details on using AWS IoT with OwnTracks

[karlw00t]

After getting the AWS CLI set up, I ran the following commands to create a p12 file that I could put on my phone and use with OwnTracks on Android. Should work with iOS, didn't test it.

$ aws iot create-thing --thing-name phone
{
    "thingName": "phone",
    "thingArn": "arn:aws:iot:us-west-2:135081905160:thing/phone"
}
$ aws ito create-keys-and-certificate
$ aws iot create-keys-and-certificate --set-as-active --public-key-outfile public-key --private-key-outfile private-key --certificate-pem-outfile cert.pem
{
    "certificateArn": "arn:aws:iot:us-west-2:135081905160:cert/75cc4e8542182c260d3245cecb8",
    "certificateId": "75cc4e8542182c260d3245cecb8",
    "certificatePem": "snip",
    "keyPair": {
        "PublicKey": "snip",
        "PrivateKey": "snip"
    }
}
$ ls
awscli      cert.pem    private-key public-key
$ openssl pkcs12 -export -in cert.pem -inkey private-key -out private.p12
Enter Export Password:
Verifying - Enter Export Password:
$ ls
awscli      cert.pem    private-key private.p12 public-key
$ aws iot create-policy 
$ vim policy.json
$ aws iot create-policy --policy-name phone --policy-document "`cat policy.json`"
{
    "policyName": "phone",
    "policyArn": "arn:aws:iot:us-west-2:135081905160:policy/phone",
    "policyDocument": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": \"iot:*\",\n      \"Resource\": \"*\"\n    }\n  ]\n}",
    "policyVersionId": "1"
}
$ aws iot attach-principal-policy --principal arn:aws:iot:us-west-2:135081905160:cert/75cc4e8542182c260d3245cecb8 --policy-name phone
$ aws iot attach-thing-principal --thing-name phone --principal arn:aws:iot:us-west-2:135081905160:cert/75cc4e8542182c260d3245cecb8
$ aws iot describe-endpoint
{
    "endpointAddress": "identifier.iot.*region*.amazonaws.com"
}

I use this endpointAddress to construct the settings file:

{
    "_type":"configuration", 
    "mode":0, 
    "host": "identifier.iot.*region*.amazonaws.com",
    "port": 8883,
    "subQos":0,
    "pubQos":0, 
    "auth":false,
    "pubRetain":false, 
    "cleanSession":true, 
    "tls":true,
    "clientId":"phone"
}

I then use Google Drive to copy the privete.p12 file to my phone and the settings.json file.

The policy attached to this principal (the certificate) will allow your instance of own tracks to publish to any MQTT topic. This principal could get scoped down with a resource that would only allow it to post to the owntracks topic.

[iDVB]

Just came across this on my search for this very answer. 1) OwnTracks docs make reference to "AWS IOT does not support some MQTT features (notable retained messages), some OwnTracks features might not work as expected" For someone new to OT, what features would you be loosing?

2) Is using AWS IOT the current, arguably best, private setup for MQTT broker? I'd rather keep my data close but not willing to pay more then $4/month to do so.

[jpmens]

1. Retained messages are something our apps do by default. AWS IoT cannot handle them, so you cannot use the apps with that.
2. Definitely not IMO. Your best bet and the best and closest you can keep your data is hosting your own broker, e.g. Mosquitto at home for $0/month. :-)

[iDVB]

Thanks @jpmens. Ya, I figured that would be best. However, I'm guessing that requires me to expose my broker externally to the interwebs, something that needs a considerable amount of caution and care/know-how for it to be secure. Example, I'm currently using Hass.io and have chosen to not expose it directly and instead connect first to my home VPN.

Hosting my own broker would require me to ensure all devices have that vpn turned on all the time. (not ideal for the layman in my family)

Is "historical" data the only thing I lose with AWS IOT in OT? Cause I'm really only setting this up for use with presence detection for OT/Hass.io. I assumed it really only needs to know where clients are now , no?

[jpmens]

IIRC the clients won't work at all with AWS IoT, but things might have changed meanwhile. Test it and see.

[iDVB]

Weird, what would the purpose of this post be then? Sounds like @karlw00t was using the android app with AWS IOT? I've give it a go, but since its my first time with OT and AWS IOT I suspect it not to go without a hitch either way. :D

[binarybucks]

@jpmens for the record, clients do work with AWS IoT. Connection and pub/sub works fine. Just without retained messages. Hence clients will only see location updates that happen when they are connected.

Home Assistant keeps the connection open and should receive pubs just fine.

I don't know why one would want to use AWS IoT for this however. It costs money, is a cloud thing and setting up Mosquitto in a secure fashion and exposing it is easier than setting up a dedicated VPN for it. Keeping a VPN open all the time or negotiating a connection all the time is also not very friendly to the battery on mobile devices.

[iDVB]

@binarybucks Sorry, not sure I fully understand what solution you are suggesting is likely better/easier? Just host the mqtt broker at home, then expose it outside my router without vpn? What is the security method then?

Any help would be greatly appreciated. I'm not shy with setup, just with security issues. Example Hass.io has already seen people searching for device's fingerprints. Just trying to be smart with things.

[binarybucks]

host the mqtt broker at home, then expose it outside my router without vpn

Yes but only the broker and not Home Assistant

What is the security method then?

TLS, Authentication, ACLs

[jpmens]

@iDVB If you set up a Mosquito broker at home and use that for HASS, you could use it for OwnTracks apps as well. TLS protects the traffic in transit, and you could add TLS client certificates for authentication. We document this in our Booklet. (If you think it's not well described, we gladly accept pull requests for documentation also. :-)

[iDVB]

thanks @jpmens I may just do that. One last alternative thought though, I heard that some people we're using CloudMQTT as a bridge to their home hosted broker. However, I'm not sure how that changes things from just using CloudMQTT directly. (same data hosted there, same transfer restrictions/fees no?)

[chrisns]

@iDVB related to your suggestion I wrote https://github.com/chrisns/mqtt-encrypted-bridge which I use with cloudmqtt and vernemq

I plan on rewriting to work with aws iot and using some lambda and/or iot rules to handle republishing retained messages to device shadows.