Connecting to Amazon AWS IoT

Table of Contents

  1. Introduction
  2. Prerequisites
  3. AWS IoT Core Setup
    Account Setup
    Setup a Policy
    Create a Thing
  4. Configure Device for AWS Connection
    Prerequisites
    Provisioning the Device Via UART
    Monitor AWS Messages
  5. AWS Topics

Introduction

The AWS Out-of-Box (OOB) demo firmware connects to the Ezurio Bluegrass cloud by default. This document describes how to set up a new AWS IoT Core account and reconfigure the firmware to connect to it instead.

Prerequisites

  • AWS OOB demo firmware 3.x or later

AWS IoT Core Setup

Account Setup

Before starting, an AWS account is required. Amazon offers a free account that can be used for evaluation purposes.

Setup a Policy

In order for the IoT device to connect, a policy needs to be created to assign permissions to the device.

Log in to the AWS IoT console.

In the left-hand menu, navigate to Secure -> Policies.

(Screenshot: Policies)

Click Create a policy.

  • Give the policy a name.
  • Enter iot:* for the Action.
  • Enter * for the Resource ARN.
  • Check the Allow box.

Finally click Create.

Note: This policy is extremely permissive: it allows every IoT action on every resource to any device that presents a certificate with this policy attached, so one leaked device key exposes the whole account. Policies should grant only the permissions a device actually needs. See the AWS IoT Core policy documentation for scoped examples.

(Screenshot: Create Policy)
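A scoped alternative to the iot:* on * policy above, added here as an example; it is not taken from the page or from the Ezurio firmware. The account ID 123456789012 and the region us-east-1 are placeholders to replace with your own. The `${iot:Connection.Thing.ThingName}` policy variable resolves to the name of the thing the connecting certificate is attached to, and the `iot:Connection.Thing.IsAttached` condition refuses connections from certificates that are not attached to any thing, so this policy only works once the certificate has been attached to the thing as in the steps that follow. Publish, subscribe and receive are limited to the thing's own shadow topics, the only topics this page names.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-east-1:123456789012:client/*",
      "Condition": {
        "Bool": { "iot:Connection.Thing.IsAttached": "true" }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish", "iot:Receive"],
      "Resource": "arn:aws:iot:us-east-1:123456789012:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/*"
    }
  ]
}
```

The OOB firmware may use further topics that this page does not list. If the device connects but data stops appearing, check the AWS IoT logs in CloudWatch for authorization failures and add the specific missing topics rather than going back to `*`. If the firmware's MQTT client ID equals the thing name, the Connect statement can be tightened further to `client/${iot:Connection.Thing.ThingName}`.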

Create a Thing

In the left-hand menu, navigate to Manage -> Things and click Create on the far right.

Click Create a single thing.

Enter a name and click Next.

Note: The OOB demo firmware expects the thing name to be in the format deviceId-<id>, where <id> is the IMEI of your device (Pinnacle 100/MG100) or its Bluetooth address in lower-case (BL5340).

(Screenshot: Thing Name)

Create a certificate with One-click certificate creation by clicking Create certificate.

(Screenshot: Create Cert)

Download the device certificate, the private key, and the Amazon Root CA. The private key can only be downloaded at this point; AWS does not keep a copy. Store it securely and treat it as a secret, since anyone holding it can connect as this device with whatever permissions the attached policy grants.

Activate the certificate, then click Attach a policy.

(Screenshot: Download Cert)

Select the policy that was created previously and click Register Thing.

(Screenshot: Attach Policy)

Configure Device for AWS Connection

The Pinnacle 100/MG100/BL5340 device can be provisioned to communicate with the Bluegrass AWS demo site via the mobile app. In order to connect to an alternate AWS IoT Core instance, the device can be provisioned via UART.

Prerequisites

  1. mcumgr CLI (cross platform)
  2. Pinnacle 100/MG100/BL5340 device running AWS OOB demo firmware v3.x or greater
  3. Terminal program: PuTTY (Windows, Linux, macOS), Tera Term (Windows), Serial (macOS)

Provisioning the Device Via UART

  1. Connect a terminal program to the console UART (FTDI UART on the DVK), decommission the device and turn off log messages. Log messages output by the firmware can interfere with the file transfer process.

    Issue command:

    attr set commissioned 0
    
    log halt
    
  2. Disconnect the terminal program from the console UART and transfer the credentials to the device with the mcumgr CLI over the same UART. Three files need to be transferred: the root CA, the client certificate, and the client key.

    # Linux/macOS
    
    mcumgr -t 5 -r 2 --conntype serial --connstring dev=/dev/tty.usbserial-A908JLEI,mtu=2048 fs upload /Users/ryan/Desktop/test_aws/AmazonRootCA1.pem /lfs/root_ca.pem
    mcumgr -t 5 -r 2 --conntype serial --connstring dev=/dev/tty.usbserial-A908JLEI,mtu=2048 fs upload /Users/ryan/Desktop/test_aws/5d9f1885c1-certificate.pem.crt /lfs/client_cert.pem
    mcumgr -t 5 -r 2 --conntype serial --connstring dev=/dev/tty.usbserial-A908JLEI,mtu=2048 fs upload /Users/ryan/Desktop/test_aws/5d9f1885c1-private.pem.key /lfs/client_key.pem
    
    # Windows
    
    mcumgr -t 5 -r 2 --conntype serial --connstring dev=COM4,mtu=2048 fs upload C:\test_aws\AmazonRootCA1.pem /lfs/root_ca.pem
    mcumgr -t 5 -r 2 --conntype serial --connstring dev=COM4,mtu=2048 fs upload C:\test_aws\5d9f1885c1-certificate.pem.crt /lfs/client_cert.pem
    mcumgr -t 5 -r 2 --conntype serial --connstring dev=COM4,mtu=2048 fs upload C:\test_aws\5d9f1885c1-private.pem.key /lfs/client_key.pem
    
    
  3. Re-connect the terminal to the console UART and restart logging.

    log go
    
  4. Set AWS endpoint

    To direct the device to the correct AWS IoT Core instance, the endpoint must be set. To find it, log in to the AWS IoT console, click on the thing that was just registered, go to the section labeled Interact and copy the endpoint listed under HTTPS. The -ats suffix in the endpoint name means its server certificate chains to Amazon Trust Services, which is what the AmazonRootCA1.pem uploaded in step 2 validates.

    (Screenshot: AWS Endpoint)

    Connect the terminal program to the console UART and set the endpoint.

    attr set endpoint a3pefs972vw3m-ats.iot.us-east-1.amazonaws.com
    
  5. Set commissioned flag

    attr set commissioned 1
    

    Setting commissioned to 1 (true) triggers the device to connect to the AWS instance.
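The script below is an added example, not code from the original page or from the Ezurio OOB firmware. Before pushing the three files in step 2 it is worth confirming that each one is what the firmware expects in that slot, because the device gives little feedback if the client key file is actually a public key, an HTML error page saved as .pem, or a file cut short during download or transfer. Using only the Python standard library, it checks the PEM label per slot, base64-decodes the body and compares the outer DER length with the actual size (a truncated file fails this), derives the thing name and shadow topic under the deviceId-<id> rule above, and prints the mcumgr upload lines with the options used on this page. The PEM data it constructs is synthetic, not a real certificate or key, and the local file names are assumptions.

```python
"""Pre-flight checks for AWS IoT credentials before uploading them with mcumgr.

Added example; not code from the original page or the Ezurio OOB firmware.
Device paths and mcumgr options come from the provisioning steps; the local
file names and the PEM data built by constructed_pem() are made up here.
"""
import base64
import re
import sys

# Where the OOB firmware reads each credential (from the provisioning steps).
DEVICE_PATHS = {
    "root_ca": "/lfs/root_ca.pem",
    "client_cert": "/lfs/client_cert.pem",
    "client_key": "/lfs/client_key.pem",
}

# PEM labels acceptable in each slot. The AWS console download is a PKCS#1
# "RSA PRIVATE KEY"; other tooling may emit PKCS#8 "PRIVATE KEY".
EXPECTED_LABELS = {
    "root_ca": {"CERTIFICATE"},
    "client_cert": {"CERTIFICATE"},
    "client_key": {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"},
}

_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def thing_name(device_id: str) -> str:
    """Thing name the OOB firmware expects: deviceId-<IMEI> or deviceId-<bt addr>.
    IMEI is 15 digits (Pinnacle 100/MG100); a Bluetooth address is 12 hex digits
    and must be lower-case (BL5340). Colons in an address are dropped."""
    ident = device_id.replace(":", "")
    if re.fullmatch(r"[0-9]{15}", ident):
        return f"deviceId-{ident}"
    if re.fullmatch(r"[0-9a-fA-F]{12}", ident):
        return f"deviceId-{ident.lower()}"
    raise ValueError(f"not an IMEI or Bluetooth address: {device_id!r}")


def shadow_update_topic(device_id: str) -> str:
    """Topic to subscribe to in the AWS IoT console MQTT test client."""
    return f"$aws/things/{thing_name(device_id)}/shadow/update"


def der_outer_length(der: bytes) -> int:
    """Length, header included, that the outermost DER SEQUENCE claims to have."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                        # short-form length
        return 2 + first
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem(text: str, slot: str) -> str:
    """Validate one credential file for a slot and return its PEM label.
    Rejects the wrong kind of file, zero or several PEM blocks (e.g. an HTML
    error page) and a DER body shorter than its declared length (truncation)."""
    blocks = _PEM_RE.findall(text)
    if len(blocks) != 1:
        raise ValueError(f"{slot}: expected one PEM block, found {len(blocks)}")
    label, body = blocks[0]
    if label not in EXPECTED_LABELS[slot]:
        raise ValueError(f"{slot}: unexpected PEM type {label!r}")
    der = base64.b64decode("".join(body.split()), validate=True)
    if der_outer_length(der) != len(der):
        raise ValueError(f"{slot}: DER length mismatch, file truncated or corrupt")
    return label


def upload_commands(dev: str, files: dict, mtu: int = 2048) -> list:
    """One mcumgr fs upload line per slot, with the options used on this page."""
    return [
        f"mcumgr -t 5 -r 2 --conntype serial --connstring dev={dev},mtu={mtu} "
        f"fs upload {local} {DEVICE_PATHS[slot]}"
        for slot, local in files.items()
    ]


def constructed_pem(label: str, payload: bytes, truncate: int = 0) -> str:
    """Synthetic PEM for demonstration only: a DER SEQUENCE around payload,
    base64 wrapped at 64 columns. truncate>0 drops trailing bytes to
    simulate a file cut short."""
    n = len(payload)
    der = bytes([0x30, 0x82, n >> 8, n & 0xFF]) + payload   # long-form length
    if truncate:
        der = der[:-truncate]
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    # usage: python aws_preflight.py <serial dev> <device id> root.pem cert.pem key.pem
    dev, device_id, ca, cert, key = sys.argv[1:6]
    files = {"root_ca": ca, "client_cert": cert, "client_key": key}
    for slot, path in files.items():
        with open(path, encoding="ascii") as fh:
            print(f"{slot}: {check_pem(fh.read(), slot)} ok")
    print("thing name:", thing_name(device_id))
    print("subscribe to:", shadow_update_topic(device_id))
    print("\n".join(upload_commands(dev, files)))
```

The DER length check is deliberately shallow: it does not parse the certificate or confirm that the key matches it, which `openssl x509 -pubkey` and `openssl pkey -pubout` can do on a workstation that has OpenSSL. What it does catch, offline and without extra packages, is the class of mistake that otherwise surfaces only as a silent TLS failure on the device.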

TLS Peer Verification

Peer verification is not supported when using the self-signed certificates loaded by the mobile application. However, if custom certificates are used and CoAP FOTA is not required, peer verification can be turned on from the command line. With peer verification off the device does not check the broker's certificate against the root CA, so anything on the network path that terminates TLS can impersonate the endpoint and read or inject shadow data; with it on, the connection fails unless the broker's certificate chains to the root CA loaded in /lfs/root_ca.pem. Peer verification is required to pass the AWS Device Advisor test suite. The setting does not take effect until the next MQTT connect.

attr set peerVerify 2

Monitor AWS Messages

With the AWS IoT console you can watch the MQTT data sent by the device. Go to the left-hand menu in the console and click on Test (the MQTT test client).

In Subscription topic, enter $aws/things/deviceId-<id>/shadow/update, where <id> is the IMEI of your device (Pinnacle 100/MG100) or its Bluetooth address in lower-case (BL5340), exactly as used in the thing name. Then click Subscribe to topic. JSON data is displayed once the device sends a shadow update.

(Screenshot: MQTT Data)