PKCS #12 Connect Sample

March 28, 2025 · View on GitHub


This sample demonstrates how to establish an MQTT connection with the AWS IoT Core message broker using a PKCS #12 file that bundles the device certificate and its private key for mutual TLS (mTLS) authentication.

Before Running the Sample

Setup an AWS Account:

If you don't have an AWS account, complete these steps to create one. Your account provides the account-specific AWS IoT Core endpoint that the sample connects to.

Understand IoT:

The What is AWS IoT developer guide will help you understand IoT.

Required Arguments:

  • endpoint - Your account-specific AWS IoT Core endpoint
  • pkcs12-path - Path to the PKCS #12 file holding the device certificate and private key
  • pkcs12-password - Password that protects the PKCS #12 file

Optional Arguments:

  • client-id - MQTT5 client ID to use. If not provided, a client ID starting with "test-" is used.

Build the sample

# The sample should be built from the sample's folder
cd aws-iot-device-sdk-swift/Samples/Mqtt5ConnectionSamples/Pkcs12Connect

# build the sample
swift build

Run the sample

swift run Pkcs12Connect \
    --endpoint <endpoint> \
    --pkcs12-path <pkcs12-path> \
    --pkcs12-password <pkcs12-password>
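The sample expects an existing PKCS #12 file but does not show how to produce or check one. The script below is an added example, not part of the AWS IoT Device SDK for Swift or this sample: it exports a certificate and private key into a password-protected PKCS #12 bundle with OpenSSL, confirms the bundle opens with the intended password and fails with a wrong one, and counts the certificates it carries. It assumes `openssl` is on PATH. In real use the PEM inputs are the certificate and private key downloaded when the thing was registered in AWS IoT Core; here a self-signed pair is generated as a constructed stand-in so the script runs offline.

```shell
#!/bin/sh
# Added example (not the sample's own code): build and check a PKCS #12 bundle
# for the Pkcs12Connect sample. Assumes openssl 1.1 or 3.x is on PATH.
set -eu

WORK=$(mktemp -d)
CERT_PEM="$WORK/device.pem.crt"      # in real use: the AWS-issued device certificate
KEY_PEM="$WORK/device.private.key"   # in real use: the matching private key
P12="$WORK/device.p12"

# Constructed stand-in for the AWS-issued device certificate (self-signed, 1 day).
gen_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-thing" \
    -keyout "$KEY_PEM" -out "$CERT_PEM" >/dev/null 2>&1
}

# Export certificate + key into a password-protected PKCS #12 bundle.
# $1 = output path, $2 = password. The password is passed through an environment
# variable (-passout env:) rather than inline, so it does not land in shell
# history; it is still visible to `ps` while openssl runs, and again when the
# sample receives it via --pkcs12-password.
make_p12() {
  P12_PASS="$2" openssl pkcs12 -export -in "$CERT_PEM" -inkey "$KEY_PEM" \
    -name "aws-iot-device" -out "$1" -passout env:P12_PASS
  chmod 600 "$1"   # the bundle contains the private key
}

# Print "ok" if the bundle's MAC verifies and it decrypts with the given
# password, "fail" otherwise. -info -noout parses everything without writing
# the key back out to disk.
verify_p12() {
  if P12_PASS="$2" openssl pkcs12 -in "$1" -info -noout -passin env:P12_PASS >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Count the certificates in the bundle; one (the device certificate) is expected.
cert_count() {
  P12_PASS="$2" openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

gen_demo_cert
make_p12 "$P12" "correct horse"
verify_p12 "$P12" "correct horse"   # ok
verify_p12 "$P12" "wrong"           # fail
cert_count "$P12" "correct horse"   # 1

# Hand the bundle to the sample once it holds the real AWS-issued certificate
# (replace <endpoint> with your account-specific endpoint):
# swift run Pkcs12Connect --endpoint <endpoint> --pkcs12-path "$P12" --pkcs12-password "correct horse"
```

A bundle that passes `verify_p12` but whose certificate is not the one registered and activated for the thing in AWS IoT Core will still be rejected at the TLS handshake, so check the certificate printed by `openssl pkcs12 -nokeys` against the one shown in the console. OpenSSL 3 exports with AES-256-CBC and PBKDF2 by default; if the platform's PKCS #12 importer rejects that encoding, re-export with OpenSSL's `-legacy` option, which falls back to the older 3DES/RC2-based algorithms.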

Troubleshooting

Enable logging in samples

To enable logging in the samples, add the following line after initializing IotDeviceSdk. The supported log levels are trace, debug, info, warn, error, fatal, and none.

// The IoT Device SDK must be initialized before it is used.
IotDeviceSdk.initialize()

// This turns on SDK and underlying CRT logging to assist in troubleshooting.
try Logger.initialize(target: .standardOutput, level: .debug)

I'm getting error code 5134: AWS_ERROR_MQTT_UNEXPECTED_HANGUP

This error usually means the broker closed the connection because the AWS IoT policy attached to your device certificate does not grant the privileges this sample needs. The policy must allow the sample to connect. The following sample policy, attached to the certificate of your AWS IoT Core thing, allows this sample to run as intended.

For the purposes of this sample, make sure your policy allows a client ID matching test-* to connect, or pass --client-id <client ID here> to use a client ID that your policy supports.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:<region>:<account>:client/test-*"
      ]
    }
  ]
}

Replace the following with the data from your AWS account:

  • <region>: The AWS Region where you created the AWS IoT Core thing you wish to use with this sample. For example, us-east-1. For more information, see AWS IoT Core endpoints.
  • <account>: Your AWS account ID. For more information, see View AWS account identifiers

Note: In a real application, avoid wildcards in your policy or use them selectively. For example, AWS IoT policy variables let you restrict iot:Connect to the resource arn:aws:iot:<region>:<account>:client/${iot:Connection.Thing.ThingName}, so a device can only connect with a client ID equal to its own thing name. Follow best practices when using the SDK to work with AWS on production applications.

If you encounter a "s2n Permission Denied" error, it's likely because you're attempting to use an unsupported platform. s2n-tls is a Unix-specific library.

The AWS IoT Device SDK for Swift supports the following platforms:

  • macOS
  • iOS
  • tvOS
  • Linux

Other Resources

Check out our resources to learn more: