How to connect to AWS IoT Using Paho MQTT Client?

Madhu V Swamy

30 Aug 2019


AWS IoT is a managed service that lets your devices talk to an MQTT broker without you having to deploy and operate that broker yourself.

The AWS IoT rules engine covers many cases, but you will often need to subscribe to device data (Device Shadow updates, custom topics, connected/disconnected status) from code that runs outside Lambda.

Below are the steps, and the Python changes, needed to connect to AWS IoT and subscribe to a device's data with the Paho MQTT client.

Step-1: Install paho

AWS IoT only accepts TLS connections that are authenticated with an X.509 client certificate, so you need to create and register certificates before you can connect. The steps below are the part that differs from a regular MQTT broker.

Step-2: Create CA and key file

  • Create a Certificate Authority (CA) and its private key. If you already have one, you can use it. Otherwise, create your CA as follows:

               $openssl genrsa -des3 -out myCA.key 2048

(Note the passphrase you enter here; it is required in the further steps. myCA.key is the signing key for every device certificate you will issue, so keep it on the machine where you sign certificates and never copy it onto a device.)

                       $openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem

  • You now have both the CA certificate (myCA.pem) and its key (myCA.key).

Step-3: Generate and Register Certificate file

  • Log in to the AWS IoT console and go to Secure > CAs.

  • Click Register > Register CA.

  • The console page lists the openssl commands for a verification certificate: it shows you a registration code, has you generate a key pair (verificationCert.key) and a CSR (verificationCert.csr) whose Common Name is that code, and in its step 4 signs the CSR with your CA. Change the CA and key file paths in that step to the files you generated above:

               $openssl x509 -req -in verificationCert.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out verificationCert.crt -days 500 -sha256


  • Upload the CA certificate (myCA.pem) and the verification certificate (verificationCert.crt) on the same page, then click Register CA certificate. AWS checks that the verification certificate chains to your CA and carries the registration code, which proves you hold the CA key, and the CA should then be listed as registered.


  • Now go to Secure > Certificates to register your device certificate.

  • Click Create certificate > Use my certificate.

  • Select the CA you have just registered.

  • Click Select certificates, browse to the verificationCert.crt file you created above and upload it. Once it is uploaded you should see it listed under Secure > Certificates. Activate it there; AWS IoT refuses connections from a certificate that is not ACTIVE.

    Reusing the verification certificate as the device certificate works for a quick test, because AWS IoT accepts any certificate signed by a registered CA. For real devices, generate a separate key and CSR per device (with the device name as Common Name) and sign it with the same openssl x509 -req command as above, so that a key lifted from one device cannot impersonate the rest of the fleet and can be revoked on its own.

Step-4: Create a policy

  • Next, create a policy that grants this certificate access to AWS IoT resources.

  • Go to Secure > Policies > Create.

  • Give it a name and select Advanced mode. Copy the below JSON and save. This policy allows every IoT action (connect, publish, subscribe, receive) on every resource. That is convenient while you are getting the first connection to work, but it is far more than a device needs: any certificate carrying this policy can connect with any client ID and read or write any topic in the account. Once the connection works, narrow the Resource entries to the thing's own client ID and topics.


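As an added example (not the author's policy JSON), here is a Python helper that produces the narrowed form of that policy for a single thing, plus a small check that flags the wildcard grants described above. The region, account ID, thing name and the devices/<thing>/... topics are hypothetical placeholders; the ARN shapes (client/, topic/, topicfilter/) and the fact that iot:Receive is needed alongside iot:Subscribe for messages to be delivered are AWS IoT's own rules.

```python
"""Build a least-privilege AWS IoT policy for one device and audit a policy
for wildcard grants. Added example for this post, not the author's JSON;
region, account and thing name are hypothetical placeholders."""
import json


def build_device_policy(region: str, account_id: str, thing_name: str) -> dict:
    """Return an IoT policy that lets only this thing connect (as itself),
    use its own Device Shadow and publish to its own telemetry topic."""
    arn = f"arn:aws:iot:{region}:{account_id}"
    shadow = f"$aws/things/{thing_name}/shadow"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Only a client ID equal to the thing name may connect.
                "Effect": "Allow",
                "Action": "iot:Connect",
                "Resource": f"{arn}:client/{thing_name}",
            },
            {   # Publish: shadow get/update requests and this device's telemetry.
                "Effect": "Allow",
                "Action": "iot:Publish",
                "Resource": [
                    f"{arn}:topic/{shadow}/get",
                    f"{arn}:topic/{shadow}/update",
                    f"{arn}:topic/devices/{thing_name}/telemetry",
                ],
            },
            {   # Subscribe is authorised against topic filters...
                "Effect": "Allow",
                "Action": "iot:Subscribe",
                "Resource": [
                    f"{arn}:topicfilter/{shadow}/get/accepted",
                    f"{arn}:topicfilter/{shadow}/update/delta",
                    f"{arn}:topicfilter/devices/{thing_name}/commands",
                ],
            },
            {   # ...while Receive is authorised against the concrete topic.
                "Effect": "Allow",
                "Action": "iot:Receive",
                "Resource": [
                    f"{arn}:topic/{shadow}/get/accepted",
                    f"{arn}:topic/{shadow}/update/delta",
                    f"{arn}:topic/devices/{thing_name}/commands",
                ],
            },
        ],
    }


def find_wildcard_statements(policy: dict) -> list:
    """Return (action, resource) pairs where an Allow covers every resource
    or every action, i.e. the shape of the quick-start policy above."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            for resource in resources:
                if resource == "*" or action in ("*", "iot:*"):
                    findings.append((action, resource))
    return findings


if __name__ == "__main__":
    # Constructed, hypothetical identifiers.
    policy = build_device_policy("us-east-1", "123456789012", "sensor-01")
    print(json.dumps(policy, indent=2))
    print("wildcards in scoped policy:", find_wildcard_statements(policy))
    quick_start = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}]}
    print("wildcards in quick-start policy:", find_wildcard_statements(quick_start))
```

Paste the printed JSON into the Advanced mode editor in place of the wildcard document. The audit function is the kind of check to run over every policy in the account before production: a single ("iot:*", "*") finding is the quick-start policy still attached somewhere.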
Step-5: Attach the policy to certificate

  • Go to Secure > Certificates. Select the certificate you created above, open the Actions drop-down and choose Attach policy. Select the policy you just created and click Save.


You now have everything required. Let's get back to the program.

Step-6: Code changes.

  • Add this line before connecting to the broker:

client.tls_set(caPath, certfile = certPath,  keyfile = keyFile)

    Here caPath is the Amazon root CA that signs the endpoint's server certificate (AmazonRootCA1.pem for an -ats endpoint, from https://www.amazontrust.com/repository/AmazonRootCA1.pem), not your own myCA.pem. certPath is the device certificate you registered in Step-3, and keyFile is the private key generated alongside its CSR (verificationCert.key above), never myCA.key. Keep Paho's default certificate and hostname verification; do not call tls_insecure_set(True) to get past a certificate error, because that stops the client from checking the broker's identity.

  • To get the broker endpoint, go to Settings in the AWS IoT console; the custom endpoint looks like <prefix>-ats.iot.<region>.amazonaws.com. Pass this endpoint as the host parameter of your connect call.

  • AWS IoT doesn't allow non-secure connections, so change the port from 1883 to 8883. (If 8883 is blocked on your network, AWS IoT also accepts MQTT over TLS on port 443 with the ALPN protocol name x-amzn-mqtt-ca.)
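Putting the three changes together, the following is an added, complete Paho script (not the author's original code) that connects with mutual TLS, subscribes to a thing's shadow topics, a custom command topic and the presence lifecycle events AWS IoT publishes, and turns what arrives into a small record. The endpoint, thing name, the devices/<thing>/commands topic and the file names are assumed placeholders, and the policy attached in Step-5 must allow each topic the script subscribes to. Running it needs paho-mqtt (pip install paho-mqtt); the subscriptions() and classify() helpers work without it.

```python
"""Subscribe to a thing's shadow, a custom topic and its presence events on
AWS IoT with paho-mqtt. Added example for this post, not the author's
script; endpoint, thing name and file paths are placeholders."""
import json
import ssl
import sys

# Placeholders: take the endpoint from Settings in the AWS IoT console and
# point the paths at the files produced in the steps above.
ENDPOINT = "abcdefghijklmn-ats.iot.us-east-1.amazonaws.com"   # hypothetical
THING_NAME = "sensor-01"                                       # hypothetical
ROOT_CA = "AmazonRootCA1.pem"         # Amazon root that signs the -ats endpoint
DEVICE_CERT = "verificationCert.crt"  # the certificate registered in Step-3
DEVICE_KEY = "verificationCert.key"   # its private key, NOT myCA.key


def subscriptions(thing_name: str):
    """Topics worth watching for one thing: shadow get/update results, the
    delta (desired != reported), a custom command topic, and the lifecycle
    events AWS IoT publishes when the client connects or disconnects."""
    shadow = f"$aws/things/{thing_name}/shadow"
    return [
        (f"{shadow}/get/accepted", 1),
        (f"{shadow}/update/accepted", 1),
        (f"{shadow}/update/delta", 1),
        (f"devices/{thing_name}/commands", 1),          # hypothetical custom topic
        (f"$aws/events/presence/connected/{thing_name}", 1),
        (f"$aws/events/presence/disconnected/{thing_name}", 1),
    ]


def classify(topic: str, payload: bytes) -> dict:
    """Turn an incoming message into a record the rest of the program can act
    on. A shadow delta carries the desired-but-not-reported state; presence
    events carry clientId and eventType."""
    data = json.loads(payload.decode("utf-8"))
    if topic.endswith("/shadow/update/delta"):
        return {"kind": "delta", "state": data.get("state", {})}
    if "/shadow/" in topic:
        return {"kind": "shadow", "reported": data.get("state", {}).get("reported", {})}
    if topic.startswith("$aws/events/presence/"):
        return {"kind": "presence", "client": data.get("clientId"),
                "event": data.get("eventType")}
    return {"kind": "custom", "topic": topic, "data": data}


def make_client(client_id: str):
    """Build a paho client with the mutual TLS setup AWS IoT requires."""
    import paho.mqtt.client as mqtt   # imported here so the helpers above run without paho

    try:   # paho-mqtt 2.x requires the callback API version; 1.x has no such attribute
        client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION1, client_id=client_id)
    except AttributeError:
        client = mqtt.Client(client_id=client_id)
    client.tls_set(ROOT_CA, certfile=DEVICE_CERT, keyfile=DEVICE_KEY,
                   cert_reqs=ssl.CERT_REQUIRED, tls_version=ssl.PROTOCOL_TLSv1_2)
    # Hostname verification stays on (the default); never call tls_insecure_set(True).

    def on_connect(c, userdata, flags, rc):
        if rc != 0:
            # On AWS IoT a refused connection usually means the policy does not
            # allow iot:Connect for this client ID or the certificate is not ACTIVE.
            print("connect failed, rc =", rc, file=sys.stderr)
            return
        for topic, qos in subscriptions(THING_NAME):
            c.subscribe(topic, qos)
        # Request the current shadow; the reply arrives on get/accepted.
        c.publish(f"$aws/things/{THING_NAME}/shadow/get", "")

    def on_message(c, userdata, msg):
        print(classify(msg.topic, msg.payload))

    client.on_connect = on_connect
    client.on_message = on_message
    return client


if __name__ == "__main__":
    # The client ID must match the iot:Connect resource in the attached policy.
    c = make_client(THING_NAME)
    c.connect(ENDPOINT, port=8883, keepalive=60)   # port 1883 is refused
    c.loop_forever()
```

If the connection is dropped immediately after CONNACK rather than refused, the usual cause is a subscribe or publish that the policy does not allow: AWS IoT disconnects the client instead of returning an error, so check CloudWatch logs for the denied action and add that topic (as topicfilter/ for subscribe, topic/ for receive and publish) to the policy.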

This should let you connect, subscribe and publish to the AWS IoT broker. Please feel free to reach out if you need help connecting your things to AWS IoT.