awsiot.mqtt_connection_builder

Builder functions to create a awscrt.mqtt.Connection, configured for use with AWS IoT Core. The following keyword arguments are common to all builder functions:

Required Keyword Arguments:

endpoint (str): Host name of AWS IoT server.

client_id (str): ID to place in CONNECT packet. Must be unique across all devices/clients.

If an ID is already in use, the other client will be disconnected.

Optional Keyword Arguments (omit, or set None to get default value):

client_bootstrap (awscrt.io.ClientBootstrap): Client bootstrap used to establish connection.

The ClientBootstrap will default to the static default (Io.ClientBootstrap.get_or_create_static_default) if the argument is omitted or set to ‘None’.

on_connection_interrupted (Callable): Callback invoked whenever the MQTT connection is lost.

The MQTT client will automatically attempt to reconnect. The function should take the following arguments return nothing:

on_connection_resumed (Callable): Callback invoked whenever the MQTT connection

is automatically resumed. Function should take the following arguments and return nothing:

  • connection (awscrt.mqtt.Connection): This MQTT Connection

  • return_code (awscrt.mqtt.ConnectReturnCode): Connect return code received from the server.

  • session_present (bool): True if resuming existing session. False if new session. Note that the server has forgotten all previous subscriptions if this is False. Subscriptions can be re-established via resubscribe_existing_topics().

  • **kwargs (dict): Forward-compatibility kwargs.

on_connection_success (Callable): Optional callback invoked whenever the connection successfully connects.

The function should take the following arguments and return nothing:

on_connection_failure (Callable): Optional callback invoked whenever the connection fails to connect.

The function should take the following arguments and return nothing:

on_connection_closed (Callable): Optional callback invoked whenever the connection has been disconnected and shutdown successfully.

The function should take the following arguments and return nothing:

clean_session (bool): Whether or not to start a clean session with each reconnect.

If True, the server will forget all subscriptions with each reconnect. Set False to request that the server resume an existing session or start a new session that may be resumed after a connection loss. The session_present bool in the connection callback informs whether an existing session was successfully resumed. If an existing session is resumed, the server remembers previous subscriptions and sends mesages (with QoS1 or higher) that were published while the client was offline.

reconnect_min_timeout_secs (int): Minimum time to wait between reconnect attempts.

Must be <= reconnect_max_timeout_secs. Wait starts at min and doubles with each attempt until max is reached.

reconnect_max_timeout_secs (int): Maximum time to wait between reconnect attempts.

Must be >= reconnect_min_timeout_secs. Wait starts at min and doubles with each attempt until max is reached.

keep_alive_secs (int): The keep alive value, in seconds, to send in CONNECT packet.

A PING will automatically be sent at this interval. The server will assume the connection is lost if no PING is received after 1.5X this value. Default is 1200sec (20 minutes). This duration must be longer than ping_timeout_ms.

ping_timeout_ms (int): Milliseconds to wait for ping response before client assumes

the connection is invalid and attempts to reconnect. Default is 3000ms (3 seconds). This duration must be shorter than keep_alive_secs.

protocol_operation_timeout_ms (int): Milliseconds to wait for the response to the operation

requires response by protocol. Set to zero to disable timeout. Otherwise, the operation will fail if no response is received within this amount of time after the packet is written to the socket It applied to PUBLISH (QoS>0) and UNSUBSCRIBE now.

will (awscrt.mqtt.Will): Will to send with CONNECT packet. The will is

published by the server when its connection to the client is unexpectedly lost.

username (str): Username to connect with.

password (str): Password to connect with.

port (int): Override default server port.

Default port is 443 if system supports ALPN or websockets are being used. Otherwise, default port is 8883.

tcp_connect_timeout_ms (int): Milliseconds to wait for TCP connect response. Default is 5000ms (5 seconds).

ca_filepath (str): Override default trust store with CA certificates from this PEM formatted file.

ca_dirpath (str): Override default trust store with CA certificates loaded from this directory (Unix only).

ca_bytes (bytes): Override default trust store with CA certificates from these PEM formatted bytes.

enable_metrics_collection (bool): Whether to send the SDK version number in the CONNECT packet.

Default is True.

http_proxy_options (:class: ‘awscrt.http.HttpProxyOptions’): HTTP proxy options to use

awsiot.mqtt_connection_builder.mtls_from_path(cert_filepath, pri_key_filepath, **kwargs)

This builder creates an awscrt.mqtt.Connection, configured for an mTLS MQTT connection to AWS IoT. TLS arguments are passed as filepaths.

This function takes all common arguments described at the top of this doc, as well as…

Keyword Arguments:

  • cert_filepath (str) – Path to certificate file.

  • pri_key_filepath (str) – Path to private key file.

Return type:

Connection

awsiot.mqtt_connection_builder.mtls_from_bytes(cert_bytes, pri_key_bytes, **kwargs)

This builder creates an awscrt.mqtt.Connection, configured for an mTLS MQTT connection to AWS IoT. TLS arguments are passed as in-memory bytes.

This function takes all common arguments described at the top of this doc, as well as…

Keyword Arguments:

  • cert_bytes (bytes) – Certificate file bytes.

  • pri_key_bytes (bytes) – Private key bytes.

Return type:

Connection

awsiot.mqtt_connection_builder.mtls_with_pkcs11(*, pkcs11_lib, user_pin, slot_id=None, token_label=None, private_key_label=None, cert_filepath=None, cert_bytes=None, **kwargs)

This builder creates an awscrt.mqtt.Connection, configured for an mTLS MQTT connection to AWS IoT, using a PKCS#11 library for private key operations.

NOTE: Unix only

This function takes all common arguments described at the top of this doc, as well as…

Parameters:

  • pkcs11_lib (Pkcs11Lib) – Use this PKCS#11 library

  • user_pin (str) – User PIN, for logging into the PKCS#11 token. Pass None to log into a token with a “protected authentication path”.

  • slot_id (int | None) – ID of slot containing PKCS#11 token. If not specified, the token will be chosen based on other criteria (such as token label).

  • token_label (str | None) – Label of the PKCS#11 token to use. If not specified, the token will be chosen based on other criteria (such as slot ID).

  • private_key_label (str | None) – Label of private key object on PKCS#11 token. If not specified, the key will be chosen based on other criteria (such as being the only available private key on the token).

  • cert_filepath (str | None) – Use this X.509 certificate (file on disk). The certificate must be PEM-formatted. The certificate may be specified by other means instead (ex: cert_bytes)

  • cert_bytes (Optional[Union[str, bytes, bytearray]]) – Use this X.509 certificate (contents in memory). The certificate must be PEM-formatted. The certificate may be specified by other means instead (ex: cert_filepath)

Return type:

Connection

awsiot.mqtt_connection_builder.mtls_with_pkcs12(*, pkcs12_filepath, pkcs12_password, **kwargs)

This builder creates an awscrt.mqtt.Connection, configured for an mTLS MQTT connection to AWS IoT, using a PKCS#12 certificate.

NOTE: MacOS only

This function takes all common arguments described at the top of this doc, as well as…

Parameters:

  • pkcs12_filepath (str) – Path to the PKCS12 file to use

  • pkcs12_password (str) – The password for the PKCS12 file.

Return type:

Connection

awsiot.mqtt_connection_builder.mtls_with_windows_cert_store_path(*, cert_store_path, **kwargs)

This builder creates an awscrt.mqtt.Connection, configured for an mTLS MQTT connection to AWS IoT, using a client certificate in a Windows certificate store.

NOTE: Windows only

This function takes all common arguments described at the top of this doc, as well as…

Parameters:

cert_store_path (str) – Path to certificate in a Windows certificate store. The path must use backslashes and end with the certificate’s thumbprint. Example: CurrentUser\MY\A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6

Return type:

Connection

awsiot.mqtt_connection_builder.websockets_with_default_aws_signing(region, credentials_provider, websocket_proxy_options=None, **kwargs)

This builder creates an awscrt.mqtt.Connection, configured for an MQTT connection over websockets to AWS IoT. The websocket handshake is signed using credentials from the credentials_provider.

This function takes all common arguments described at the top of this doc, as well as…

Keyword Arguments:
Return type:

Connection

awsiot.mqtt_connection_builder.websockets_with_custom_handshake(websocket_handshake_transform, websocket_proxy_options=None, **kwargs)

This builder creates an awscrt.mqtt.Connection, configured for an MQTT connection over websockets, with a custom function to transform the websocket handshake request before it is sent to the server.

This function takes all common arguments described at the top of this doc, as well as…

Keyword Arguments:

  • websocket_handshake_transform (Callable) –

    Function to transform websocket handshake request. If provided, function is called each time a websocket connection is attempted. The function may modify the HTTP request before it is sent to the server. See awscrt.mqtt.WebsocketHandshakeTransformArgs for more info. Function should take the following arguments and return nothing:

  • websocket_proxy_options (awscrt.http.HttpProxyOptions) – Deprecated, for proxy settings use http_proxy_options (described in common arguments)

Return type:

Connection

awsiot.mqtt_connection_builder.direct_with_custom_authorizer(auth_username=None, auth_authorizer_name=None, auth_authorizer_signature=None, auth_password=None, auth_token_key_name=None, auth_token_value=None, **kwargs)

This builder creates an awscrt.mqtt.Connection, configured for an MQTT connection using a custom authorizer using a direct MQTT connection. This function will set the username, port, and TLS options.

This function takes all common arguments described at the top of this doc, as well as…

Keyword Arguments:

  • auth_username (str) – The username to use with the custom authorizer. If provided, the username given will be passed when connecting to the custom authorizer. If not provided, it will check to see if a username has already been set (via username=”example”) and will use that instead. Custom authentication parameters will be appended as appropriate to any supplied username value.

  • auth_password (str) – The password to use with the custom authorizer. If not provided, then no password will be sent in the initial CONNECT packet.

  • auth_authorizer_name (str) – Name of the custom authorizer to use. Required if the endpoint does not have a default custom authorizer associated with it. It is strongly suggested to URL-encode this value; the SDK will not do so for you.

  • auth_authorizer_signature (str) – The digital signature of the token value in the auth_token_value parameter. The signature must be based on the private key associated with the custom authorizer. The signature must be base64 encoded. Required if the custom authorizer has signing enabled.

  • auth_token_key_name (str) – Key used to extract the custom authorizer token from MQTT username query-string properties. Required if the custom authorizer has signing enabled. It is strongly suggested to URL-encode this value; the SDK will not do so for you.

  • auth_token_value (str) – An opaque token value. This value must be signed by the private key associated with the custom authorizer and the result passed in via the auth_authorizer_signature parameter. Required if the custom authorizer has signing enabled.

Return type:

Connection

awsiot.mqtt_connection_builder.websockets_with_custom_authorizer(region=None, credentials_provider=None, auth_username=None, auth_authorizer_name=None, auth_authorizer_signature=None, auth_password=None, auth_token_key_name=None, auth_token_value=None, **kwargs)

This builder creates an awscrt.mqtt.Connection, configured for an MQTT connection using a custom authorizer using websockets. This function will set the username, port, and TLS options.

This function takes all common arguments described at the top of this doc, as well as…

Keyword Arguments:

  • region (str) – AWS region to use when signing.

  • credentials_provider (awscrt.auth.AwsCredentialsProvider) – Source of AWS credentials to use when signing.

  • auth_username (str) – The username to use with the custom authorizer. If provided, the username given will be passed when connecting to the custom authorizer. If not provided, it will check to see if a username has already been set (via username=”example”) and will use that instead. Custom authentication parameters will be appended as appropriate to any supplied username value.

  • auth_password (str) – The password to use with the custom authorizer. If not provided, then no password will be sent in the initial CONNECT packet.

  • auth_authorizer_name (str) – Name of the custom authorizer to use. Required if the endpoint does not have a default custom authorizer associated with it. It is strongly suggested to URL-encode this value; the SDK will not do so for you.

  • auth_authorizer_signature (str) – The digital signature of the token value in the auth_token_value parameter. The signature must be based on the private key associated with the custom authorizer. The signature must be base64 encoded. Required if the custom authorizer has signing enabled.

  • auth_token_key_name (str) – Key used to extract the custom authorizer token from MQTT username query-string properties. Required if the custom authorizer has signing enabled. It is strongly suggested to URL-encode this value; the SDK will not do so for you.

  • auth_token_value (str) – An opaque token value. This value must be signed by the private key associated with the custom authorizer and the result passed in via the auth_authorizer_signature parameter. Required if the custom authorizer has signing enabled.

Return type:

Connection

awsiot.mqtt_connection_builder.new_default_builder(**kwargs)

This builder creates an awscrt.mqtt.Connection, without any configuration besides the default TLS context options.

This requires setting the connection details manually by passing all the necessary data in common arguments to make a connection.

Return type:

Connection