Hello everyone & future me,
First off, I apologize for resurrecting an old thread. This particular discussion popped up during my search, and I thought it would be beneficial for others who might stumble upon it in the future. I’m not asserting this as a definitive guide, but I wanted to share my observations and steps that helped me set up Home Assistant with AWS IoT Core’s MQTT Broker in 2023. I hope it can be of help to someone else.
1. Introduction:
Before diving in, it’s essential to note that most of these settings need to be made through the Home Assistant UI, not directly in the configuration.yaml (except for the specific instruction in section 5). Also, always consider enabling CloudWatch logging for AWS IoT, as it’s immensely helpful for debugging connection and authorization failures.
2. Prerequisites:
- A working Home Assistant setup.
- An AWS account with AWS IoT Core set up.
- MQTT installed in Home Assistant. You can do this via Settings -> Devices & Services -> Add Integration.
3. AWS IoT Core Settings:
3.1. Certificate and Thing Association:
Instead of using the “Connect a device” wizard in AWS, navigate to the IoT service -> Security -> Certificates. Here, opt for “Auto-generate” for the certificate creation. Once created, activate the certificate and download the “Device Certificate” and “Private key file”. You’ll later upload these files to Home Assistant during the MQTT client setup.
3.2. Security Policy Settings:
Set your security policy to: IoTSecurityPolicy_TLS13_1_2_2022_10.
3.3. Defining the Security Policy:
The accuracy of this policy is pivotal for the setup’s functionality. If you observe connection errors in CloudWatch, the iot:Connect action (or the client ID in its resource) is most likely not configured correctly. Authorization errors typically indicate issues with other parts of the policy (publish, subscribe or receive). Ensure your policy resource ARNs are precise. Here’s a sample policy that’s quite permissive but functional:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:[your-region]:[your-aws-account-id]:client/[your-client-id]"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Receive",
        "iot:GetRetainedMessage",
        "iot:RetainPublish"
      ],
      "Resource": "arn:aws:iot:[your-region]:[your-aws-account-id]:topic/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:[your-region]:[your-aws-account-id]:topicfilter/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:ListRetainedMessages",
      "Resource": "*"
    }
  ]
}
```
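The sample above grants every topic and topic filter, which is what the disclaimer at the end of this post asks you to tighten for a live setup. The following script is an added example and not part of the original post: it builds a policy in the same shape as the sample but scoped to one client ID and to the Home Assistant base topic (the discovery prefix / mqtt_statestream base_topic), and it audits any policy document for a missing iot:Connect statement or for resources that allow everything. The region, account ID, client ID and base topic values are placeholders; the ARN formats client/, topic/ and topicfilter/ are the ones the sample policy already uses. Note that the sample's iot:ListRetainedMessages statement on "*" will be flagged by the audit, so decide whether you actually need that action.

```python
"""Build and audit an AWS IoT Core policy for a Home Assistant MQTT client.

Added example, not code from the original forum post. Region, account id,
client id and base topic are placeholders to replace with your own values.
"""
import json

# The topic-level actions the post's sample policy grants. Here they are
# scoped to topic/<base_topic>/* instead of topic/*.
TOPIC_ACTIONS = [
    "iot:Publish",
    "iot:Receive",
    "iot:GetRetainedMessage",
    "iot:RetainPublish",
]


def build_policy(region: str, account_id: str, client_id: str, base_topic: str) -> dict:
    """Return a policy allowing only the given client id and topics under base_topic."""
    prefix = f"arn:aws:iot:{region}:{account_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Connect is authorised against the client ID entered in the HA MQTT setup.
                "Effect": "Allow",
                "Action": "iot:Connect",
                "Resource": f"{prefix}:client/{client_id}",
            },
            {
                # mqtt_statestream publishes to <base_topic>/<domain>/<object_id>/..., so
                # topic/<base_topic>/* covers what Home Assistant sends and receives.
                "Effect": "Allow",
                "Action": TOPIC_ACTIONS,
                "Resource": f"{prefix}:topic/{base_topic}/*",
            },
            {
                # Subscribe is authorised against the topic filter, e.g. myprefix/#.
                "Effect": "Allow",
                "Action": "iot:Subscribe",
                "Resource": f"{prefix}:topicfilter/{base_topic}/#",
            },
        ],
    }


def _as_list(value):
    """IAM-style documents allow a string or a list in Action/Resource."""
    return value if isinstance(value, list) else [value]


def _is_unrestricted(resource: str) -> bool:
    """True for "*" and for bare topic/* or topicfilter/* style resources."""
    if resource == "*":
        return True
    # "arn:aws:iot:<region>:<account>:topic/*" has exactly one "/", so the
    # wildcard is directly under the resource type; "topic/myprefix/*" has two.
    return resource.endswith("/*") and resource.count("/") == 1


def audit_policy(policy: dict) -> list:
    """Return findings: unrestricted resources, or no iot:Connect at all."""
    findings = []
    seen_actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        seen_actions.update(actions)
        for resource in _as_list(stmt.get("Resource", [])):
            if _is_unrestricted(resource):
                findings.append(
                    f"{', '.join(actions)} allowed on unrestricted resource {resource}"
                )
    if "iot:Connect" not in seen_actions:
        findings.append(
            "no iot:Connect statement: the client will fail at connect (visible in CloudWatch)"
        )
    return findings


def to_json(policy: dict) -> str:
    """Render the policy as the JSON text pasted into the AWS IoT console."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Placeholder values; replace with your own region, account id, client id and prefix.
    policy = build_policy("[your-region]", "[your-aws-account-id]", "clientXXXX", "myprefix")
    print(to_json(policy))
    print("findings:", audit_policy(policy) or "none")
```

Paste the printed JSON into the policy attached to your certificate; if the audit reports a finding on a policy you already have, that statement is the one to narrow before going live.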
4. Setting Up MQTT in Home Assistant:
With the necessary details and files from AWS in hand, proceed to set up the MQTT integration in Home Assistant:
- Navigate to Settings -> Devices & Services -> Add Integration and select MQTT.
- You’ll be presented with various fields to complete:
  - Broker: [your-aws-broker-url] (e.g., xxxxx-ats.iot.[your-region].amazonaws.com)
  - Port: 8883
  - Username + Password: Leave these empty.
  - Client ID: Designate a unique ID for your client (e.g., clientXXXX). It must match the client ID in the iot:Connect resource of your policy.
  - Broker certificate validation: Select Auto.
  - Ignore broker certificate validation: Deactivate this option.
  - MQTT protocol (version): Set to 5.
  - MQTT Transport: Choose TCP. (WebSocket employs port 443, but this wasn’t successful in tests.)
  - Discovery prefix: Decide on a prefix (e.g., myprefix).
  - Enable birth message: Deactivate this setting.
  - Enable will message: Also deactivate this.
For the certificate files:
- First, enable the “Use a client certificate” option.
- Proceeding to the next step will display buttons for uploading the certificate files:
- Click “Upload client certificate file” to upload the “Device Certificate” from AWS.
- Use “Upload private key file” for the “Private key file” from AWS.
5. Configuring configuration.yaml in Home Assistant:
After the MQTT UI setup, incorporate this minor addition to your configuration.yaml:
```yaml
mqtt_statestream:
  base_topic: [your-discovery-prefix]
```
Post-change, execute a full restart of Home Assistant — a settings reload won’t suffice.
6. Testing the Setup:
For verification:
- In Home Assistant, go to Settings -> Devices & Services -> MQTT -> Configure. Under “Listen to a topic”, insert # as the “Topic to subscribe to” and initiate “Start Listening”.
- Within AWS, access the “MQTT test client” and similarly subscribe to #.
- Messages can now be dispatched from either platform. Messages sent from Home Assistant should be visible in the AWS MQTT test client and vice versa.
7. Conclusion:
I trust that these insights might aid someone embarking on a similar integration journey. As technology continuously advances, it’s always wise to consult the most recent documentation when uncertain. If obstacles arise, AWS’s CloudWatch logs and the available testing tools in both AWS and Home Assistant are indispensable for troubleshooting.
Disclaimer: For live environments, it’s paramount to draft a more stringent security policy in AWS. The shared policy is illustrative and errs on the side of permissiveness to ensure operability. Always prioritize best practices when deploying in a real-world scenario.
Best wishes on your integration journey!
My dear thanks to ChatGPT who helped immensely with writing this forum post.