Thursday, February 23, 2023

Route messages across multiple accounts with AWS IoT Core and Amazon SQS


Introduction

In this blog, we explain how to route AWS IoT Core messages from multiple ingestion accounts to Amazon Simple Queue Service (Amazon SQS) in a data account. It is a common pattern to have IoT telemetry ingested into one account and then require it to be sent to another account for further processing. For example, an organization may host devices in multiple accounts where the data being ingested is classified as both sensitive and operational. Sensitive data needs to be kept in the original collection account, but operational data needs to be relayed to another account monitored by an operations team.

You will learn how to configure AWS IoT rules for cross-account access to route MQTT topic data into Amazon SQS. Rules for AWS IoT give your devices the ability to interact with AWS services. You can use rules to support tasks such as augmenting or filtering data from a device, writing data to a database, publishing messages to Amazon SQS, and more. For a complete list of tasks you can perform, refer to the Rules for AWS IoT section of the AWS IoT Core Developer Guide.

Solution Overview

In this solution, you will first create an Amazon SQS queue in the data account and grant the ingestion account permission to publish to it. Next, you will create AWS IoT rules and send messages through them to test.

  1. Create an Amazon SQS queue called iot-data in the data account and allow publishing to this queue from the ingestion account.
  2. In the ingestion account:
    a. Create an AWS Identity and Access Management (IAM) role with a policy that allows publishing to Amazon SQS in the data account.
    b. Create an IAM role with a policy that allows a republish action for errors encountered when publishing to the SQS queue.
  3. Create an IoT rule in the ingestion account to evaluate messages from a topic called data/private and send them to the data account SQS queue. The rule will have an error action that republishes messages to the error/rules topic for troubleshooting.
  4. Publish messages to the MQTT topic data/private and verify that the messages are visible in the data account SQS queue.

Solution Diagram

Solution architecture diagram

Solution Instructions

Prerequisites

  1. Two AWS accounts
  2. Administrator privileges in both accounts
  3. AWS Command Line Interface (AWS CLI)

Create an SQS queue in the data account

  1. Create a file named queue_attributes.json with the following content.
    { "MessageRetentionPeriod": "259200" }
  2. With the AWS CLI configured for the data account and using the queue_attributes.json file, create an SQS queue called iot-data.
    aws sqs create-queue \
         --queue-name iot-data \
         --attributes file://queue_attributes.json
  3. Record the QueueUrl from the output, as it will be needed in the next section.
  4. To grant the ingestion account permission to access the Amazon SQS queue resource, run the add-permission command. Be sure to update the region and account IDs accordingly.
    aws sqs add-permission \
         --queue-url https://sqs.<data account region>.amazonaws.com/<data account ID>/iot-data \
         --label IoTSendMessage \
         --aws-account-ids <ingestion account ID> \
         --actions SendMessage

Create the AWS Identity and Access Management (IAM) role and policy for cross-account publishing to SQS

In order to publish to the SQS queue in the data account, you first need to allow that action.

  1. Create a file named iot_policy.json with the following content. This is the trust policy that lets the AWS IoT service assume the role:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "iot.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
  2. With the AWS CLI configured for the ingestion account, run the following command to create a role called iot-cross-sqs-allow and attach the trust policy that allows AWS IoT to assume it.
    aws iam create-role \
         --role-name iot-cross-sqs-allow \
         --assume-role-policy-document file://iot_policy.json
  3. Review the output and ensure it is correct:
    {
        "Role": {
            "Path": "/",
            "RoleName": "iot-cross-sqs-allow",
            "RoleId": "XXXXXXXXXXXXXXXXXXXXX",
            "Arn": "arn:aws:iam::XXXXXXXXXXXX:role/iot-cross-sqs-allow",
            "CreateDate": "2022-09-07T05:05:58+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "iot.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            }
        }
    }
  4. Create a file called allow_send_cross_sqs.json with the following content. For the resource ARN, be sure to update the region and account ID of the data account.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sqs:SendMessage",
                "Resource": "arn:aws:sqs:<data account region>:<data account ID>:iot-data"
            }
        ]
    }
  5. Add this custom inline policy to the role you created in the previous step by using the following command:
    aws iam put-role-policy \
         --role-name iot-cross-sqs-allow \
         --policy-name new-iot-cross-sqs-policy \
         --policy-document file://allow_send_cross_sqs.json

Create the AWS IAM role and policy to allow republishing of errors

When republishing messages with an AWS IoT rule, permissions must be set correctly to allow this action.

  1. With the AWS CLI configured for the ingestion account and using the same trust policy file (iot_policy.json) created earlier, create a new role called iot-republish:
    aws iam create-role \
         --role-name iot-republish \
         --assume-role-policy-document file://iot_policy.json
    
  2. Review the output and ensure it is correct:
    {
        "Role": {
            "Path": "/",
            "RoleName": "iot-republish",
            "RoleId": "XXXXXXXXXXXXXXXXXXXXX",
            "Arn": "arn:aws:iam::XXXXXXXXXXXX:role/iot-republish",
            "CreateDate": "2022-09-07T05:24:36+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "iot.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            }
        }
    }
  3. Next, create a file called allow_republish.json with the following content. Note that this policy restricts publishing to topic names beginning with error/, which covers the error/rules topic used by the rule's error action (IoT topic resources take the form arn:aws:iot:<region>:<account>:topic/<topic name>). Be sure to update the region and account ID of the ingestion account.
    {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Action": "iot:Publish",
            "Resource": "arn:aws:iot:<ingestion account region>:<ingestion account ID>:topic/error/*"
        }
    }
    
  4. Add the policy just created as an inline policy to the iot-republish role:
    aws iam put-role-policy \
         --role-name iot-republish \
         --policy-name iot-republish \
         --policy-document file://allow_republish.json
    

Create an IoT rule in the ingestion account to evaluate messages and republish errors

Next, we will create the IoT rule that routes messages to the SQS queue in the data account and also republishes any messages that encounter an error to a topic named error/rules.

  1. Create a file named ingestion_rule.json with the following content. Be sure to update the queueUrl and roleArn values with those obtained in the earlier steps.
    {
        "sql": "SELECT * FROM 'data/private'",
        "description": "Cross-account publishing of messages to SQS.",
        "ruleDisabled": false,
        "awsIotSqlVersion": "2016-03-23",
        "actions": [{
            "sqs": {
                "roleArn": "<iot-cross-sqs-allow role ARN>",
                "queueUrl": "https://sqs.<data account region>.amazonaws.com/<data account ID>/iot-data",
                "useBase64": true
            }
        }],
        "errorAction": {
            "republish": {
                "roleArn": "<iot-republish role ARN>",
                "topic": "error/rules",
                "qos": 0
            }
        }
    }
  2. With the AWS CLI configured for the ingestion account, create the IoT rule that publishes messages to SQS in the data account:
    aws iot create-topic-rule \
         --rule-name "cross_account_sqs_publish" \
         --topic-rule-payload file://ingestion_rule.json
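Before creating the rule, it is worth checking that the three JSON files agree with each other, since a queue URL pointing at the wrong account or a republish topic outside the iot:Publish resource pattern only shows up later as a delivery failure. The following preflight check is an added example, not code from the original post: it uses inline, constructed stand-ins for allow_send_cross_sqs.json, allow_republish.json and ingestion_rule.json with placeholder account IDs (111111111111 for the data account, 222222222222 for the ingestion account) and confirms that the rule's queueUrl is covered by the sqs:SendMessage policy and its errorAction topic by the iot:Publish policy.

```python
import re
from urllib.parse import urlparse

# Constructed stand-ins for allow_send_cross_sqs.json, allow_republish.json and
# ingestion_rule.json; placeholder IDs 111111111111 = data account, 222222222222 = ingestion account.
SQS_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:111111111111:iot-data"}]}
REPUBLISH_POLICY = {"Version": "2012-10-17", "Statement": {"Effect": "Allow",
    "Action": "iot:Publish", "Resource": "arn:aws:iot:us-east-1:222222222222:topic/error/*"}}
RULE = {"sql": "SELECT * FROM 'data/private'", "ruleDisabled": False,
    "actions": [{"sqs": {"roleArn": "arn:aws:iam::222222222222:role/iot-cross-sqs-allow",
        "queueUrl": "https://sqs.us-east-1.amazonaws.com/111111111111/iot-data", "useBase64": True}}],
    "errorAction": {"republish": {"roleArn": "arn:aws:iam::222222222222:role/iot-republish",
        "topic": "error/rules", "qos": 0}}}

def allowed_resources(policy, action):
    """Resource ARN patterns granted by Allow statements for the action (Statement may be object or list)."""
    stmts = policy["Statement"] if isinstance(policy["Statement"], list) else [policy["Statement"]]
    return [s["Resource"] for s in stmts if s.get("Effect") == "Allow" and s.get("Action") == action]

def queue_arn_from_url(url):
    """https://sqs.<region>.amazonaws.com/<account>/<name> -> arn:aws:sqs:<region>:<account>:<name>"""
    u = urlparse(url)
    account, name = u.path.strip("/").split("/")
    return f"arn:aws:sqs:{u.hostname.split('.')[1]}:{account}:{name}"

def arn_matches(pattern, arn):
    """IAM-style wildcard match: '*' stands for any run of characters."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), arn) is not None

def check_rule(rule, sqs_policy, republish_policy):
    """Return a list of problems; an empty list means the rule and both policies agree."""
    problems = []
    for action in rule["actions"]:
        if "sqs" in action:
            arn = queue_arn_from_url(action["sqs"]["queueUrl"])
            if not any(arn_matches(p, arn) for p in allowed_resources(sqs_policy, "sqs:SendMessage")):
                problems.append(f"sqs:SendMessage not allowed on {arn}")
    republish = rule.get("errorAction", {}).get("republish")
    if republish:
        # iot:Publish resources take the form arn:aws:iot:<region>:<account>:topic/<topic name>;
        # compare only the topic part so a bare "*" resource still matches
        wanted = "topic/" + republish["topic"]
        if not any(arn_matches(p.split(":", 5)[-1], wanted)
                   for p in allowed_resources(republish_policy, "iot:Publish")):
            problems.append(f"iot:Publish not allowed on {wanted}")
    return problems
```

Running check_rule against a republish policy whose resource ends in topic/errors/* instead of topic/error/* reports the mismatch, which is the kind of drift that would otherwise surface only as silent error-action failures.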

Publish messages and verify they are visible in the data account SQS queue

To test the solution, you can publish a message to AWS IoT Core and see if it arrives successfully in the data account SQS queue.

  1. From the ingestion account, use the AWS IoT MQTT client to subscribe to the data/private and error/rules topics.
  2. Continuing with the AWS IoT MQTT client, publish a message to the data/private topic with a sample payload:
    {
        "message": "Hello, world",
        "clientType": "MQTT client"
    }
    
  3. Retrieve messages from the SQS queue and review the output by configuring the AWS CLI for the data account and running the following command.
    aws sqs receive-message \
        --queue-url https://sqs.<data account region>.amazonaws.com/<data account ID>/iot-data
    

    Because the rule sets useBase64 to true, the Body parameter of the output is Base64 encoded. You will need to decode it to see the contents of the published message.

  4. If messages are not being received in the SQS queue, check the error/rules topic subscription in the AWS IoT MQTT client in the ingestion account for error messages related to delivery.
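To make the decoding step in item 3 repeatable, here is an added helper that is not part of the original post. It parses the JSON printed by aws sqs receive-message, verifies each Body against the MD5OfBody digest SQS returns, and decodes the Body whether the rule delivered it Base64 encoded (useBase64 true, as configured above) or as plain JSON. The receive output is constructed inline from the sample payload above; the MessageId and ReceiptHandle values are placeholders.

```python
import base64
import binascii
import hashlib
import json

# Constructed stand-in for `aws sqs receive-message` output: the page's sample payload,
# Base64 encoded the way the rule's "useBase64": true delivers it. IDs are placeholders.
SAMPLE_PAYLOAD = {"message": "Hello, world", "clientType": "MQTT client"}
ENCODED_BODY = base64.b64encode(json.dumps(SAMPLE_PAYLOAD).encode()).decode()
RECEIVE_OUTPUT = json.dumps({"Messages": [{
    "MessageId": "00000000-0000-0000-0000-000000000000",
    "ReceiptHandle": "AQEB-placeholder-receipt-handle",
    "MD5OfBody": hashlib.md5(ENCODED_BODY.encode()).hexdigest(),
    "Body": ENCODED_BODY}]})

def decode_body(body):
    """Return the published payload as a dict. A Base64 body (useBase64: true) is
    decoded first; a plain JSON body (useBase64: false) is parsed as-is."""
    try:
        return json.loads(base64.b64decode(body, validate=True))
    except (binascii.Error, ValueError):
        # a body starting with '{' is not valid Base64, so plain JSON lands here
        return json.loads(body)

def read_messages(receive_output):
    """Parse receive-message output, check each Body against MD5OfBody, and decode it.
    A digest mismatch means the body was altered or truncated on its way to the CLI."""
    decoded = []
    for msg in json.loads(receive_output).get("Messages", []):
        if hashlib.md5(msg["Body"].encode()).hexdigest() != msg["MD5OfBody"]:
            raise ValueError(f"MD5OfBody mismatch for message {msg['MessageId']}")
        decoded.append(decode_body(msg["Body"]))
    return decoded
```

Pipe the real CLI output into read_messages (for example via sys.stdin.read()) to get the decoded payloads; an empty Messages list simply returns an empty result.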

Cleaning Up

It is good practice to clean up any resources you no longer want to use. Cleaning up AWS resources prevents your account from incurring any further charges.

  1. Delete the SQS queue (with the AWS CLI configured for the data account):
    aws sqs delete-queue \
       --queue-url https://sqs.<data account region>.amazonaws.com/<data account ID>/iot-data
  2. Delete the iot-cross-sqs-allow IAM role (with the AWS CLI configured for the ingestion account):
    aws iam delete-role-policy \
         --role-name iot-cross-sqs-allow \
         --policy-name new-iot-cross-sqs-policy
    
    aws iam delete-role --role-name iot-cross-sqs-allow
    
  3. Delete the iot-republish role:
    aws iam delete-role-policy \
         --role-name iot-republish \
         --policy-name iot-republish
    
    aws iam delete-role --role-name iot-republish
    
  4. Delete the cross_account_sqs_publish topic rule:
    aws iot delete-topic-rule \
         --rule-name cross_account_sqs_publish

Conclusion

In this blog we explained how to route AWS IoT messages from an ingestion account to Amazon SQS in a data account. We have shown you one pattern that allows for segmentation of sensitive device data and operational data within separate accounts. For further examples of how to perform cross-account message routing with other AWS services, please check the related documentation in the AWS Developer Guide.

Authors

Steve Krems is a Specialist Solutions Architect for IoT at Amazon Web Services (AWS). Prior to this role, Steve spent 18 years in the semiconductor industry in Information Technology management roles with a focus on cloud migration and modernization.
Kai-Matthias Dickman is a Specialist Solutions Architect for IoT at Amazon Web Services (AWS). He enjoys working with developers and decision makers at large enterprises to drive the adoption of AWS IoT services. Kai has in-depth knowledge of IoT and cloud and works in this role with global customers ranging from start-ups to enterprises to enable them to build IoT solutions with the AWS ecosystem.
