IDT usage metrics - AWS IoT Greengrass
Configure your AWS credentialsProvide AWS credentials to IDT

AWS IoT Greengrass Version 1 entered the extended life phase on June 30, 2023. For more information, see the AWS IoT Greengrass V1 maintenance policy. After this date, AWS IoT Greengrass V1 won't release updates that provide features, enhancements, bug fixes, or security patches. Devices that run on AWS IoT Greengrass V1 won't be disrupted and will continue to operate and to connect to the cloud. We strongly recommend that you migrate to AWS IoT Greengrass Version 2, which adds significant new features and support for additional platforms.

IDT usage metrics

If you provide AWS credentials with required permissions, AWS IoT Device Tester collects and submits usage metrics to AWS. This is an opt-in feature and is used to improve IDT functionality. IDT collects information such as the following:

  • The AWS account ID used to run IDT

  • The IDT CLI commands used to run tests

  • The test suite that are run

  • The test suites in the <device-tester-extract-location> folder

  • The number of devices configured in the device pool

  • Test case names and run times

  • Test result information, such as whether tests passed, failed, encountered errors, or were skipped

  • Product features tested

  • IDT exit behavior, such as unexpected or early exits

All of the information that IDT sends is also logged to a metrics.log file in the <device-tester-extract-location>/results/<execution-id>/ folder. You can view the log file to see the information that was collected during a test run. This file is generated only if you choose to collect usage metrics.

To disable metrics collection, you do not need to take additional action. Simply do not store your AWS credentials, and if you do have stored AWS credentials, do not configure the config.json file to access them.

Configure your AWS credentials

If you do not already have an AWS account, you must create one. If you already have an AWS account, you simply need to configure the required permissions for your account that allow IDT to send usage metrics to AWS on your behalf.

Step 1: Create an AWS account

In this step, create and configure an AWS account. If you already have an AWS account, skip to Step 2: Configure permissions for IDT.

Sign up for an AWS account

If you do not have an AWS account, complete the following steps to create one.

To sign up for an AWS account

  1. Open https://portal.aws.amazon.com/billing/signup.

  2. Follow the online instructions.

    Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.

    When you sign up for an AWS account, an AWS account root user is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform tasks that require root user access.

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to https://aws.amazon.com/ and choosing My Account.

Create a user with administrative access

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

Secure your AWS account root user

  1. Sign in to the AWS Management Console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

    For help signing in by using root user, see Signing in as the root user in the AWS Sign-In User Guide.

  2. Turn on multi-factor authentication (MFA) for your root user.

    For instructions, see Enable a virtual MFA device for your AWS account root user (console) in the IAM User Guide.

Create a user with administrative access

  1. Enable IAM Identity Center.

    For instructions, see Enabling AWS IAM Identity Center in the AWS IAM Identity Center User Guide.

  2. In IAM Identity Center, grant administrative access to a user.

    For a tutorial about using the IAM Identity Center directory as your identity source, see Configure user access with the default IAM Identity Center directory in the AWS IAM Identity Center User Guide.

Sign in as the user with administrative access

  • To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

    For help signing in using an IAM Identity Center user, see Signing in to the AWS access portal in the AWS Sign-In User Guide.

Assign access to additional users

  1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

    For instructions, see Create a permission set in the AWS IAM Identity Center User Guide.

  2. Assign users to a group, and then assign single sign-on access to the group.

    For instructions, see Add groups in the AWS IAM Identity Center User Guide.

Step 2: Configure permissions for IDT

In this step, configure the permissions that IDT uses to run tests and collect IDT usage data. You can use the AWS Management Console or AWS Command Line Interface (AWS CLI) to create an IAM policy and a user for IDT, and then attach policies to the user.

To configure permissions for IDT (console)

Follow these steps to use the console to configure permissions for IDT for AWS IoT Greengrass.

  1. Sign in to the IAM console.

  2. Create a customer managed policy that grants permissions to create roles with specific permissions.

    1. In the navigation pane, choose Policies, and then choose Create policy.

    2. On the JSON tab, replace the placeholder content with the following policy.

      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot-device-tester:SendMetrics"
            ],
            "Resource": "*"
        }
    ]
}

    3. Choose Next: Tags.

    4. Choose Next: Review.

    5. For Name, enter IDTUsageMetricsIAMPermissions. Under Summary, review the permissions granted by your policy.

    6. Choose Create policy.

  3. Create an IAM user and attach permissions to the user.

    1. Create an IAM user. Follow steps 1 through 5 in Creating IAM users (console) in the IAM User Guide. If you already created an IAM user, skip to the next step.

    2. Attach the permissions to your IAM user:

      1. On the Set permissions page, choose Attach existing policies directly.

      2. Search for the IDTUsageMetricsIAMPermissions policy that you created in the previous step. Select the check box.

    3. Choose Next: Tags.

    4. Choose Next: Review to view a summary of your choices.

    5. Choose Create user.

    6. To view the user's access keys (access key IDs and secret access keys), choose Show next to the password and access key. To save the access keys, choose Download.csv and save the file to a secure location. You use this information later to configure your AWS credentials file.

 

To configure permissions for IDT (AWS CLI)

Follow these steps to use the AWS CLI to configure permissions for IDT for AWS IoT Greengrass. If you already configured permissions in the console, skip to Configure your device to run IDT tests or Optional: Configuring your Docker container for IDT for AWS IoT Greengrass.

  1. On your computer, install and configure the AWS CLI if it's not already installed. Follow the steps in Installing the AWS CLI in the AWS Command Line Interface User Guide.

    Note

    The AWS CLI is an open source tool that you can use to interact with AWS services from your command-line shell.

  2. Create the following customer managed policy that grants permissions to manage IDT and AWS IoT Greengrass roles.

    Linux, macOS, or Unix
    aws iam create-policy --policy-name IDTUsageMetricsIAMPermissions --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot-device-tester:SendMetrics"
            ],
            "Resource": "*"
        }
    ]
}'
    Windows command prompt
    aws iam create-policy --policy-name IDTUsageMetricsIAMPermissions --policy-document
                                        '{\"Version\": \"2012-10-17\", \"Statement\": [{\"Effect\": \"Allow\", \"Action\": [\"iot-device-tester:SendMetrics\"], \"Resource": \"*\"}]}'
    Note

    This step includes a Windows command prompt example because it uses a different JSON syntax than Linux, macOS, or Unix terminal commands.

  3. Create an IAM user and attach the permissions required by IDT for AWS IoT Greengrass.

    1. Create an IAM user. 

      aws iam create-user --user-name user-name

    2. Attach the IDTUsageMetricsIAMPermissions policy you created to your IAM user. Replace user-name with your IAM user name and <account-id> in the command with the ID of your AWS account.

      aws iam attach-user-policy --user-name user-name --policy-arn arn:aws:iam::<account-id>:policy/IDTGreengrassIAMPermissions

  4. Create a secret access key for the user.

    aws iam create-access-key --user-name user-name

    Store the output in a secure location. You use this information later to configure your AWS credentials file.

Provide AWS credentials to IDT

To allow IDT to access your AWS credentials and submit metrics to AWS, do the following:

  1. Store the AWS credentials for your IAM user as environment variables or in a credentials file:

    1. To use environment variables, run the following command:

      AWS_ACCESS_KEY_ID=access-key
AWS_SECRET_ACCESS_KEY=secret-access-key

    2. To use the credentials file, add the following information to the .aws/credentials file:

      [profile-name]
aws_access_key_id=access-key
aws_secret_access_key=secret-access-key

  2. Configure the auth section of the config.json file. For more information, see (Optional) Configure config.json.