AWS IoT + RUT956 MQTT Bridge

Hi Everyone,

I have a Teltonika RUT956 acting as an MQTT broker. I have a data logger connected to the RUT956 LAN port and publishing MQTT messages to the Teltonika broker.

Let’s say the first part of my topic is:
X1234

The next thing I created is an MQTT Bridge in RUT956. The bridge connection name is AWSIoT. Inside the bridge, I added an outgoing topic with a filter X1234/#.

I can see in my AWS IoT logs that the bridge is sending the MQTT messages to the AWS IoT broker.

Now here is the problem.

If I create an AWS IoT Thing Policy which allows all actions and resources, then it works fine, but this is not good security. If I try to restrict the policy it stops working, because the iot:Connect action does not allow wildcards unless the Thing Name in AWS matches the Client ID coming from the Teltonika.

The Teltonika router automatically creates the client ID in the format of .. In other words, for example, RUT956.AWSIoT.

The problem is that AWS Thing names are not allowed to have a full stop (.) in the name. They can only contain letters, numbers, hyphens, colons and underscores.

Can you please release a firmware where the Client ID is configurable for the bridge or the client ID is created using an underscore? For example: RUT956_AWSIoT

Please let me know if this is possible, otherwise it is impossible to use Teltonika MQTT Bridge with AWS IoT without a very bad security policy.

Thank you!

I think I figured something out.

You can actually override the Client ID by editing the MQTT bridge settings and enabling the “Use remote bridge login” option. Once that is turned on, set the “Remote ID” to whatever Client ID you want to use. You can leave the username and password blank.

I wasn’t expecting this option to be hidden in the “Use remote bridge login” option, but there it was! I tested this and now the bridge works with AWS IoT Core.

As long as your “Thing Name” in AWS IoT matches the “Remote ID” setting, in other words the client IDs are the same, you can use an AWS IoT policy like this (remember to replace the account region and number, client ID and topic with your own):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "Bool": {
          "iot:Connection.Thing.IsAttached": "true"
        }
      },
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:ap-southeast-2:123456789012:client/my_client_id"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:ap-southeast-2:123456789012:topic/mytopic"
    }
  ]
}

Note that if your device sets the MQTT “Retain Flag” then you also need to provide an additional statement in the above policy.

{
  "Effect": "Allow",
  "Action": "iot:RetainPublish",
  "Resource": "arn:aws:iot:ap-southeast-2:123456789012:topic/*"
}
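To tie the two posts together, here is an added helper (not from the thread or from Teltonika/AWS) that checks a proposed Remote ID against the thing-name character rule quoted above, derives a usable one from the router's default "RUT956.AWSIoT", generates the least-privilege policy shown in this reply for a given region, account, client ID and topic prefix, and flags the "allow everything" policy the first post warns about. The 128-character limit and the `#`-to-`*` wildcard translation for the topic resource ARN are assumptions from AWS IoT documentation, not something stated in the thread.

```python
import re

# AWS IoT thing names may only contain letters, digits, hyphens, colons and
# underscores (per the thread); the 128-character cap is an assumption.
# The RUT956 default "RUT956.AWSIoT" fails because of the full stop.
THING_NAME_RE = re.compile(r"^[A-Za-z0-9:_-]{1,128}$")

def is_valid_thing_name(name: str) -> bool:
    return bool(THING_NAME_RE.match(name))

def suggest_remote_id(default_client_id: str) -> str:
    """Derive a Remote ID from the router's default client ID by replacing
    every character AWS rejects with an underscore (e.g. RUT956_AWSIoT)."""
    return re.sub(r"[^A-Za-z0-9:_-]", "_", default_client_id)

def build_policy(region, account, client_id, topic_prefix, retain=False):
    """Least-privilege policy matching the reply: connect only as the attached
    thing's client ID, publish only under the bridge's topic filter. The MQTT
    filter 'X1234/#' becomes 'topic/X1234/*' in the ARN (policy wildcard)."""
    if not is_valid_thing_name(client_id):
        raise ValueError(f"{client_id!r} is not a valid AWS IoT thing name")
    arn = f"arn:aws:iot:{region}:{account}"
    statements = [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": f"{arn}:client/{client_id}",
         "Condition": {"Bool": {"iot:Connection.Thing.IsAttached": "true"}}},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": f"{arn}:topic/{topic_prefix}/*"},
    ]
    if retain:  # only needed when the data logger sets the MQTT retain flag
        statements.append({"Effect": "Allow", "Action": "iot:RetainPublish",
                           "Resource": f"{arn}:topic/{topic_prefix}/*"})
    return {"Version": "2012-10-17", "Statement": statements}

def has_wildcard_grant(policy) -> bool:
    """True if any Allow statement grants a bare wildcard action or resource,
    i.e. the 'all actions and resources' policy the first post rejects."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(a in ("*", "iot:*") for a in acts) or "*" in res:
            return True
    return False
```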


