MQTT SSL/TLS Connectivity: Client Authentication (CA Cert + Client Cert + Client Private Key)

JohanMynhardt
Here to help


This relates to AWS IoT Core.

I'm running into a situation where the bridge-workaround [0] is not optimal any longer.

The next step is to look at AWS IoT custom authorizers, but it would be helpful to know whether there are plans from Meraki to support TLS client authentication, since there is currently a big push on this kind of authentication.

 

[0]: https://aws.amazon.com/blogs/iot/how-to-bridge-mosquitto-mqtt-broker-to-aws-iot/

2 Replies
JohanMynhardt
Here to help

I have gone down the path of using an AWS IoT Custom Authorizer, and I'm 99% of the way there. The last thing I'm unable to do via the Meraki console is to specify an ALPN [0] value as required by the AWS IoT Custom Authorizer protocols [1], [2], [3].

The following is an example command using `mosquitto_pub` to test that AWS IoT is reachable using only a CA Cert and a Custom Authorizer (no mTLS authorization through CA cert + device cert + device key):

mosquitto_pub \
  --tls-alpn mqtt \                  # ALPN value AWS IoT requires for MQTT on port 443
  --cafile AmazonRootCA1.pem \       # CA cert only; no client cert or key is presented
  -h ${IOT_ENDPOINT} \
  -p 443 \
  -t ${THE_TOPIC} \
  -m "{\"msg\": \"hello IoT!\"}" \
  -i ${CLIENT_ID} \
  -u USER_NAME?x-amz-customauthorizer-name=${AUTHORIZER_NAME} \   # authorizer selected via the username query string
  -P ${PASSWORD} \
  -d

 

 

The crucial part that I'm unable to do via Meraki Console is the equivalent of `--tls-alpn mqtt`.

 

A successful response looks like:

Client ${CLIENT_ID} sending CONNECT
Client ${CLIENT_ID} received CONNACK (0)
Client ${CLIENT_ID} sending PUBLISH (d0, q0, r0, m1, '${THE_TOPIC}', ... (20 bytes))
Client ${CLIENT_ID} sending DISCONNECT

 

I don't know how big a request that is, but hopefully it can be added as an option soon, if mTLS is not planned to be supported.

 

Links:

[0]: https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation

[1]: https://docs.aws.amazon.com/iot/latest/developerguide/custom-auth.html#custom-auth-mqtt

[2]: https://docs.aws.amazon.com/iot/latest/developerguide/protocols.html

[3]: https://aws.amazon.com/blogs/iot/mqtt-with-tls-client-authentication-on-port-443-why-it-is-useful-an...
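The post above shows the connection with `mosquitto_pub`. The following is an added example, not part of the original post, that reproduces the same exchange (TLS with ALPN `mqtt` on port 443, CA-only trust, the authorizer named in the MQTT username, then CONNECT / CONNACK / DISCONNECT) with only the Python standard library, so the MQTT packet builder and CONNACK parser can be exercised offline. The endpoint, client ID, authorizer name, user name and password are taken from environment variables and are assumptions; the MQTT 3.1.1 packet layout follows the public specification. It also checks that the server actually negotiated ALPN `mqtt`, which is the part the Meraki console cannot currently set.

```python
"""Minimal MQTT 3.1.1 CONNECT over TLS+ALPN to an AWS IoT custom authorizer.

Added example (not from the original post). Standard library only; the
network part runs only when IOT_ENDPOINT is set in the environment.
"""
import os
import socket
import ssl
import struct
from typing import Optional


def build_username(user_name: str, authorizer_name: str) -> str:
    """Same string mosquitto_pub sends with -u USER_NAME?x-amz-customauthorizer-name=..."""
    return f"{user_name}?x-amz-customauthorizer-name={authorizer_name}"


def _utf8_field(s: str) -> bytes:
    """MQTT UTF-8 string: 2-byte big-endian length followed by the bytes."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def _remaining_length(n: int) -> bytes:
    """MQTT variable-length integer (7 bits per byte, high bit = continuation)."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)


def build_connect(client_id: str, username: str, password: Optional[bytes],
                  keepalive: int = 60) -> bytes:
    """CONNECT packet with clean session, plus username/password flags when supplied."""
    flags = 0x02  # clean session
    if username:
        flags |= 0x80
    if password is not None:
        flags |= 0x40
    variable_header = (_utf8_field("MQTT") + bytes([0x04, flags])
                       + struct.pack("!H", keepalive))
    payload = _utf8_field(client_id)
    if username:
        payload += _utf8_field(username)
    if password is not None:
        payload += struct.pack("!H", len(password)) + password
    body = variable_header + payload
    return bytes([0x10]) + _remaining_length(len(body)) + body


def parse_connack(data: bytes) -> int:
    """Return the CONNACK return code (0 = connection accepted)."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError(f"not a CONNACK: {data.hex()}")
    return data[3]


def tls_context(ca_file: Optional[str]) -> ssl.SSLContext:
    """CA-only trust store (no client cert/key) and ALPN 'mqtt', like --tls-alpn mqtt."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_alpn_protocols(["mqtt"])
    return ctx


def connect_once(endpoint: str, client_id: str, username: str, password: bytes,
                 ca_file: Optional[str], port: int = 443, timeout: float = 10.0) -> int:
    """Open TLS, verify ALPN, send CONNECT, read CONNACK, send DISCONNECT; return the code."""
    ctx = tls_context(ca_file)
    with socket.create_connection((endpoint, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=endpoint) as tls:
            if tls.selected_alpn_protocol() != "mqtt":
                raise RuntimeError(f"server did not negotiate ALPN mqtt: "
                                   f"{tls.selected_alpn_protocol()!r}")
            tls.sendall(build_connect(client_id, username, password))
            rc = parse_connack(tls.recv(4))
            tls.sendall(b"\xe0\x00")  # DISCONNECT
            return rc


if __name__ == "__main__":
    # Assumed variable names; mirror the mosquitto_pub command in the post.
    endpoint = os.environ.get("IOT_ENDPOINT")
    if endpoint:
        rc = connect_once(
            endpoint,
            os.environ["CLIENT_ID"],
            build_username(os.environ.get("USER_NAME", "USER_NAME"),
                           os.environ["AUTHORIZER_NAME"]),
            os.environ["PASSWORD"].encode(),
            os.environ.get("CA_FILE", "AmazonRootCA1.pem"),
        )
        print("CONNACK return code:", rc)
```

A CONNACK code of 0 matches the `received CONNACK (0)` line in the post; if the authorizer rejects the credentials, AWS IoT typically closes the connection instead of answering, so a read error here points at the authorizer rather than at TLS. Because the password reaches the authorizer in the MQTT payload, it is only protected by the TLS session: do not put it on the command line on shared hosts, and keep the CA pin (`--cafile`) in place so the client cannot be redirected to a look-alike broker.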

Computeracer
Conversationalist

Hello @JohanMynhardt, were you able to make any further progress on getting such a solution to work with the AWS service?
