MQTT Cloud Profile: AWS IoT
This chapter describes the additional “AWS” tab of the MQTT plug-in. All general MQTT settings (standard profile) can be found under MQTT Plug-in Configuration.
Principle: The AWS tab supplements the standard configuration with fields for endpoint and client certificates. The other tabs (Connection settings, Storage, First Will, Last Will, Advanced) are configured as in the standard profile.
Tab: AWS
| Field | Description |
|---|---|
| API endpoint address | REST API endpoint of the AWS IoT object (Thing). You can find the value in AWS IoT under Manage → Things → (Your Thing) → Interact. |
| Import new certificate | Imports a new client certificate with associated private key into the OPC Router’s certificate management. |
| Certificate | File selection for the device certificate (*.crt / *.pem). |
| Private key file | File selection for the private key (*.key). |
| Select existing certificate | Uses a previously imported client certificate from certificate management. |
| Client certificate | Selection of the client certificate to be used (or Without). |
| Check connection | Checks the connection with the currently set values. |
The link note in the dialog leads directly to the [Knowledge Base article]. In AWS IoT, you can find the API endpoint on the Interact page of the selected thing.
Prerequisites in AWS IoT Core
- Create thing: Manage → Things → Register a thing → Create a single thing and name it.
- Create/activate certificates: Create certificate → Download certificate (CRT/PEM) and private key (KEY) → Activate.
- Create and assign policy: Secure → Policies → Create policy (e.g.,
iot:*to*as starting point) and Attach the policy to the certificate.
The exact policy should correspond to your security concept. Restrict actions/ARNs as far as possible.
Manage certificates in OPC Router
- Import certificate: Tools → Settings → Certificate Management → Client Certificates → Import.
- Assign private key: Select imported certificate → Add private key → Select KEY file.
- Check certificate: Check display in certificate list.
Configuration in the MQTT plug-in (AWS tab)
- Open Plug-ins → MQTT and create/edit an MQTT connection.
- Router settings: Assign a name, select Cloud profile: AWS.
- AWS:
-
Enter API endpoint address (copied from Interact).
-
Select Select existing certificate or use Import new certificate and specify the certificate + key.
- Run Check connection.
- Connection settings / First Will / Last Will / Advanced: Configure as required (as in the standard profile).
- Save with OK.
Typical settings / notes
- Port & TLS: AWS IoT uses TLS; Enable TLS/SSL should be active in Connection settings.
- Client ID: Use placeholders for parallel instances (e. g.
MyInstance-${hostname}-#[RAND:4]). - QoS: See MQTT Performance for effects on latency and execution time.
- Storage: For “last value” queries, enable MQTT Data Storage and define the desired patterns. Read about MQTT Storage Read Transfer Object.
Troubleshooting
| Symptom | Cause / Solution |
|---|---|
| Handshake/Authentication failed | Certificate/key not imported correctly or wrong certificate selected. Check certificate management and re-import if necessary. |
| Access denied | Policy missing or too restrictive. Check in AWS IoT under Secure → Policies and Attach to the certificate. |
| No route to host / Timeout | Endpoint incorrect, port/firewall blocked or TLS disabled. Recopy endpoint from Interact, check TLS/port. |
| Duplicate Client ID | Multiple instances with the same client ID. Use a placeholder or Random. |
See also
- Main configuration: MQTT Plug-in Configuration
- Performance/RTT/QoS: MQTT Performance
- Storage Read: MQTT Storage Read Transfer Object