This guide explains how to connect a RAK gateway to AWS IoT Core using Basics™ Station with LNS for secure TLS-based LoRaWAN® data communication.
Prerequisites
Before you begin, make sure you have the following:
- An active AWS IoT Core account with sufficient permissions to manage IoT Wireless resources.
- Gateway EUI:
  - Printed on the gateway label (marked as GWEUI)
  - Or, available under Dashboard > Overview in the gateway Web UI
- Stable Internet connection on the gateway (Ethernet, Wi-Fi, or cellular).
Set Up Roles and Policies in IAM
Before you can connect your RAK gateway to AWS IoT Core, you must first set up the required IAM roles and policies.
These roles enable AWS services to:
- Provision and manage gateway credentials through the Configuration and Update Server (CUPS)
- Forward device data to AWS IoT services via defined Destinations
The examples in this document are intended only for development environments. All devices in your fleet must have credentials with privileges that authorize only intended actions on specific resources.
The specific permission policies can vary for your use case. Identify the permission policies that best meet your business and security requirements. For more information, refer to Example Policies and Security Best Practices.
Add an IAM Role for CUPS Server
To allow AWS IoT Core for LoRaWAN to securely manage gateway certificates, you must assign an IAM role and policy that authorizes the Configuration and Update Server (CUPS) to:
- Create and register gateway certificates
- Manage gateway credentials automatically
This setup is required to enable gateways to authenticate and connect successfully with AWS IoT Core for LoRaWAN.
Follow the official instructions: Add an IAM role to allow the Configuration and Update Server (CUPS) to manage gateway credentials.
In some AWS accounts or regions, the managed policy AWSIoTWirelessGatewayCertManager may not appear by default.
If it is not available, go to the IAM Policies page, manually create a policy with the following definition, and name it exactly AWSIoTWirelessGatewayCertManager:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IoTWirelessGatewayCertManager",
      "Effect": "Allow",
      "Action": [
        "iot:CreateKeysAndCertificate",
        "iot:DescribeCertificate",
        "iot:ListCertificates",
        "iot:RegisterCertificate"
      ],
      "Resource": "*"
    }
  ]
}
```
Add an IAM Role for Destination to AWS IoT Core for LoRaWAN
To allow AWS IoT Core for LoRaWAN to forward device data to AWS services (via Destinations, such as IoT Rules), you must assign an IAM role and policy that authorizes the service to publish messages on your behalf.
For detailed steps on how to create this IAM role, refer to the official AWS documentation: Create a destination role for AWS IoT Core for LoRaWAN.
Register the Gateway to AWS IoT Core
To register the gateway with AWS IoT Core for LoRaWAN, execute these steps:
1. Log in to your AWS IoT Core Console.
2. Select LPWAN devices in the navigation panel on the left.
3. Choose Gateways, and then click Add gateway.
4. In the Add gateway section, fill in the Gateway's EUI and Frequency band (RF Region) fields.
5. Click Add gateway. If a green success message appears, the gateway has been registered successfully.
6. On the Configure your gateway page, find the section titled Gateway certificate.
7. Select Create certificate.
8. Once the message stating that the certificate is created and associated with your gateway is shown, select Download certificate files to download the certificate (xxxxx.cert.pem) and private key (xxxxxx.private.key).
9. In the section Provisioning credentials, choose Download server trust certificates to download the CUPS (cups.trust) and LNS (lns.trust) server trust certificates.
10. Copy the LNS endpoint and save it in a .txt file for use while configuring the gateway.
11. Choose Submit to add the gateway.
Configure the Gateway
1. Log in to the gateway's Web UI.
2. Go to LoRa > Configuration, and set Work Mode to Basics station.
3. Click Configure Basics Station server setup to expand the relevant settings panel. Configure the following parameters:
4. Click Save changes.
5. Wait a few seconds and check AWS IoT Console to see if the gateway is online.
FAQs
1. My gateway failed to connect to AWS IoT Core. What should I check?
- Ensure the uploaded certs are correctly paired (cert.pem, private.key, trust).
- Verify that the LNS endpoint URL is correct and reachable.
- Ensure no firewall is blocking port 443 outbound.
- Wait at least 30 seconds and refresh the AWS console.
- Ensure the LoRaWAN region matches AWS.
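The first three checks above (certificate pairing, endpoint format and reachability, outbound port) can be run from a workstation before the files are uploaded to the gateway. The following is an added example, not RAK or AWS code: the function names are hypothetical, and it assumes the downloaded certificate, private key, and lns.trust files are PEM-encoded.

```python
import socket
import ssl
from urllib.parse import urlsplit


def parse_lns_endpoint(uri):
    """Return (host, port) from the saved LNS endpoint; Basics Station LNS links are wss://."""
    parts = urlsplit(uri.strip())  # a saved .txt file usually ends with a newline
    if parts.scheme != "wss":
        raise ValueError(f"expected wss:// scheme, got {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("no hostname in endpoint")
    return parts.hostname, parts.port or 443


def tls_handshake(uri, ctx, timeout=10.0):
    """Connect and complete a TLS handshake; returns the negotiated TLS version."""
    host, port = parse_lns_endpoint(uri)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def preflight(uri, cert_pem, private_key, lns_trust, connect=True):
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    try:
        parse_lns_endpoint(uri)
    except ValueError as exc:
        problems.append(f"endpoint: {exc}")
    # Trust only the downloaded lns.trust, not the system CA store (assumes PEM).
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=lns_trust)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        problems.append(f"trust: {exc}")
    try:
        # Raises ssl.SSLError when the private key does not belong to the certificate.
        ctx.load_cert_chain(certfile=cert_pem, keyfile=private_key)
    except OSError as exc:
        problems.append(f"cert/key pair: {exc}")
    if connect and not problems:
        try:
            tls_handshake(uri, ctx)
        except OSError as exc:  # timeout, refused, blocked port, or untrusted server cert
            problems.append(f"connect: {exc}")
    return problems
```

Call `preflight()` with the saved endpoint string and the paths to the downloaded certificate, private key, and lns.trust files; each returned entry names the check that failed.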
2. When should I use the LNS server type and when should I use CUPS?
AWS IoT Core supports both LNS and CUPS, and the selection depends on your deployment and management preferences:
- LNS server: The gateway connects directly to AWS’s LoRaWAN Network Server to send and receive device traffic. Suitable when the gateway is already configured and centrally managed.
- CUPS server: Configuration and Update Server (CUPS) allows the gateway to receive updates for server URIs, certificates, and firmware. Use this if you want to automate deployment and credential distribution at scale.
3. Where are the logs located if I need to debug?
Go to the gateway's web UI > Diagnostics > System log.
Glossary
| Term | Description |
|---|---|
| LNS | LoRaWAN Network Server: handles join requests, MAC commands, and routing. |
| CUPS | Configuration and Update Server: manages certificates and configuration. |
| IAM | Identity and Access Management service in AWS. |
| TLS | Transport Layer Security: protocol used to secure gateway communication. |
| Destination | AWS routing resource that forwards LoRaWAN data to rules or services. |
| Basics™ Station | Semtech’s protocol for secure and efficient gateway communication. |
Changelog
- Version 1 - How to Connect RAK Gateway to AWS IoT Core Using Basics™ Station (LNS)
  - Date Published: 10/30/2025