Using SORACOM Beam to connect to AWS IoT

Introduction

Previously, we showed you a way to connect to AWS via SORACOM Beam (hereafter “Beam”) over HTTP using API Gateway. In this article, we explain how to use SORACOM Beam to send data from your IoT device to AWS IoT, the new service presented at the AWS re:Invent conference in October 2015.

About AWS IoT

AWS IoT is a cloud platform that allows you to securely send data from a device (Thing) to the cloud, or to use rules to let the transmitted data interact with other AWS services.

[Image: How AWS IoT works. Source: AWS IoT documentation]

There are two ways to send data from the device (Thing) to the cloud.

In this article, we send data using MQTTS. We want the transmitted data to result in an email notification from SNS.

About Beam

Beam is a proxy service that receives data sent from a device equipped with a SORACOM Air SIM card, and processes it in the cloud.

In this article, we use the MQTT->MQTTS protocol conversion (encryption) functionality. This is useful, for instance, for devices with limited CPU power that can handle the MQTT protocol but struggle with MQTTS.

SORACOM Beam also makes it easier to manage certificates. Normally, client certificates have to be copied onto every device that uses them, but SORACOM Beam manages client certificates on the device’s behalf and takes care of the authentication via TLS.

Configuring AWS IoT

Open the AWS IoT console to start configuring AWS IoT.

First, we will create a device (Thing). To open the device creation screen, click “Registry” in the left menu and then “Things”.

On the Things screen, click on “Register a thing”.

We will now register a thing. Enter a name and click “Create thing”. Here we used the name “Soracom_Beam”; there is no need to set any of the options.

Your thing has been created. We will now create its security certificate: click “Security”.

On the Certificates screen, click “Create certificate”. This lets you create a certificate signed by the AWS IoT root certificate.

Once your certificate has been created, download the certificate, the public and private keys, and the AWS IoT root certificate.

Now that all certificates have been downloaded, we will attach a policy that allows the thing using these certificates to use AWS IoT MQTT. Click “Attach a policy”.

On the policy screen, click on “Create new policy”.

On the policy creation page, we used the name “Soracom_Beam”. Make sure to add both the connect and publish actions (“iot:Connect,iot:Publish”), set the ARN to the correct topic (in this case we used “beamdemo”), and select “Allow” as the effect.

When you have completed your policy, click “Create”.

We need to modify the policy so that it works correctly with both the “iot:Connect” and “iot:Publish” actions. Click “Edit policy document” and enter the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": "arn:aws:iot:ap-northeast-1:<your_aws_account_id>:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": "arn:aws:iot:ap-northeast-1:<your_aws_account_id>:topic/beamdemo"
    }
  ]
}
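
To see what this policy actually permits, the following added example (not part of the original article, and not AWS or SORACOM code) evaluates it with a simplified model of policy matching: default deny, an explicit Deny wins, and “*” and “?” act as wildcards. Policy variables and conditions are not modelled; the account ID is a constructed placeholder and the function names are hypothetical.

```python
import json
import re

ACCOUNT = "123456789012"  # constructed placeholder account ID
BASE = f"arn:aws:iot:ap-northeast-1:{ACCOUNT}:"

# The policy document from the page, with the placeholder account ID filled in.
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Action": ["iot:Connect"],
    "Resource": "arn:aws:iot:ap-northeast-1:<id>:*"},
   {"Effect": "Allow", "Action": ["iot:Publish"],
    "Resource": "arn:aws:iot:ap-northeast-1:<id>:topic/beamdemo"}]}
""".replace("<id>", ACCOUNT))

def as_list(value):
    return value if isinstance(value, list) else [value]

def matches(pattern, value):
    """Policy wildcard match: '*' is any run of characters, '?' is exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def is_allowed(policy, action, resource):
    """Default deny; an explicit Deny on a matching statement overrides any Allow."""
    allowed = False
    for stmt in as_list(policy["Statement"]):
        hit = (any(matches(a, action) for a in as_list(stmt["Action"]))
               and any(matches(r, resource) for r in as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed

def broad_grants(policy):
    """List (action, resource) pairs in Allow statements whose ARN resource part is a bare '*'."""
    found = []
    for stmt in as_list(policy["Statement"]):
        for res in as_list(stmt["Resource"]):
            if stmt["Effect"] == "Allow" and (res == "*" or res.split(":", 5)[-1] == "*"):
                found += [(act, res) for act in as_list(stmt["Action"])]
    return found

if __name__ == "__main__":
    for action, res in [("iot:Connect", "client/any-client-id"), ("iot:Publish", "topic/beamdemo"),
                        ("iot:Publish", "topic/other"), ("iot:Subscribe", "topicfilter/beamdemo")]:
        print(f"{action:14} {res:24} {'ALLOW' if is_allowed(POLICY, action, BASE + res) else 'DENY'}")
    print("broad grants:", broad_grants(POLICY))
```

The “:*” resource on “iot:Connect” matches any client ID, while “iot:Publish” stays limited to the “beamdemo” topic. If the client ID presented to AWS IoT is known, the Connect resource can be scoped to “client/” followed by that ID.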

Now that the policy has been created, click the arrow to go back to the AWS IoT Policies screen.

Click “Certificates”.

On the Certificates screen, open the certificate’s configuration menu (“…”), click “Activate” to make sure the certificate works, and then click “Attach policy”.

Select the “Soracom_Beam” policy we just created and click on “Attach”.

Now that our thing, certificate and policy have all been created and activated, we will create a rule to handle incoming messages. Click “Rules” and then “Create a rule”.

On the rule screen, enter “*” as the attribute and “beamdemo” as the topic filter, then click “Add action”.

The next screen shows the options for setting up actions. We will use “SNS push notification”: select it and click “Configure action”.

On the SNS push notification screen, we created “my-sns-topic”, set the message format to “RAW” and created the “Soracom_Beam” role. Once done, click “Add action”.

At the top of the rule screen, enter the name “BeamDemo”, then click “Create rule” at the bottom of the screen.

The AWS IoT thing and rule are now configured. You can go back to the SORACOM console.

Configuring SORACOM Beam

Preparation

Necessary certificate files

You will need the following certificate files, which you obtained while configuring the AWS IoT Thing.

In addition to these two files, you also need the file below.

Configuring Beam

Now we configure SORACOM Beam. SORACOM Beam can be configured in the group settings of the SORACOM user console. Log in to the user console and open the Groups tab. On the screen, click the “Add” button to create a group. (Here we use the group name “AWS IoT”.)

In the list, click the group that you created.

In the settings screen, click the “+” button under “SORACOM Beam settings,” then choose “MQTT entry point.”

Make sure the forwarding settings match the following.

Next, we enter the certificates. If you have already registered certificates, these will be shown. If you have not yet registered any certificates, add them by clicking the “+” button.

The authentication ID can be any string consisting of half-width alphanumeric characters, hyphens, or underscores. Copy and paste the contents of the files that you downloaded earlier. See below for details about where to enter the contents of which file. (Both files are text files, so you can open them in any text editor and copy the contents from there.)

You have now finished configuring Beam.

Data transmission demo

Now, we will try to send some data. Add an Air SIM card to the group you just created. 

Run the following command from a device that is using an Air SIM card belonging to this group to transmit data.

pi@raspberrypi ~ $ mosquitto_pub -d -h beam.soracom.io -t beamdemo -m "Hello, World"
Received CONNACK
Sending PUBLISH (d0, q0, r0, m1, 'beamdemo', ... (12 bytes))

After you send the data, you can confirm that the email notification arrives via SNS.

As you can tell by the result of the command, if you use a device with an Air SIM card that belongs to a group for which Beam has been configured, you can send data to AWS IoT without specifying a certificate.

If you do not use Beam, you will have to specify a certificate as described on the Verify MQTT Subscribe and Publish page of the AWS IoT documentation before sending data, as shown below.

$ mosquitto_pub --cafile rootCA.pem \
  --cert cert.pem \
  --key thing-private-key.pem \
  -h data.iot.us-east-1.amazonaws.com -p 8883 \
  -q 1 -d -t topic/test -i clientid2 -m "Hello, World"

Certificates can be held by Beam instead of on devices. With Beam, there is no more need to keep certificates on a device. When a certificate changes, Beam is the only place where you need to configure settings to reflect that change.

This article guided you through sending a notification to SNS. Try using Beam for actions that use various other AWS services, such as saving data to S3 or DynamoDB, or executing Lambda functions.
