# AWS IoT Authentication and Authorization


In [1]:
%store -r home
home

'/Users/faermanj'

Create a Thing, a unique name helps to make references more clear.
Any computer can be a thing, lets use this notebook instance as our thing to begin.

In [2]:
%store -r HM
HM

'0524'

In [3]:
thing_name = f"NotebookThing{HM}"
thing_name

'NotebookThing0524'

In [4]:
! aws iot create-thing --thing-name {thing_name}

{
    "thingName": "NotebookThing0524",
    "thingArn": "arn:aws:iot:us-east-1:030555009967:thing/NotebookThing0524",
    "thingId": "e0de31e8-20f9-4aa7-b27f-1104b3d3c1f6"
}


Create a certificate and keys to authenticate your thing. 

In [5]:
! mkdir "{home}/aws_iot"

certificate_file = f"{home}/aws_iot/certificate{HM}.pem"
public_key = f"{home}/aws_iot/public-key{HM}.pem"
private_key = f"{home}/aws_iot/private-key{HM}.pem"

%store certificate_file
%store public_key
%store private_key

mkdir: /Users/faermanj/aws_iot: File exists
Stored 'certificate_file' (str)
Stored 'public_key' (str)
Stored 'private_key' (str)


In [6]:
certificateArn = ! aws iot create-keys-and-certificate \
  --set-as-active \
  --certificate-pem-outfile {certificate_file} \
  --public-key-outfile {public_key} \
  --private-key-outfile {private_key} \
  --query certificateArn \
  --output text
certificate_arn = certificateArn.s
certificate_arn

'arn:aws:iot:us-east-1:030555009967:cert/c72683b5f135324d3a4cb59d824564c68bc605b06cdf778f4ae3a429fe4503d9'

Download the root Certification Authority used by AWS IoT


In [7]:
ca_file = f"{home}/aws_iot/ca{HM}.pem"
%store ca_file
! wget https://www.symantec.com/content/en/us/enterprise/verisign/roots/VeriSign-Class%203-Public-Primary-Certification-Authority-G5.pem -O {ca_file}

Stored 'ca_file' (str)
--2018-01-31 05:24:33--  https://www.symantec.com/content/en/us/enterprise/verisign/roots/VeriSign-Class%203-Public-Primary-Certification-Authority-G5.pem
Resolving www.symantec.com... 23.222.216.90, 2001:578:29:489::145b, 2001:578:29:4a1::145b
Connecting to www.symantec.com|23.222.216.90|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1758 (1.7K)
Saving to: ‘/Users/faermanj/aws_iot/ca0524.pem’


2018-01-31 05:24:33 (41.9 MB/s) - ‘/Users/faermanj/aws_iot/ca0524.pem’ saved [1758/1758]



Double check that you have the 4 files required for TLS mutual authentication used by AWS IoT
1. Private Key
1. Public Key
1. Certificate
1. Root CA

In [8]:
! printf "Private Key {private_key} " && [ -f {private_key} ] && printf "found" || printf "not found"
! printf "\nPublic Key {public_key} " && [ -f {public_key} ] && printf "found" || printf "not found"
! printf "\nCertificate {certificate_file} " && [ -f {certificate_file} ] && printf "found" || printf "not found"
! printf "\nCertification Authority {ca_file} " && [ -f {ca_file} ] && printf "found" || printf "not found"

Private Key /Users/faermanj/aws_iot/private-key0524.pem found
Public Key /Users/faermanj/aws_iot/public-key0524.pem found
Certificate /Users/faermanj/aws_iot/certificate0524.pem found
Certification Authority /Users/faermanj/aws_iot/ca0524.pem found

Create an IAM authorization policy stating what is going to be allowed.

In [9]:
#TODO: Use a more restrictive policy
policy_document = '''{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "iot:*",
    "Resource": "*"}]
}'''

In [10]:
policy_name = f"NotebooksPolicy{HM}"
policyArn = ! aws iot create-policy \
    --policy-name {policy_name} \
    --policy-document '{policy_document}' \
    --query policyArn \
    --output text
policyArn.s

'arn:aws:iot:us-east-1:030555009967:policy/NotebooksPolicy0524'

Attach certificate to thing and policy

In [11]:
! aws iot attach-policy \
    --policy-name {policy_name} \
    --target {certificate_arn}

In [12]:
! aws iot attach-thing-principal \
  --thing-name {thing_name} \
  --principal {certificate_arn}

# Connecting to AWS IoT

AWS IoT provides account-specific endpoints for your things to connect:

In [13]:
endpoint_address = !aws iot describe-endpoint --query endpointAddress --output=text
endpoint_address = endpoint_address.s
%store endpoint_address
endpoint_address

Stored 'endpoint_address' (str)


'a3p88ooj9y6ruv.iot.us-east-1.amazonaws.com'

Ready to go! Create your MQTT client instance:

In [14]:
from AWSIoTPythonSDK.MQTTLib import AWSIoTMQTTClient

client_id=f"NotebookCient{HM}"
mqtt = AWSIoTMQTTClient(client_id)
mqtt.configureEndpoint(endpoint_address, 8883)
mqtt.configureCredentials(ca_file, private_key, certificate_file)
mqtt.configureConnectDisconnectTimeout(10)
mqtt

<AWSIoTPythonSDK.MQTTLib.AWSIoTMQTTClient at 0x1039fda90>

# Receiving and Sending Messages

Connect to the service to send and receive messages:

In [15]:
mqtt.connect()

True

Subscribe to a topic:

In [16]:
topic_name ="notebook-topic"
%store topic_name
subscribe_qos = 1
def custom_callback(client, userdata, message):
    print("\nReceived a new message: \n")
    print(message.payload.decode("utf-8") )
    print("\n--------------\n")
    
mqtt.subscribe(topic_name, subscribe_qos, custom_callback)

Stored 'topic_name' (str)


True

Publish to a topic:

In [17]:
import uuid
import json
import datetime 
import random
import time
def genPayload():
    names = ["Sarah Jane", "Rory Williams", "Amy Pond", "Jack Harkness", "Clara Oswald", "Martha Jones", "Rose Tyler"] 
    name = random.choice(names)
    id = str(uuid.uuid4())
    now = int(time.time()*1000)
    noise = round(40 * random.random());
    data = {
        "id" : id ,
        "name" : name,
        "sistolic" : 110 + noise,
        "diastolic" : 70 + noise,
        "time_stamp" : now
    }
    payload = json.dumps(data)
    return payload
payloads = []
for x in range(100):
    payloads.append(genPayload())
%store payloads
payload = random.choice(payloads)
%store payload
payload

Stored 'payloads' (list)
Stored 'payload' (str)


'{"id": "decbdbfd-7329-4abf-b4d4-8b777b271c27", "name": "Rose Tyler", "sistolic": 134, "diastolic": 94, "time_stamp": 1517405078084}'

In [18]:
publish_qos = 0
mqtt.publish(topic_name, payload , publish_qos)

True

The subscribe_qos and publish_qos arguments refer to the quality of service parameter of the MQTT protocol. Selecting the QoS level is a tradeoff between delivery guarantee and performance, see the following resources for more infomation:

https://www.hivemq.com/blog/mqtt-essentials-part-6-mqtt-quality-of-service-levels

https://docs.aws.amazon.com//iot/latest/developerguide/protocols.html

All working fine, done for now, disconnect.

In [19]:
mqtt.disconnect()

True

Now we don't want to loose this data, right?
Let's proceed to the [Storing Telemetry Data](aws-iot-storing-telemetry.ipynb) notebook right now!