to enable email notification for posts on this page... and thank you for sharing your experience about Root CA. I'll add that information in this note.

Osamu

Jan Kammerath wrote:

Jan Kammerath wrote:

Hi Osamu,

I follow your tutorial using the STM32 (DISCO-L475-IOT01A) with a little code changes for the WiFi using ST's demo lib to get the proper derived NetworkInterface instance. I did not touch the TLSSocket for it, so it's still the same that you used. However, I am now having issues with the certificate:

[INFO][TLSW]: mbedtls_ssl_conf_ca_chain()
[INFO][TLSW]: mbedtls_ssl_config_defaults()
[INFO][TLSW]: mbedtls_ssl_conf_authmode()
[INFO][TLSW]: mbedtls_ssl_conf_rng()
[INFO][TLSW]: mbedtls_ssl_setup()
[INFO][TLSW]: Starting TLS handshake with XXXXXXXXXXXXXX-ats.iot.eu-central-1.amazonaws.com
[ERR ][TLSW]: mbedtls_ssl_handshake() failed: -0x2700 (-9984): X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

Do you have any idea on how to solve that?

Many thanks in advance! (Great tutorial BTW!)

Jan

Found the solution myself: updated the STM32L4's firmware, updated all libs (incl. TLSSocket) and used Amazon Root CA1 instead of the Verisign Legacy one in your example.

18 Dec 2018

Hello,

I am using DISCO_L475VG_IOT01A. I have tried this and it all goes well until the part Connecting to host << ....> >>: 8883

I reach that on the serial monitor, but it never moves forward or give an error. Checking the AWS Monitor, I see that my device does successfully connect (some times 2 or 3 times at once). I am not sure why this doesn't work? I tried changing the mbed-trace.enable and tls-socket.debug-level to 1 but it gives no error details.

Thank you for your time, Chris

22 Jan 2019

A useful tutorial but would be a bit better if what was been entered on the video, to publish and subscribe to a topic, could be read or described in the text to help a beginner get started. I'm guessing that a '#' was used as a wildcard for the subscription topic. I also guess that both the MQTT_TOPIC_PUB and MQTT_TOPIC_SUB had been set to "mbed-test" and that was the topic name used in the publish window.

Best wishes J

02 Feb 2019

Jan Kammerath wrote:

Jan Kammerath wrote:

Hi Osamu,

I follow your tutorial using the STM32 (DISCO-L475-IOT01A) with a little code changes for the WiFi using ST's demo lib to get the proper derived NetworkInterface instance. I did not touch the TLSSocket for it, so it's still the same that you used. However, I am now having issues with the certificate:

[INFO][TLSW]: mbedtls_ssl_conf_ca_chain()
[INFO][TLSW]: mbedtls_ssl_config_defaults()
[INFO][TLSW]: mbedtls_ssl_conf_authmode()
[INFO][TLSW]: mbedtls_ssl_conf_rng()
[INFO][TLSW]: mbedtls_ssl_setup()
[INFO][TLSW]: Starting TLS handshake with XXXXXXXXXXXXXX-ats.iot.eu-central-1.amazonaws.com
[ERR ][TLSW]: mbedtls_ssl_handshake() failed: -0x2700 (-9984): X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

Do you have any idea on how to solve that?

Many thanks in advance! (Great tutorial BTW!)

Jan

Found the solution myself: updated the STM32L4's firmware, updated all libs (incl. TLSSocket) and used Amazon Root CA1 instead of the Verisign Legacy one in your example.

Thanks for the solution! How did you update the firmware by the way?

13 Apr 2020

Dear Koizumi-san

I try to test aws iot mqtt test using STM32L4 Discovery kit. but I have a problem of attached file. I think my wifi and cert file will be ok. I am familiar with AWS IoT. I have done using ESP32. It is oK for using same cert files. I also check your program. It will stop 194th row of "if(!mqttClient->isConnected())" Do you have any idea to solve problem? Masa https://os.mbed.com/media/uploads/skyrise1308/mqtt_trouble20200413.jpg

13 Apr 2020

Hi Masa-san,

Thank you for your report. Yes, the issue happens on my environment. I've created an issue on GitHub. Please watch this issue for updates. https://github.com/coisme/Mbed-to-AWS-IoT/issues/3

25 Jun 2020

Hi Osamu, I am using Cypress PSoC6 CY8CKIT-062-WiFi-BT mcu and it throws the error: rc from MQTT connect is -3004 Hope You can help

30 Jun 2020

Quote:

Hi Osamu, I am using Cypress PSoC6 CY8CKIT-062-WiFi-BT mcu and it throws the error: rc from MQTT connect is -3004 Hope You can help

Hi. Mbed OS official example for AWS IoT is available here: https://github.com/ARMmbed/mbed-os-example-aws

Please log in to post comments.