Connecting to AWS IOT using Custom Authorizer and use MQTT Username Password

Question

I want to connect to AWS IOT using username and password and send data on topic. I read about it on AWS IOT documentation that we can achieve this using Custom Authentication: https://docs.aws.amazon.com/iot/latest/developerguide/custom-authentication.html

I followed the documentation and:

1. Created Custom Authentication Lambda
2. Created Custom Authorizer in AWS IOT using Lambda ARN
3. Added Custom Authorizer to invoke the lambda function.
4. Tested Custom Authorizer using aws iot test-invoke-authorizer

I was able to test the lambda with aws int test-invoke-authorizer for MQTT context.

But when I try to connect/publish to AWS IOT using username password It fails. I followed as per below documentation.

Here is the command which I use to connect AWS IOT using mosquito.org cli

 mosquitto_pub -p 443 -i 'sample'  -h XXXXXXXXXX.iot.ap-south-1.amazonaws.com -u "username?x-amz-customauthorizer-name=my-new-authorizer" -P "dGVzdA==" -t test/hello -m "Hello World" -d

The error which I received is following

Client sample sending CONNECT
Error: Unknown error.

NOTE: I am not passing token and signature as mentioned in the documentation as I have disabled it in lambda.

Any help really appreciated.

Answer 1

I got reply from AWS premium support and as per them we have to include APLN while issuing command. additionally we have to also provide AmazonRootCA1.pem

mosquitto_pub -p 443 -i 'sample' -h XXXX-ats.iot.ap-south-1.amazonaws.com -u "username?x-amz-customauthorizer-name=my-new-authorizer" -P "test" -t test/hello -m "Hello World" --tls-alpn mqtt --cafile AmazonRootCA1.pem -d

Note: they have suggested following options:

--cafile AmazonRootCA1.pem

--tls-alpn mqtt

You can download cert from this link:

https://www.amazontrust.com/repository/AmazonRootCA1.pem