Controlled publish period


Hi there,

I’m trying to connect to the Amazon AWS platform with my ESP32 devkitC. So what I did was create a “thing” in the AWS console (not within the command line interface), created the policy as shown in the instruction video, generated the certificates, linked and activated them, and renamed them to private.pem.key and certificate.pem.crt. I also entered the right cert_arn, endpoint, mqttid, policy_name and thingname in thing.conf.json.

But my thing (DevkitC ESP32) isn’t able to establish a connection to the AWS cloud… all I see in the serial console is: “connecting to mqtt broker…”, no messages are being published.

What can be wrong?

Thing.mqtt.connect() is generating exception - IOError at line 393 of mqtt.mqtt.connect

Do I need to do something with CA certificates? Not necessary right?

If I create the certificates via the CLI I get the same result as described before. I followed these instructions:

Please help


Hi Marcel,

the CA is automatically handled by the library. What policy are you using? Is it attached to your certificate?


Hi LorenzoR,

I’m using this policy:

  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Action": [
      "Resource": [

The policy is attached to the certificate, and the thing is attached to the certificate as well.


I followed all of the steps described here:

  • Installed AWS cli
  • configured AWS cli, also with IAM user
  • I’m able to add-things
  • created a policy as described above
  • attached the policy and thing to the certificate
  • filled in the endpoint and all information needed in thing.conf.json
  • entered my Wi-Fi settings

I don’t understand why it doesn’t work.


Hello Marcel,

it’s really strange, we currently use the ESP32 connected to AWS in several projects running with the latest VM updates.

One thing that I would try is to connect with that configuration (endpoint, certificate, private key) using a desktop client or a desktop Python script, to get a working starting point and be sure of the prepared configuration.

Let me know


Hi, thanks for your support!

Please have a look at my MQTT-SPY:

This just works fine?

With “with the latest VM updates” you mean “patch 01”?


Hi Marcel,

could you try to use the legacy certificate as CA certificate file? This is the default one used by the Zerynth AWS IoT library, it has always worked for us, but maybe it is not valid for some endpoints.

If this CA does not work with MQTT-SPY you could try to pass AmazonRootCA1.pem to the Zerynth AWS IoT MQTT Client like this:

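amazon_root_ca1 = '''-----BEGIN CERTIFICATE-----
... (contents of AmazonRootCA1.pem) ...
-----END CERTIFICATE-----'''

# ...
# Pass the CA explicitly instead of relying on the library's default CA
thing = iot.Thing(thing_conf['endpoint'], thing_conf['mqttid'], clicert, pkey, thingname=thing_conf['thingname'], cacert=amazon_root_ca1)
# ...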

Yes, I mean r2.1.2p01



The legacy certificate as in your first proposal works! Thanks for sorting this out.



One additional question: is it also possible to subscribe to a topic instead of only publishing messages?


Hi @Marcel,

of course it is possible to subscribe to topics.
The thing.mqtt variable represents a full mqtt client, take a look at our doc for available methods.
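
Subscribing also depends on the policy attached to the certificate: AWS IoT needs iot:Subscribe and iot:Receive in addition to iot:Connect and iot:Publish. The following is an added example, not part of the thread or of the Zerynth library; it checks a policy document for those actions and flags ones granted on the catch-all resource "*". The sample policy, region, account ID and client name are constructed.

```python
import fnmatch
import json

# Actions a device needs: iot:Connect to open the MQTT session, iot:Publish to
# send, and both iot:Subscribe and iot:Receive to get messages from a topic.
NEEDED = ("iot:Connect", "iot:Publish", "iot:Subscribe", "iot:Receive")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_actions(policy):
    """Map each needed action to the resources that Allow statements grant it on.
    Explicit Deny statements are not evaluated here."""
    granted = {action: [] for action in NEEDED}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in NEEDED:
                # Action patterns such as "iot:*" use * as a wildcard.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted[action] += _as_list(stmt.get("Resource", []))
    return granted

def review(policy):
    """Return (missing actions, actions granted on the catch-all resource "*")."""
    granted = allowed_actions(policy)
    missing = [a for a in NEEDED if not granted[a]]
    too_broad = [a for a in NEEDED if "*" in granted[a]]
    return missing, too_broad

# Constructed sample: can connect and publish, but cannot subscribe.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"],
     "Resource": ["arn:aws:iot:eu-west-1:123456789012:client/my-esp32"]},
    {"Effect": "Allow", "Action": ["iot:Publish"], "Resource": ["*"]}
  ]
}
""")

if __name__ == "__main__":
    missing, too_broad = review(SAMPLE_POLICY)
    print("missing:", missing)
    print("granted on '*':", too_broad)
```
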