Enhanced Security with MQTT Client Credentials Feature on HiveMQ Cloud
Written by Shashank Sharma
Category: HiveMQ Cloud MQTT
Published: March 16, 2023
Security is often essential to the success of IoT projects. Protecting your MQTT broker from unauthorized access and potential security breaches is crucial. One way to fortify the security level of your MQTT client connections is to control access by defining permissions to your MQTT broker.
HiveMQ Cloud recently released MQTT credentials with permissions for its Free and PAYG tiers. This new feature provides an added layer of security for MQTT clients. In this blog post, we’ll discuss MQTT credentials, why you need them, and how to use them with HiveMQ Cloud.
MQTT credentials are authorization values (username and password) used to identify and authorize MQTT clients. They are sent to the MQTT broker during the connection process and are used to determine the client’s access rights.
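What "sent to the MQTT broker during the connection process" looks like on the wire, as an added example (not HiveMQ code): in MQTT 3.1.1 the username and password travel as length-prefixed fields of the CONNECT packet with no encryption at the MQTT layer, so only TLS on the connection keeps them confidential. The client ID and credential values are constructed; only MQTT 3.1.1 packets are handled.

```python
import struct

def _field(data: bytes) -> bytes:
    return struct.pack("!H", len(data)) + data  # 2-byte big-endian length, then bytes

def _remaining_length(n: int) -> bytes:
    # MQTT variable-length integer: 7 bits per byte, high bit set = more bytes follow
    out = bytearray()
    while n > 127:
        out.append(n % 128 | 0x80)
        n //= 128
    return bytes(out) + bytes([n])

def build_connect(client_id: str, username: str, password: str, keepalive: int = 60) -> bytes:
    """Encode an MQTT 3.1.1 CONNECT packet carrying a username and password."""
    flags = 0x80 | 0x40 | 0x02  # username present, password present, clean session
    body = _field(b"MQTT") + bytes([0x04, flags]) + struct.pack("!H", keepalive)
    body += _field(client_id.encode()) + _field(username.encode()) + _field(password.encode())
    return b"\x10" + _remaining_length(len(body)) + body

def parse_connect(packet: bytes) -> dict:
    """Decode an MQTT 3.1.1 CONNECT packet and return the credentials inside it."""
    if packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    pos, length, shift = 1, 0, 0
    while True:  # decode the remaining-length field
        length |= (packet[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
        if not packet[pos - 1] & 0x80:
            break
    if len(packet) - pos != length:
        raise ValueError("length field does not match packet size")
    def take() -> bytes:  # read one length-prefixed field and advance
        nonlocal pos
        (n,) = struct.unpack_from("!H", packet, pos)
        pos += 2 + n
        return packet[pos - n:pos]
    if take() != b"MQTT" or packet[pos] != 0x04:
        raise ValueError("only MQTT 3.1.1 is handled here")
    flags, pos = packet[pos + 1], pos + 4  # skip level, flags, 2-byte keep-alive
    client_id = take().decode()
    if flags & 0x04:  # a will topic and will message precede the credentials
        take(), take()
    username = take().decode() if flags & 0x80 else None
    password = take() if flags & 0x40 else None  # binary field, sent as-is
    return {"client_id": client_id, "username": username, "password": password}

# Constructed sample values, not real credentials
SAMPLE = build_connect("temp-sensor-01", "sensor-user", "Constructed-Pass1")
```

`parse_connect(SAMPLE)` recovers the username and password directly from the packet bytes, which is exactly what an observer of an unencrypted connection would see.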
Why Do You Need Credentials?
MQTT credentials are essential for securing MQTT client connections. Without them, anyone could connect to your MQTT broker and publish or subscribe to any topic they wanted. With credentials, you can control which clients can access your broker and what they can do once they are connected.
In the initial release for the Free and PAYG tiers, HiveMQ Cloud created three predefined roles for MQTT credentials:
- Publish only: The client can only publish messages.
- Subscribe only: The client can only subscribe to topics.
- Publish and Subscribe: The client can publish messages and subscribe to topics.
Access these MQTT credentials in the “Access Management” tab of your HiveMQ Cloud UI.
To set up credentials for your IoT devices, simply define a username and password and assign specific permissions to those credentials. By default, all available credentials are assigned the publish and subscribe role. The assigned role is displayed in the HiveMQ Cloud portal UI next to the username/password.
If you want to change the role assigned to a credential pair, you can do so during creation. To update the role assigned to a credential, delete the existing credential pair and create a new one. To apply the new role to your clients, reconnect them after creating credentials with an updated role.
Giving your clients specific permissions gives you command over your data flow. Let us discuss a simple use case where client permissions are helpful.
In our example, a temperature sensor collects outside temperature measurements every minute and publishes them to the broker. This sensor has publish-only permission to the cloud broker.
Another device, a workstation, aggregates this data and publishes an hourly average temperature along with the date and hour of the recorded data. This workstation has both publish and subscribe permissions.
A third device, a dedicated dashboard, subscribes only to the hourly average temperature and plots it as a graph. The dashboard has subscribe-only permission, as it needs only to read the data.
All three devices have different permissions, which helps ensure control over the flow of information. In the real world, different client permissions help prevent unwanted access to your IoT project by outside third parties.
Get Started with HiveMQ Cloud MQTT Credentials
In conclusion, MQTT Credentials are an essential feature of HiveMQ Cloud that allows you to control access to your MQTT broker, increasing security. By assigning roles to credentials, you can control what clients can and cannot do once they are connected. With HiveMQ Cloud’s easy-to-use portal UI, managing MQTT Credentials in the Free and PAYG tier has never been easier.
Now that you know about the Client Credentials, are you ready to enhance your IoT Project security?