This sample uses the Message Broker for AWS IoT to send and receive messages through an MQTT connection using MQTT5.
MQTT5 introduces additional features and enhancements that improve the development experience with MQTT. You can read more about MQTT5 in the Java V2 SDK by checking out the MQTT5 user guide.
Your IoT Core Thing's Policy must provide privileges for this sample to connect, subscribe, publish, and receive. Below is a sample policy that can be used on your IoT Core Thing that will allow this sample to run as intended.
(see sample policy)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish", "iot:Receive" ], "Resource": [ "arn:aws:iot:region:account:topic/test/topic" ] }, { "Effect": "Allow", "Action": [ "iot:Subscribe" ], "Resource": [ "arn:aws:iot:region:account:topicfilter/test/topic" ] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:region:account:client/test-*" ] } ] } Replace with the following with the data from your AWS account:
<region>: The AWS IoT Core region where you created your AWS IoT Core thing you wish to use with this sample. For exampleus-east-1.<account>: Your AWS IoT Core account ID. This is the set of numbers in the top right next to your AWS account name when using the AWS IoT Core website.
Note that in a real application, you may want to avoid the use of wildcards in your ClientID or use them selectively. Please follow best practices when working with AWS on production applications using the SDK. Also, for the purposes of this sample, please make sure your policy allows a client ID of test-* to connect or use --client_id <client ID here> to send the client ID your policy supports.
To Run this sample using a direct MQTT connection with a key and certificate, go to the node/pub_sub_mqtt5 folder and run the following commands:
npm install node dist/index.js --endpoint <endpoint> --cert <file> --key <file>You can also pass a Certificate Authority file (CA) if your certificate and key combination requires it:
npm install node dist/index.js --endpoint <endpoint> --cert <file> --key <file> --ca_file <path to root CA>To Run this sample using Websockets, go to the node/pub_sub_mqtt5 folder and run the follow commands:
npm install node dist/index.js --endpoint <endpoint> --region <signing region>Note that to run this sample using Websockets, you will need to set your AWS credentials in your environment variables or local files. See the authorizing direct AWS page for documentation on how to get the AWS credentials, which then you can set to the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN environment variables.
We strongly recommend using the AwsIotMqtt5ClientConfigBuilder class to configure MQTT5 clients when connecting to AWS IoT Core. The builder simplifies configuration for all authentication methods supported by AWS IoT Core. This section shows samples for all authentication possibilities.
- Direct MQTT with X509-based mutual TLS
- MQTT over Websockets with Sigv4 authentication
- Direct MQTT with Custom Authentication
- Direct MQTT with PKCS11
- Direct MQTT with PKCS12
For X509 based mutual TLS, you can create a client where the certificate and private key are configured by path:
letbuilder=AwsIotMqtt5ClientConfigBuilder.newDirectMqttBuilderWithMtlsFromPath(<account-specificendpoint>,<path-to-X509-certificate-pem-file>,<path-to-private-key-pem-file>);// other builder configuration// ...letclient : Mqtt5Client=newMqtt5Client(builder.build()));You can also create a client where the certificate and private key are in memory:
letcert=fs.readFileSync(<pathtocertificatepemfile>,'utf8');letkey=fs.readFileSync(<pathtoprivatekeypemfile>,'utf8');letbuilder=AwsIotMqtt5ClientConfigBuilder.newDirectMqttBuilderWithMtlsFromMemory(<account-specificendpoint>,cert,key);// other builder configuration// ...letclient : Mqtt5Client=newMqtt5Client(builder.build());Sigv4-based authentication requires a credentials provider capable of sourcing valid AWS credentials. Sourced credentials will sign the websocket upgrade request made by the client while connecting. The default credentials provider chain supported by the SDK is capable of resolving credentials in a variety of environments according to a chain of priorities:
Environment -> Profile (local file system) -> STS Web Identity -> IMDS (ec2) or ECS If the default credentials provider chain and built-in AWS region extraction logic are sufficient, you do not need to specify any additional configuration:
letbuilder=AwsIotMqtt5ClientConfigBuilder.newWebsocketMqttBuilderWithSigv4Auth(<account-specificendpoint>);// other builder configuration// ...letclient : Mqtt5Client=newMqtt5Client(builder.build());Alternatively, if you're connecting to a special region for which standard pattern matching does not work, or if you need a specific credentials provider, you can specify advanced websocket configuration options.
// sourcing credentials from the Cognito service in this exampleletcognitoConfig: CognitoCredentialsProviderConfig={endpoint: "<cognito endpoint to query credentials from>",identity: "<cognito identity to query credentials relative to>"};letoverrideProvider: CredentialsProvider=AwsCredentialsProvider.newCognito(cognitoConfig);letwsConfig : WebsocketSigv4Config={credentialsProvider: overrideProvider,region: "<special case region>"};letbuilder=AwsIotMqtt5ClientConfigBuilder.newWebsocketMqttBuilderWithSigv4Auth("<account-specific endpoint>",wsConfig);// other builder configuration// ...letclient : Mqtt5Client=newMqtt5Client(builder.build());AWS IoT Core Custom Authentication allows you to use a lambda to gate access to IoT Core resources. For this authentication method, you must supply an additional configuration structure containing fields relevant to AWS IoT Core Custom Authentication.
If your custom authenticator does not use signing, you don't specify anything related to the token signature:
letcustomAuthConfig : MqttConnectCustomAuthConfig={authorizerName: "<Name of your custom authorizer>",username: "<Value of the username field that should be passed to the authorizer's lambda>",password: <Binarydatavalueofthepasswordfieldtobepassedtotheauthorizerlambda>};letbuilder=AwsIotMqtt5ClientConfigBuilder.newDirectMqttBuilderWithCustomAuth("<account-specific endpoint>",customAuthConfig);letclient : Mqtt5Client=newmqtt5.Mqtt5Client(builder.build());If your custom authorizer uses signing, you must specify the three signed token properties as well. The token signature must be the URI-encoding of the base64 encoding of the digital signature of the token value via the private key associated with the public key that was registered with the custom authorizer. It is your responsibility to URI-encode the token signature.
letcustomAuthConfig : MqttConnectCustomAuthConfig={authorizerName: "<Name of your custom authorizer>",username: "<Value of the username field that should be passed to the authorizer's lambda>",password: <Binarydatavalueofthepasswordfieldtobepassedtotheauthorizerlambda>,tokenKeyName: "<Name of the username query param that will contain the token value>",tokenValue: "<Value of the username query param that holds the token value that has been signed>",tokenSignature: "<URI-encoded base64-encoded digital signature of tokenValue>"};letbuilder=AwsIotMqtt5ClientConfigBuilder.newDirectMqttBuilderWithCustomAuth("<account-specific endpoint>",customAuthConfig);letclient : Mqtt5Client=newmqtt5.Mqtt5Client(builder.build());In both cases, the builder will construct a final CONNECT packet username field value for you based on the values configured. Do not add the token-signing fields to the value of the username that you assign within the custom authentication config structure. Similarly, do not add any custom authentication related values to the username in the CONNECT configuration optionally attached to the client configuration. The builder will do everything for you.
A MQTT5 direct connection can be made using a PKCS11 device rather than using a PEM encoded private key, the private key for mutual TLS is stored on a PKCS#11 compatible smart card or Hardware Security Module (HSM). To create a MQTT5 builder configured for this connection, see the following code:
letpkcs11Options : Pkcs11Options={pkcs11_lib: "<path to PKCS11 library>",user_pin: "<Optional pin for PKCS11 device>",slot_id: "<Optional slot ID containing PKCS11 token>",token_label: "<Optional label of the PKCS11 token>",private_key_object_label: "<Optional label of the private key object on the PKCS#11 token>",cert_file_path: "<Path to certificate file. Not necessary if cert_file_contents is used>",cert_file_contents: "<Contents of certificate file. Not necessary if cert_file_path is used>"};letbuilder=AwsIotMqtt5ClientConfigBuilder.newDirectMqttBuilderWithMtlsFromPkcs11("<account-specific endpoint>",pkcs11Options);letclient : Mqtt5Client=newmqtt5.Mqtt5Client(builder.build());Note: Currently, TLS integration with PKCS#11 is only available on Unix devices.
A MQTT5 direct connection can be made using a PKCS12 file rather than using a PEM encoded private key. To create a MQTT5 builder configured for this connection, see the following code:
letbuilder=AwsIotMqtt5ClientConfigBuilder.newDirectMqttBuilderWithMtlsFromPkcs12("<account-specific endpoint>","<PKCS12 file>","<PKCS12 password>");letclient : Mqtt5Client=newmqtt5.Mqtt5Client(builder.build());Note: Currently, TLS integration with PKCS#12 is only available on MacOS devices.
No matter what your connection transport or authentication method is, you may connect through an HTTP proxy by applying proxy configuration to the builder:
letbuilder=AwsIoTMqtt5ClientConfigBuilder.<authenticationmethod>(...);letproxyOptions : HttpProxyOptions=newHttpProxyOptions("<proxy host>",<proxyport>);builder.withHttpProxyOptions(proxyOptions);letclient : Mqtt5Client=newMqtt5Client(builder.build());SDK Proxy support also includes support for basic authentication and TLS-to-proxy. SDK proxy support does not include any additional proxy authentication methods (kerberos, NTLM, etc...) nor does it include non-HTTP proxies (SOCKS5, for example).
