---
title: "AWS IoT Core (MQTT Broker) Integration Guide"
slug: "aws-iot-core-mqtt-broker-integration-guide"
updated: 2025-11-14T15:34:17Z
published: 2025-11-14T15:34:17Z
---

# AWS IoT Core (MQTT Broker) Integration Guide

# Tulip Interface to AWS IoT Core Integration - AWS Console Guide

## Overview

This guide shows how to connect your Tulip Interface to AWS IoT Core using **only the AWS Console** - no command line required!

## Prerequisites

- AWS Console access with IoT permissions
- Access to Tulip Interface with MQTT connector capability
- Web browser

---

## Step 1: Create IoT Thing

### 1.1 Navigate to AWS IoT Console

1. Go to [AWS IoT Console](https://console.aws.amazon.com/iot/)
2. In the left sidebar, click **Manage** → **Things**

### 1.2 Create New Thing

1. Click **Create things**
2. Select **Create single thing**
3. Click **Next**
4. Enter Thing name: `tulip-interface-client`
5. Leave other fields as default
6. Click **Next**

---

## Step 2: Create Device Certificate

### 2.1 Certificate Configuration

1. Select **Auto-generate a new certificate**
2. Click **Next**

### 2.2 Create IoT Policy

1. Click **Create policy**
2. In the new tab that opens:
3. **Policy name**: `TulipMQTTPolicy`
4. **Policy document**: Click **JSON** tab and paste:
   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "iot:*"
         ],
         "Resource": "*"
       }
     ]
   }
   ```
5. Click **Create**
6. Return to the previous tab

### 2.3 Attach Policy

1. Refresh the policy list
2. Select **TulipMQTTPolicy**
3. Click **Create thing**

---

## Step 3: Download Certificate Files

### 3.1 Download Required Files

**IMPORTANT**: Download these files immediately (you can't download them later):

1. **Device certificate** → Save as `certificate.pem.crt`
2. **Private key file** → Save as `private.pem.key`
3. **Amazon Root CA 1** → Save as `AmazonRootCA1.pem`
4. Click **Done**

### 3.2 Create Certificate Chain File

1. Open `certificate.pem.crt` in a text editor
2. Open `AmazonRootCA1.pem` in a text editor
3. Create a new file called `cert_chain.pem`
4. Copy the entire contents of `certificate.pem.crt` into `cert_chain.pem`
5. Add a new line at the end
6. Copy the entire contents of `AmazonRootCA1.pem` and append to `cert_chain.pem`
7. Save `cert_chain.pem`

---

## Step 4: Convert Private Key Format

### 4.1 Online Conversion Tool

Since we're avoiding command line, use an online tool:

1. Go to [SSL Converter](https://www.sslshopper.com/ssl-converter.html) or similar tool
2. Select **Convert from**: RSA Private Key
3. Select **Convert to**: PKCS#8
4. Upload your `private.pem.key` file
5. Download the converted file as `private_pkcs8.pem`

**Security Note**: Uploading a private key to a web page hands a copy of that key to whoever operates the site. For production, use offline tools or the command line for better security.
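As an added example (not part of this guide or of Tulip's own tooling), the following Python script performs Step 3.2 and Step 4 locally, so the private key never leaves the machine. Converting a PKCS#1 `RSA PRIVATE KEY` to unencrypted PKCS#8 is only a DER wrapping: the original key bytes are placed inside a `PrivateKeyInfo` structure with the `rsaEncryption` algorithm identifier, so the script does it with the standard library alone. The toy 12-bit key in `toy_pkcs1_der()` is a constructed sample so the script runs offline; `convert_key_file` is the function to call on the real `private.pem.key`.

```python
import base64
import re

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded contents of the OBJECT IDENTIFIER
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(value):
    """DER INTEGER for a non-negative int (a leading 0x00 is added when the top bit is set)."""
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def pem_to_der(pem, label):
    """Extract and base64-decode the body of the first '-----BEGIN <label>-----' block."""
    pattern = r"-----BEGIN %s-----(.*?)-----END %s-----" % (re.escape(label), re.escape(label))
    m = re.search(pattern, pem, re.S)
    if not m:
        raise ValueError("no '%s' PEM block found" % label)
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der, label):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def pkcs1_to_pkcs8(pem):
    """Step 4 without the upload: wrap an 'RSA PRIVATE KEY' (PKCS#1) PEM as an unencrypted
    PKCS#8 'PRIVATE KEY' PEM.  PrivateKeyInfo ::= SEQUENCE { version 0,
    AlgorithmIdentifier { rsaEncryption, NULL }, OCTET STRING (the unchanged PKCS#1 DER) }.
    The key material itself is not modified."""
    if "-----BEGIN PRIVATE KEY-----" in pem:
        return pem  # already PKCS#8, nothing to convert
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem or "Proc-Type: 4,ENCRYPTED" in pem:
        raise ValueError("encrypted keys are not handled here")
    if "-----BEGIN EC PRIVATE KEY-----" in pem:
        raise ValueError("only RSA keys (what AWS IoT auto-generates) are handled here")
    pkcs1 = pem_to_der(pem, "RSA PRIVATE KEY")
    if not pkcs1 or pkcs1[0] != 0x30:
        raise ValueError("key body is not a DER SEQUENCE")
    algorithm = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")  # rsaEncryption, NULL params
    private_key_info = _der(0x30, _der_int(0) + algorithm + _der(0x04, pkcs1))
    return der_to_pem(private_key_info, "PRIVATE KEY")


def build_cert_chain(device_cert_pem, root_ca_pem):
    """Step 3.2: device certificate followed by Amazon Root CA 1, each block ending in a newline."""
    for text, name in ((device_cert_pem, "device certificate"), (root_ca_pem, "root CA")):
        if "-----BEGIN CERTIFICATE-----" not in text or "-----END CERTIFICATE-----" not in text:
            raise ValueError("%s is not a PEM certificate" % name)
    return device_cert_pem.rstrip("\n") + "\n" + root_ca_pem.rstrip("\n") + "\n"


def toy_pkcs1_der():
    """Constructed sample only: a 12-bit 'RSA' key so the example runs offline.  Never a real key.
    RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, d mod (p-1), d mod (q-1), q^-1 mod p }."""
    p, q, e = 61, 53, 17
    n, d = p * q, 2753  # 17 * 2753 == 1 (mod 3120)
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return _der(0x30, b"".join(_der_int(v) for v in fields))


def convert_key_file(src_path, dst_path):
    """Convert private.pem.key to private_pkcs8.pem on the local machine."""
    with open(src_path) as f:
        pem = f.read()
    with open(dst_path, "w") as f:
        f.write(pkcs1_to_pkcs8(pem))


if __name__ == "__main__":
    # Demonstrate on the constructed toy key; on a real machine call
    # convert_key_file("private.pem.key", "private_pkcs8.pem") instead.
    print(pkcs1_to_pkcs8(der_to_pem(toy_pkcs1_der(), "RSA PRIVATE KEY")))
```

The script refuses encrypted keys and EC keys rather than guessing, and returns a key that is already in PKCS#8 form unchanged, so running it twice is harmless. The resulting `private_pkcs8.pem` and `cert_chain.pem` are the two files the Tulip connector expects in Step 6.2.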

---

## Step 5: Get IoT Endpoint

### 5.1 Find Your Endpoint

1. In AWS IoT Console, go to **Settings** (left sidebar)
2. Under **Device data endpoint**, copy the endpoint URL
3. It looks like: `a1234567890123-ats.iot.us-west-1.amazonaws.com`
4. **Save this URL** - you'll need it for Tulip configuration

---

## Step 6: Configure Tulip Interface MQTT Connector

### 6.1 MQTT Connection Settings

In your Tulip Interface MQTT connector, configure:

- **MQTT Broker Host**: `[Your endpoint from Step 5]`
- **Port**: `8883`
- **Protocol**: `MQTT over TLS` or `MQTTS`
- **Client ID**: `tulip-interface-client`

### 6.2 Certificate Configuration

Upload these files to Tulip Interface:

1. **Certificate File**: Upload `cert_chain.pem`
2. **Private Key File**: Upload `private_pkcs8.pem`
3. **CA Certificate File**: Upload `AmazonRootCA1.pem`

### 6.3 Topic Configuration

- **Publish Topic**: `tulip/data`
- **Subscribe Topic**: `tulip/commands` (optional)

---

## Step 7: Enable CloudWatch Logging (Optional)

### 7.1 Create IAM Role

1. Go to [IAM Console](https://console.aws.amazon.com/iam/)
2. Click **Roles** → **Create role**
3. Select **AWS service** → **IoT**
4. Click **Next**
5. Search and select **CloudWatchLogsFullAccess**
6. Click **Next**
7. Role name: `IoTLogsRole`
8. Click **Create role**

### 7.2 Enable IoT Logging

1. Return to [AWS IoT Console](https://console.aws.amazon.com/iot/)
2. Go to **Settings** (left sidebar)
3. Under **Logs**, click **Edit**
4. **Level of verbosity**: Info
5. **Set role**: Select `IoTLogsRole`
6. Click **Update**

---

## Step 8: Test Connection

### 8.1 Monitor in AWS Console

1. Go to **Test** → **MQTT test client**
2. Click **Subscribe to a topic**
3. **Topic filter**: `tulip/data`
4. Click **Subscribe**

### 8.2 Test from Tulip

1. Send a test message from Tulip Interface
2. You should see the message appear in the AWS MQTT test client

### 8.3 Check CloudWatch Logs (if enabled)

1. Go to [CloudWatch Console](https://console.aws.amazon.com/cloudwatch/)
2. Click **Logs** → **Log groups**
3. Find **AWSIotLogsV2**
4. Click on the log group to view connection logs

---

## Troubleshooting

### Common Issues and Console Solutions

#### 1. Certificate Not Working

**Problem**: Connection fails with certificate errors

**Solution**:
- Ensure you're using `cert_chain.pem` (not the individual certificate)
- Verify the private key is in PKCS#8 format (`private_pkcs8.pem`)

#### 2. Policy Issues

**Problem**: Authorization failures in logs

**Solution**:
1. Go to **Secure** → **Policies**
2. Click on **TulipMQTTPolicy**
3. Verify the JSON policy allows `"iot:*"` on `"*"` resources

#### 3. Wrong Endpoint

**Problem**: Cannot connect to broker

**Solution**:
1. Go to **Settings** in IoT Console
2. Copy the exact endpoint URL (including the `-ats` suffix)
3. Use port `8883`

#### 4. Certificate Not Attached

**Problem**: Authentication failures

**Solution**:
1. Go to **Secure** → **Certificates**
2. Click on your certificate
3. Check the **Things** and **Policies** tabs
4. Ensure the `tulip-interface-client` thing and `TulipMQTTPolicy` are attached

---

## File Summary

You should have these files for Tulip configuration:

```
📁 Downloaded Files
├── certificate.pem.crt      # Original device certificate
├── private.pem.key          # Original private key
├── AmazonRootCA1.pem        # Amazon Root CA
├── cert_chain.pem           # Certificate + Root CA ← Use this
└── private_pkcs8.pem        # Converted private key ← Use this
```

---

## Quick Reference Card

### Tulip MQTT Configuration Summary

| Setting | Value |
| --- | --- |
| **Host** | `[your-endpoint]-ats.iot.[region].amazonaws.com` |
| **Port** | `8883` |
| **Client ID** | `tulip-interface-client` |
| **Topic** | `tulip/data` |
| **Certificate** | `cert_chain.pem` |
| **Private Key** | `private_pkcs8.pem` |
| **CA Certificate** | `AmazonRootCA1.pem` |

### AWS Console Quick Links

- [IoT Console](https://console.aws.amazon.com/iot/) - Main IoT management
- [MQTT Test Client](https://console.aws.amazon.com/iot/home#/test) - Test messages
- [CloudWatch Logs](https://console.aws.amazon.com/cloudwatch/home#logsV2:log-groups) - View connection logs
- [IAM Console](https://console.aws.amazon.com/iam/) - Manage roles and policies

---

## Success Indicators

### ✅ Connection Successful

- Tulip Interface shows "Connected" status
- Messages appear in AWS MQTT test client when subscribed to `tulip/data`
- CloudWatch logs show successful `Publish-In` events

### ❌ Connection Failed

- Check certificate files are correct format
- Verify endpoint URL is exact match from AWS Console
- Ensure port 8883 is used
- Confirm client ID matches thing name exactly

---

## Security Best Practices

1. **Certificate Storage**: Store certificate files securely in Tulip
2. **Policy Refinement**: After testing, create more restrictive policies
3. **Monitoring**: Enable CloudWatch logging for production monitoring
4. **Regular Rotation**: Plan for certificate rotation (certificates expire in 2049)
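Item 2 above asks for a more restrictive policy once testing is done. As an added example (not from this guide or from Tulip), the Python below builds such a policy from the values configured in Step 6: `iot:Connect` limited to the `tulip-interface-client` client ID, `iot:Publish` to `tulip/data`, and `iot:Subscribe`/`iot:Receive` to `tulip/commands`. It also includes a small checker that flags the testing policy's `iot:*` on `*` so the two can be compared. The account ID `123456789012` is a constructed placeholder; substitute your own account and region.

```python
import json

# The testing policy from Step 2.2 of the guide: every IoT action on every resource.
PERMISSIVE_TEST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iot:*"], "Resource": "*"}],
}


def least_privilege_iot_policy(region, account_id, client_id, publish_topic, subscribe_topic=None):
    """Policy document scoped to one client ID and its topics (the Step 6 settings).
    Resource ARN forms: client/<id> for Connect, topic/<name> for Publish and Receive,
    topicfilter/<filter> for Subscribe."""
    for topic in (publish_topic, subscribe_topic or ""):
        if "+" in topic or "#" in topic:
            raise ValueError("pass literal topics; wildcard filters need their own Receive resources")
    base = "arn:aws:iot:%s:%s" % (region, account_id)
    statements = [
        {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": base + ":client/" + client_id},
        {"Effect": "Allow", "Action": ["iot:Publish"], "Resource": base + ":topic/" + publish_topic},
    ]
    if subscribe_topic:
        statements += [
            {"Effect": "Allow", "Action": ["iot:Subscribe"],
             "Resource": base + ":topicfilter/" + subscribe_topic},
            {"Effect": "Allow", "Action": ["iot:Receive"],
             "Resource": base + ":topic/" + subscribe_topic},
        ]
    return {"Version": "2012-10-17", "Statement": statements}


def find_broad_statements(policy):
    """Allow statements that grant every action ('*' or 'iot:*') or apply to every resource ('*')."""
    broad = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        resources = stmt.get("Resource", [])
        resources = resources if isinstance(resources, list) else [resources]
        if any(a in ("*", "iot:*") for a in actions) or "*" in resources:
            broad.append(stmt)
    return broad


def policy_json(policy):
    """Pretty-printed document for pasting into the console's JSON tab."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed account ID and the region from the Step 5 example endpoint.
    policy = least_privilege_iot_policy(
        "us-west-1", "123456789012", "tulip-interface-client", "tulip/data", "tulip/commands"
    )
    print("broad statements in test policy:", len(find_broad_statements(PERMISSIVE_TEST_POLICY)))
    print("broad statements in scoped policy:", len(find_broad_statements(policy)))
    print(policy_json(policy))
```

Paste the printed document into **TulipMQTTPolicy** in place of the testing policy, then re-run the Step 8 test: a Connect with any other client ID, or a Publish to any other topic, will now show up as an authorization failure in the CloudWatch logs rather than succeeding silently.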

---

## Support Resources

- **AWS IoT Documentation**: [docs.aws.amazon.com/iot](https://docs.aws.amazon.com/iot/)
- **Tulip Support**: Contact Tulip support for MQTT connector issues
- **AWS Support**: Use AWS Support for IoT Core issues

---

**Note**: This guide uses the AWS Console exclusively. For automation or scripting, refer to the CLI-based guide.
