I have gone down the path of using an AWS IoT Custom Authorizer, and I'm 99% of the way there. The last thing I'm unable to do via the Meraki console is to specify an ALPN [0] value as required by AWS IoT Custom Authorizer protocols [1], [2], [3].

The following is an example command using `mosquitto_pub` to test that AWS IoT is reachable using only a CA cert and a Custom Authorizer (no mTLS authorization through CA cert + device cert + device key):

```bash
mosquitto_pub \
  --tls-alpn mqtt \
  --cafile AmazonRootCA1.pem \
  -h ${IOT_ENDPOINT} \
  -p 443 \
  -t ${THE_TOPIC} \
  -m "{\"msg\": \"hello IoT!\"}" \
  -i ${CLIENT_ID} \
  -u "USER_NAME?x-amz-customauthorizer-name=${AUTHORIZER_NAME}" \
  -P ${PASSWORD} \
  -d
```

The crucial part that I'm unable to do via the Meraki console is the equivalent of `--tls-alpn mqtt`. A successful response looks like:

```
Client ${CLIENT_ID} sending CONNECT
Client ${CLIENT_ID} received CONNACK (0)
Client ${CLIENT_ID} sending PUBLISH (d0, q0, r0, m1, '${THE_TOPIC}', ... (20 bytes))
Client ${CLIENT_ID} sending DISCONNECT
```

I don't know how big a request that is, but hopefully it can be added as an option soon, if mTLS is not planned to be supported.

Links:
[0]: https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation
[1]: https://docs.aws.amazon.com/iot/latest/developerguide/custom-auth.html#custom-auth-mqtt
[2]: https://docs.aws.amazon.com/iot/latest/developerguide/protocols.html
[3]: https://aws.amazon.com/blogs/iot/mqtt-with-tls-client-authentication-on-port-443-why-it-is-useful-and-how-it-works/
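The same handshake from a scripted client, as an added example that is not part of the original post: it reproduces the `mosquitto_pub` invocation above with paho-mqtt, so a device that (unlike the Meraki console) lets you control the TLS layer can be checked for the three things the custom authorizer path needs: ALPN `mqtt`, the Amazon root CA as the only trust anchor, and the authorizer selected through the username query string. It also verifies after the handshake that the server actually negotiated ALPN, which is the failure mode the post is hitting. The helper names, the environment variable names, and the use of paho-mqtt are assumptions made here; the placeholders match the ones in the post.

```python
"""Publish to AWS IoT Core through a custom authorizer on port 443 with ALPN.

Added example (not from the original post). Assumed: paho-mqtt as the client
library, the helper names below, and the environment variables used in main().
"""
import os
import ssl
import threading
from typing import Optional

# ALPN value AWS IoT expects for MQTT over TLS on port 443 (the post's --tls-alpn mqtt)
ALPN_MQTT = "mqtt"
AUTHORIZER_QUERY_KEY = "x-amz-customauthorizer-name"


def custom_auth_username(user_name: str, authorizer_name: str) -> str:
    """Build the username that routes the connection to a named custom authorizer.

    Equivalent to the post's -u "USER_NAME?x-amz-customauthorizer-name=${AUTHORIZER_NAME}".
    """
    return f"{user_name}?{AUTHORIZER_QUERY_KEY}={authorizer_name}"


def make_alpn_context(cafile: Optional[str]) -> ssl.SSLContext:
    """TLS context equivalent to `--cafile <ca> --tls-alpn mqtt`.

    create_default_context() already enforces CERT_REQUIRED and hostname checking;
    passing cafile makes the Amazon root CA the only trust anchor, as in the post.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_alpn_protocols([ALPN_MQTT])
    return ctx


def publish_via_custom_authorizer(endpoint: str, topic: str, payload: str,
                                  client_id: str, username: str, password: str,
                                  cafile: str) -> str:
    """Connect on 443 with ALPN, wait for CONNACK, publish once, disconnect.

    Returns the ALPN protocol the server selected (must be "mqtt").
    """
    # Third-party dependency; imported here so the pure helpers above need no extras.
    import paho.mqtt.client as mqtt

    connected = threading.Event()
    result = {}

    # paho 1.x passes (client, userdata, flags, rc); 2.x may add more args.
    def on_connect(_client, _userdata, _flags, rc, *_extra):
        result["rc"] = rc
        connected.set()

    client = mqtt.Client(client_id=client_id)
    client.on_connect = on_connect
    client.tls_set_context(make_alpn_context(cafile))
    client.username_pw_set(username, password)
    client.connect(endpoint, 443, keepalive=30)

    # Check the negotiated ALPN before relying on the session: without it AWS IoT
    # will not treat the port-443 connection as MQTT.
    negotiated = client.socket().selected_alpn_protocol()
    if negotiated != ALPN_MQTT:
        client.disconnect()
        raise RuntimeError(f"ALPN {ALPN_MQTT!r} not negotiated (server chose {negotiated!r})")

    client.loop_start()
    try:
        if not connected.wait(timeout=10):
            raise TimeoutError("no CONNACK received")
        if result["rc"] != 0:
            raise RuntimeError(f"CONNACK returned {result['rc']}; check the authorizer's response")
        info = client.publish(topic, payload, qos=0)
        info.wait_for_publish(timeout=10)
        client.disconnect()
    finally:
        client.loop_stop()
    return negotiated


def main() -> None:
    # Assumed environment variable names; they mirror the post's placeholders.
    alpn = publish_via_custom_authorizer(
        endpoint=os.environ["IOT_ENDPOINT"],
        topic=os.environ["THE_TOPIC"],
        payload='{"msg": "hello IoT!"}',
        client_id=os.environ["CLIENT_ID"],
        username=custom_auth_username("USER_NAME", os.environ["AUTHORIZER_NAME"]),
        password=os.environ["PASSWORD"],
        cafile=os.environ.get("CA_FILE", "AmazonRootCA1.pem"),
    )
    print(f"published; negotiated ALPN={alpn}")


if __name__ == "__main__":
    main()
```

Run it with the same variables the post's shell command uses (`IOT_ENDPOINT`, `THE_TOPIC`, `CLIENT_ID`, `AUTHORIZER_NAME`, `PASSWORD`). If the `selected_alpn_protocol()` check raises, the client reached the endpoint but the server did not accept ALPN `mqtt`, which is exactly the condition a client that cannot set ALPN will always be in.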