The AWS IoT FUSE client is a Java application that provides easy access to the AWS IoT service through Filesystem in Userspace (FUSE). It supports access to AWS IoT things, certificates,
policies, rules, shadow documents and MQTT pub/sub messages. Unlike the AWS CLI, the FUSE client exposes access through the UNIX filesystem interface, so users don't need to memorize
or type complex commands. For example, to list all of the things under an AWS account, you just type ls things
.
The AWS IoT FUSE client is a cross-platform application, built indirectly on libfuse through an intermediate JNA library, fuse-jna. It supports Linux, Macintosh, and, potentially, other UNIX systems that have FUSE support.
To use the FUSE client, you will need the following:
- A recent version of Linux or Mac OS X
- Java Runtime Environment (JRE) or Java Development Kit (JDK) 1.7 or later
- An AWS account
- libfuse (FUSE can be found in most Linux distributions. For Mac OS X, you can download it here)
You can either download the pre-built binary package here or check out the code from GitHub.
Extract the binary package to a local directory like the following:
$ tar -zxvf ~/Downloads/aws-iot-fuse-LATEST-binary.tar.gz
To build the FUSE client from the source, use the following commands:
$ git clone https://github.com/awslabs/aws-iot-fuse.git
$ cd aws-iot-fuse
$ mvn clean package
Binary packages will be created under the target
directory after the build.
To mount the FUSE filesystem, you will need an AWS Identity and Access Management (IAM) user, new or existing, who has access to the AWS IoT service. The IAM user must be attached with a policy that enables the user to access the AWS IoT service. You can attach a policy like the following to grant full access to the IAM user, or you can use a more restrictive policy. If you use a restrictive policy, the actions supported by the filesystem may be limited.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:*"
],
"Resource": "*"
}
]
}
After you extract the binary package, you will find the FUSE client, mount-iot-fuse
, under the scripts
directory.
You must set up the IAM user and attach the access policy before you execute the client script.
$ scripts/mount-iot-fuse -dest <mount-point> -region <aws-region> [-access-key-id <access-key-id>] [-secret-access-key <secret-access-key>] [-certificate <certificate-file>] [-private-key <private-key-file>] [-topic <topic>]...
-
-dest <mount-point>
The directory where the FUSE filesystem is mounted. You must have write permission to this directory. -
-region <aws-region>
The name of the AWS region (for example, us-east-1 or eu-west-1). -
-access-key-id <access-key-id>
and-secret-access-key <secret-access-key>
(optional) The IAM credentials used for connecting to the AWS IoT service. If not provided, the default IAM credentials (configured throughaws configure
) will be used. You can download the AWS CLI here. -
-certificate <certificate-file>
and-private-key <private-key-file>
(optional) The client certificate file used for connecting to the AWS IoT service through MQTT. If you do not provide a client certificate file and the filesystem needs to access through MQTT (for example, when-topic <topic>
is specified), a WebSocket-based MQTT connection will be established using the same IAM credentials provided through-access-key-id
and-secret-access-key
oraws configure
. -
-topic <topic>
The topic that the client will subscribe to. You can specify multiple topic arguments if you want to subscribe to multiple topics. There is a limit of 50 subscriptions per MQTT connection. Because the client uses a few subscriptions to support the shadow operations, the maximum number of topic arguments supported here will be less than 50.
The following is an example of mounting the FUSE filesystem to a local directory called iot-fs
in the us-east-1 region. The example uses the default IAM user credentials configured earlier through aws configure
.
$ mkdir ~/iot-fs
$ scripts/mount-iot-fuse -dest ~/iot-fs -region us-east-1 -topic my/topic
After the client script is running, a directory structure similar to the following will show up under the iot-fs
directory.
iot-fs
|---- certificates
| |---- b42f389d62d9f0a3e20b23bbb6f95959e2257aaf842ff59d60b76af0ee1d810d
| |---- arn
| |---- id
| |---- policies
| | |---- kitchen-light-Policy -> ../../../policies/kitchen-light-Policy
| |---- status
|---- endpoint
|---- policies
| |---- kitchen-light-Policy
| |---- arn
| |---- document
| |---- versions
| |---- 1
| |---- default -> 1
|---- rules
| |---- test_sqs
| |---- actions
| | |---- sqs
| | |---- queue-url
| | |---- role-arn
| | |---- use-base64
| |---- arn
| |---- rule-pattern
| |---- sql
| |---- status
|---- things
| |---- kitchen-light
| | |---- principals
| | | ----- b42f389d62d9f0a3e20b23bbb6f95959e2257aaf842ff59d60b76af0ee1d810d -> ../../../certificates/b42f389d62d9f0a3e20b23bbb6f95959e2257aaf842ff59d60b76af0ee1d810d
| | |---- state
| |---- thing2
| |---- principals
| |---- state
----- topics
|---- my_topic
|---- messages
|---- publish
The filesystem includes things, certificates, policies, and rules you have under your AWS account in the specified region. Each of these entities is a directory, under which there are subdirectories or files that contain more information. Under the topics directory, you will find a subdirectory called *** messages***, which contains all of the incoming messages to the corresponding topic. A lot of these directories and files support read, write, and delete; some even support symbolic links. For some common actions you can perform on the filesystem, see the Examples section.
To umount the filesystem, you can simply terminate the client by pressing Ctrl-C
in the
client terminal. Most of the time, the filesystem will be umounted automatically, but you can run the following command to force an unmount:
$ cd
(It's important to set your current directory to be outside the FUSE filesystem so you won't get resource busy error when you unmount)
$ sudo umount -f ~/iot-fs
You can list, create, and delete things like this:
$ cd things
$ ls
(list all the things)
$ mkdir my-first-thing
(create a thing named "my-first-thing")
$ rm -rf my-first-thing
(delete the thing named "my-first-thing")
You can list, create, and delete policies like this:
$ cd policies
$ ls
(list all the policies)
$ mkdir my-first-policy
(create a policy named "my-first-policy")
$ rm -rf my-first-policy
(delete the policy named "my-first-policy")
When a policy is created, it's not attached to any certificates. The default
policy document is an allow-all policy. You can edit the policy document by
editing the policy document file document
. For examples, see this section.
You can list, create, and delete certificates like this:
$ cd certificates
$ ls
(list all the certificates)
$ mkdir my-first-certificate
(create a certificate named "my-first-certificate")
$ rm -rf my-first-thing
(delete the certificate named "my-first-certificate")
For certificates created using the preceding mkdir
method, you can find the
X.509 certificate and the private and public keys under the certificate directory. They are persisted
in the client heap only, and will be lost if you unmount the filesystem. Make sure to copy them
to safe and permanent storage before you unmount the filesystem.
Although you use the name to reference the certificate in the FUSE filesystem, the name is not persisted on the AWS IoT service end. It cannot be used anywhere other than the mounted filesystem. The name will be lost after you unmount the filesystem, but the certificate and its linked policies and things won't be affected.
You can list, create, and delete rules like this:
$ cd rules
$ ls
(list all the rules)
$ mkdir my-first-rule
(create a rule named "my-first-rule")
$ rm -rf my-first-rule
(delete the rule named "my-first-rule")
By using symbolic links, you can attach policies to certificates and certificates to things.
$ cd iot/certificates/my-first-certificate/policies
$ ln -s ../../../my-first-policy .
(This attaches my-first-policy to my-first-certificate, and now the certificate has the permissions granted by the policy)
$ cd iot/things/my-first-thing/principals
$ ln -s ../../../my-first-certificate .
(This attaches my-first-certificate to my-first-thing, and now the thing has the permissions granted by my-first-policy)
Similarly, you can remove these relationships just by removing the symbolic links:
$ cd iot/certificates/my-first-certificate/policies
$ rm my-first-policy
(This detaches my-first-policy from my-first-certificate)
$ cd iot/things/my-first-thing/principals
$ rm my-first-certificate
(This detaches my-first-certificate from my-first-thing)
The topics you specified on the command line when you mounted the filesystem are under the topics
directory. Forward slashes (/)
in the topics are replaced with underscores (_) so they won't be misinterpreted as directory separators.
Incoming messages for the topic are under the messages
subdirectory. The file creation timestamp is set to the time the message
is received. The messages are stored in the heap of the FUSE application, so when the filesystem is unmounted, those
messages will be lost.
To publish a message to the topic, you can write to the publish
file under the same directory. All writes to
that file will be buffered in memory. They are published in one message only when close(2)
is called. For that reason, the
maximum file size of publish
is 128,000 bytes, the maximium message size supported. Messages published
through the publish
file will also show up in the messages
subdirectory because the client subscribes to the same topic.
$ cd iot/topics/my_topic
$ echo "my first message\n\n hello world" > publish
(This publishes a multi-line messages)
$ cat /tmp/my-photo.jpg > publish
(This publishes a binary message. Remember the 128k bytes limit.)
$ ls -ltr messages
(List received messages in reversed time order - last received at the bottom)
$ grep "ERROR" messages
(Grep the mssages to find ones containing text "ERROR")
$ cat messages/<message-uuid>
(Print message content)
$ rm messages/*
(Remove all the messages to reduce the application's memory usage).
For each thing under the things
directory, there's a file named state
. You can use this file
to create or update the shadow document. Update document request is sent only when close(2)
is called on
the file descriptor. Keep in mind that the total size limit of the shadow document is 4,000 bytes.
The shadow document returned by reading the state
file contains data and metadata of the document in JSON format.
When updating the shadow document (the state
file), make sure the entire file is properly formatted
in JSON. Otherwise, you may receive an I/O error when you try to update the file.
$ cd iot/things/my_first_things
$ cat state
(This prints the thing's shadow document)
$ echo '{"state":{"desired":{"switch_state":"on"},"reported":{"switch_state":"on"}}}' > state
(This updates the thing's shadow document)
Here are some other ways you can use the FUSE filesystem.
- Print the endpoint
$ cd ~/iot-fs
$ cat endpoint
- Update the policy document
$ cd ~/iot-fs/policies/my-first-policy
$ echo "{"Version":"2012-10-17","Statement":[{"Action":["iot:*"],"Resource":["*"],"Effect":"Deny"}]}" > document
(a new policy document verion will be created under the directory versions)
$ cd versions
$ ln -sf 2 default
(Make version 2 of the document as the default version)
- Update the rule SQL
$ cd ~/iot-fs/rules/my-first-rule
$ echo "SELECT * FROM 'sdkTest/sub'" > sql
- If I create or delete things, rules, or certificates and so on, will they show up in the FUSE filesystem after it has been mounted?
Yes, they will show up after a preconfigured delay, generally one or two minutes. The FUSE filesystem will periodically refresh its local copies so it won't become too out-of-sync with the entites in the AWS IoT service.
- Can other users on the same machine see my data under the FUSE filesystem?
No, access to the mounted FUSE filesystem is restricted to the user who mounted it. No one, including
root
, will be able to access the directories and files under the FUSE filesystem.
- How do I increase the maximum heap size of the application?
You can specify extra JVM arguments through environment variable JVM_ARGS
like so,
$ export JVM_ARGS='-Xms=128M -Xmx=128M'
$ scripts/mount-iot-fuse ...
This SDK is distributed under the Apache License, Version 2.0. For more information, see LICENSE.txt and NOTICE.txt.
If you have technical questions about the AWS IoT Device SDK, use the AWS IoT Forum. For any other questions about AWS IoT, contact AWS Support.