Tulip Interface to AWS IoT Core Integration - AWS Console Guide
Overview
This guide shows how to connect your Tulip Interface to AWS IoT Core using only the AWS Console - no command line required!
Prerequisites
- AWS Console access with IoT permissions
- Access to Tulip Interface with MQTT connector capability
- Web browser
Step 1: Create IoT Thing
1.1 Navigate to AWS IoT Console
- Go to AWS IoT Console
- In the left sidebar, click Manage → Things
1.2 Create New Thing
- Click Create things
- Select Create single thing
- Click Next
- Enter Thing name: tulip-interface-client
- Leave other fields as default
- Click Next
Step 2: Create Device Certificate
2.1 Certificate Configuration
- Select Auto-generate a new certificate
- Click Next
2.2 Create IoT Policy
- Click Create policy
- In the new tab that opens:
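- Policy name: TulipMQTTPolicy
- Policy document: Click JSON tab and paste the following (it allows every IoT action on every resource and is meant for initial testing; see Policy Refinement under Security Best Practices):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:*"
      ],
      "Resource": "*"
    }
  ]
}
```

- Click Create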
- Return to the previous tab
2.3 Attach Policy
- Refresh the policy list
- Select TulipMQTTPolicy
- Click Create thing
Step 3: Download Certificate Files
3.1 Download Required Files
- Device certificate → Save as certificate.pem.crt
- Private key file → Save as private.pem.key
- Amazon Root CA 1 → Save as AmazonRootCA1.pem
- Click Done
3.2 Create Certificate Chain File
- Open certificate.pem.crt in a text editor
- Open AmazonRootCA1.pem in a text editor
- Create a new file called cert_chain.pem
- Copy the entire contents of certificate.pem.crt into cert_chain.pem
- Add a new line at the end
- Copy the entire contents of AmazonRootCA1.pem and append to cert_chain.pem
- Save cert_chain.pem
Step 4: Convert Private Key Format
4.1 Online Conversion Tool
Since we're avoiding command line, use an online tool:
- Go to SSL Converter or similar tool
- Select Convert from: RSA Private Key
- Select Convert to: PKCS#8
- Upload your private.pem.key file
- Download the converted file as private_pkcs8.pem
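Steps 3.2 and 4.1 can also be done locally, so that private.pem.key never has to be uploaded to a third-party converter. The Python below is an added example, not part of the original guide or of AWS or Tulip tooling; the function names and the constructed placeholder bytes are assumptions made for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# DER AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1, NULL parameters)
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def tlv(tag, value):
    """DER tag-length-value; lengths of 128 or more use the long form."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(octets)]) + octets
    return bytes([tag]) + length + value

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def pkcs1_to_pkcs8(pem_text):
    """Wrap an unencrypted PKCS#1 'RSA PRIVATE KEY' in a PKCS#8 PrivateKeyInfo."""
    m = PEM_RE.search(pem_text)
    # Encrypted PKCS#1 files carry 'Proc-Type:' style headers, which contain a colon.
    if not m or m.group(1) != "RSA PRIVATE KEY" or ":" in m.group(2):
        raise ValueError("expected an unencrypted 'RSA PRIVATE KEY' PEM block")
    pkcs1 = base64.b64decode(m.group(2))
    info = tlv(0x02, b"\x00") + RSA_ALG_ID + tlv(0x04, pkcs1)  # version 0, algorithm, key
    return to_pem("PRIVATE KEY", tlv(0x30, info))

def build_chain(device_pem, root_pem):
    """Device certificate first, then the root CA, one newline between them."""
    for text in (device_pem, root_pem):
        if [m.group(1) for m in PEM_RE.finditer(text)] != ["CERTIFICATE"]:
            raise ValueError("each input must hold exactly one CERTIFICATE block")
    return device_pem.strip() + "\n" + root_pem.strip() + "\n"

# Constructed placeholder bytes, not a real key or certificate.
SAMPLE_KEY = to_pem("RSA PRIVATE KEY", bytes.fromhex("3003020100"))
SAMPLE_CERT = to_pem("CERTIFICATE", bytes.fromhex("3003020101"))

if __name__ == "__main__":
    print(pkcs1_to_pkcs8(SAMPLE_KEY))
    print(build_chain(SAMPLE_CERT, SAMPLE_CERT))
```

For the real files, pass the text of private.pem.key to pkcs1_to_pkcs8 and write the result to private_pkcs8.pem; pass the text of certificate.pem.crt and AmazonRootCA1.pem to build_chain and write the result to cert_chain.pem.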
Step 5: Get IoT Endpoint
5.1 Find Your Endpoint
- In AWS IoT Console, go to Settings (left sidebar)
- Under Device data endpoint, copy the endpoint URL
- It looks like: a1234567890123-ats.iot.us-west-1.amazonaws.com
- Save this URL - you'll need it for Tulip configuration
Step 6: Configure Tulip Interface MQTT Connector
6.1 MQTT Connection Settings
In your Tulip Interface MQTT connector, configure:
- MQTT Broker Host: [Your endpoint from Step 5]
- Port: 8883
- Protocol: MQTT over TLS or MQTTS
- Client ID: tulip-interface-client
6.2 Certificate Configuration
Upload these files to Tulip Interface:
- Certificate File: Upload cert_chain.pem
- Private Key File: Upload private_pkcs8.pem
- CA Certificate File: Upload AmazonRootCA1.pem
6.3 Topic Configuration
- Publish Topic: tulip/data
- Subscribe Topic: tulip/commands (optional)
Step 7: Enable CloudWatch Logging (Optional)
7.1 Create IAM Role
- Go to IAM Console
- Click Roles → Create role
- Select AWS service → IoT
- Click Next
- Search and select CloudWatchLogsFullAccess
- Click Next
- Role name: IoTLogsRole
- Click Create role
7.2 Enable IoT Logging
- Return to AWS IoT Console
- Go to Settings (left sidebar)
- Under Logs, click Edit
- Level of verbosity: Info
- Set role: Select IoTLogsRole
- Click Update
Step 8: Test Connection
8.1 Monitor in AWS Console
- Go to Test → MQTT test client
- Click Subscribe to a topic
- Topic filter: tulip/data
- Click Subscribe
8.2 Test from Tulip
- Send a test message from Tulip Interface
- You should see the message appear in the AWS MQTT test client
8.3 Check CloudWatch Logs (if enabled)
- Go to CloudWatch Console
- Click Logs → Log groups
- Find AWSIotLogsV2
- Click on the log group to view connection logs
Troubleshooting
Common Issues and Console Solutions
1. Certificate Not Working
Problem: Connection fails with certificate errors
Solution:
- Ensure you're using cert_chain.pem (not the individual certificate file)
- Verify private key is in PKCS#8 format (private_pkcs8.pem)
2. Policy Issues
Problem: Authorization failures in logs
Solution:
1. Go to Secure → Policies
2. Click on TulipMQTTPolicy
3. Verify the JSON policy allows "iot:*" on "*" resources
3. Wrong Endpoint
Problem: Cannot connect to broker
Solution:
1. Go to Settings in IoT Console
2. Copy the exact endpoint URL (including -ats suffix)
3. Use port 8883
4. Certificate Not Attached
Problem: Authentication failures
Solution:
1. Go to Secure → Certificates
2. Click on your certificate
3. Check Things and Policies tabs
4. Ensure tulip-interface-client thing and TulipMQTTPolicy are attached
File Summary
You should have these files for Tulip configuration:
📁 Downloaded Files
├── certificate.pem.crt # Original device certificate
├── private.pem.key # Original private key
├── AmazonRootCA1.pem # Amazon Root CA
├── cert_chain.pem # Certificate + Root CA ← Use this
└── private_pkcs8.pem # Converted private key ← Use this
Quick Reference Card
Tulip MQTT Configuration Summary
| Setting | Value |
|---|---|
| Host | [your-endpoint]-ats.iot.[region].amazonaws.com |
| Port | 8883 |
| Client ID | tulip-interface-client |
| Topic | tulip/data |
| Certificate | cert_chain.pem |
| Private Key | private_pkcs8.pem |
| CA Certificate | AmazonRootCA1.pem |
AWS Console Quick Links
- IoT Console - Main IoT management
- MQTT Test Client - Test messages
- CloudWatch Logs - View connection logs
- IAM Console - Manage roles and policies
Success Indicators
✅ Connection Successful
- Tulip Interface shows "Connected" status
- Messages appear in AWS MQTT test client when subscribed to tulip/data
- CloudWatch logs show successful Publish-In events
❌ Connection Failed
- Check that the certificate files are in the correct format
- Verify the endpoint URL exactly matches the one shown in the AWS Console
- Ensure port 8883 is used
- Confirm client ID matches thing name exactly
Security Best Practices
- Certificate Storage: Store certificate files securely in Tulip
- Policy Refinement: After testing, create more restrictive policies
- Monitoring: Enable CloudWatch logging for production monitoring
- Regular Rotation: Plan for certificate rotation (certificates expire in 2049)
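
The Policy Refinement item above, applied to the iot:* policy from Step 2.2: an added Python example (not from the original guide) that builds a policy scoped to this guide's client ID and topics and compares what each policy permits. The region, the account ID 123456789012 and the simplified allows check (Allow statements and the * wildcard only) are assumptions; substitute your own values.

```python
import json
import re

# Assumed placeholders: use your own region and 12-digit AWS account ID.
REGION, ACCOUNT = "us-west-1", "123456789012"

def arn(kind, name):
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{kind}/{name}"

def _allow(action, resources):
    return {"Effect": "Allow", "Action": [action], "Resource": resources}

def scoped_policy(client_id, publish, subscribe):
    """Allow one client ID to connect and use only the listed topics."""
    return {"Version": "2012-10-17", "Statement": [
        _allow("iot:Connect", [arn("client", client_id)]),
        _allow("iot:Publish", [arn("topic", t) for t in publish]),
        _allow("iot:Subscribe", [arn("topicfilter", t) for t in subscribe]),
        _allow("iot:Receive", [arn("topic", t) for t in subscribe]),
    ]}

def _matches(pattern, value):
    # Only the * wildcard is handled here; every other character is literal.
    rx = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(rx, value) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def allows(policy, action, resource):
    """Simplified evaluation: Allow statements only, no Deny or policy variables."""
    return any(
        st["Effect"] == "Allow"
        and any(_matches(a, action) for a in _as_list(st["Action"]))
        and any(_matches(r, resource) for r in _as_list(st["Resource"]))
        for st in policy["Statement"])

# The testing policy from Step 2.2 and a scoped replacement for the same setup.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:*"], "Resource": "*"}]}
SCOPED = scoped_policy("tulip-interface-client", ["tulip/data"], ["tulip/commands"])

if __name__ == "__main__":
    print(json.dumps(SCOPED, indent=2))
    probe = ("iot:Publish", arn("topic", "other/topic"))
    print("broad:", allows(BROAD, *probe), "scoped:", allows(SCOPED, *probe))
```

The printed JSON can be pasted into the JSON tab of the policy editor in place of the testing policy once the connection works.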
Support Resources
- AWS IoT Documentation: docs.aws.amazon.com/iot
- Tulip Support: Contact Tulip support for MQTT connector issues
- AWS Support: Use AWS Support for IoT Core issues