End of support notice: On October 7th, 2026, AWS will discontinue support for AWS IoT Greengrass Version 1. After October 7th, 2026, you will no longer be able to access the AWS IoT Greengrass V1 resources. For more information, please visit [Migrate from AWS IoT Greengrass Version 1](https://docs.aws.amazon.com/greengrass/v2/developerguide/migrate-from-v1.html).

# Module 6: Accessing other AWS services
<a name="module6"></a>

This advanced module shows you how AWS IoT Greengrass cores can interact with other AWS services in the cloud. It builds on the traffic light example from [Module 5](module5.md) and adds a Lambda function that processes shadow states and uploads a summary to an Amazon DynamoDB table.

![\[AWS IoT connected to an AWS IoT Greengrass core, which is connected to a light switch device and a traffic light device shadow. The traffic light device shadow is connected to a Lambda function, which is connected to a DynamoDB table.\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/images/gg-get-started-089.5.png)


Before you begin, run the [Greengrass device setup](quick-start.md) script, or make sure that you have completed [Module 1](module1.md) and [Module 2](module2.md). You should also complete [Module 5](module5.md). You do not need other components or devices.

This module should take about 30 minutes to complete.

**Note**  
This module creates and updates a table in DynamoDB. Although most of the operations are small and fall within the Amazon Web Services Free Tier, performing some of the steps in this module might result in charges to your account. For information about pricing, see [DynamoDB pricing documentation](https://aws.amazon.com/dynamodb/pricing/).

**Topics**
+ [Configure the group role](config-iam-roles.md)
+ [Create and configure the Lambda function](create-config-lambda.md)
+ [Configure subscriptions](config_subs.md)
+ [Test communications](comms-test.md)

# Configure the group role
<a name="config-iam-roles"></a>

The group role is an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that you create and attach to your Greengrass group. This role contains the permissions that deployed Lambda functions (and other AWS IoT Greengrass features) use to access AWS services. For more information, see [Greengrass group role](group-role.md).

You use the following high-level steps to create a group role in the IAM console.

1. Create a policy that allows or denies actions on one or more resources.

1. Create a role that uses the Greengrass service as a trusted entity.

1. Attach your policy to the role.

Then, in the AWS IoT console, you add the role to the Greengrass group.

**Note**  
A Greengrass group has one group role. If you want to add permissions, you can edit attached policies or attach more policies.

 

For this tutorial, you create a permissions policy that allows describe, create, and update actions on an Amazon DynamoDB table. Then, you attach the policy to a new role and associate the role with your Greengrass group.

First, create a customer-managed policy that grants permissions required by the Lambda function in this module.

1. In the IAM console, in the navigation pane, choose **Policies**, and then choose **Create policy**.

1. On the **JSON** tab, replace the placeholder content with the following policy. The Lambda function in this module uses these permissions to create and update a DynamoDB table named `CarStats`.

------
#### [ JSON ]

****  

   ```
   {
       "Version":"2012-10-17",		 	 	 
       "Statement": [
           {
               "Sid": "PermissionsForModule6",
               "Effect": "Allow",
               "Action": [
                   "dynamodb:DescribeTable",
                   "dynamodb:CreateTable",
                   "dynamodb:PutItem"
               ],
               "Resource": "arn:aws:dynamodb:*:*:table/CarStats"
           }
       ]
   }
   ```

------

1. Choose **Next: Tags**, and then choose **Next: Review**. Tags aren't used in this tutorial.

1. For **Name**, enter **greengrass\$1CarStats\$1Table**, and then choose **Create policy**.

    

   Next, create a role that uses the new policy.

1. In the navigation pane, choose **Roles**, and then choose **Create role**.

1. Under **Trusted entity type**, choose **AWS service**.

1. Under **Use case**, **Use cases for other AWS services** choose **Greengrass**, select **Greengrass**, and then choose **Next**.

1. Under **Permissions policies**, select the new **greengrass\$1CarStats\$1Table** policy, and then choose **Next**.

1. For **Role name**, enter **Greengrass\$1Group\$1Role**.

1. For **Description**, enter **Greengrass group role for connectors and user-defined Lambda functions**.

1. Choose **Create role**.

   Now, add the role to your Greengrass group.

1. <a name="console-gg-groups"></a>In the AWS IoT console navigation pane, under **Manage**, expand **Greengrass devices**, and then choose **Groups (V1)**.

1. Under **Greengrass groups**, choose your group.

1. Choose **Settings**, and then choose **Associate role**.

1. Choose **Greengrass\$1Group\$1Role** from your list of roles, and then choose **Associate role**.

# Create and configure the Lambda function
<a name="create-config-lambda"></a>

In this step, you create a Lambda function that tracks the number of cars that pass the traffic light. Every time that the `GG_TrafficLight` shadow state changes to `G`, the Lambda function simulates the passing of a random number of cars (from 1 to 20). On every third `G` light change, the Lambda function sends basic statistics, such as min and max, to a DynamoDB table.

1. On your computer, create a folder named `car_aggregator`.

1. From the [TrafficLight ](https://github.com/aws/aws-greengrass-core-sdk-python/tree/master/examples/TrafficLight) examples folder on GitHub, download the `carAggregator.py` file to the `car_aggregator` folder. This is your Lambda function code.
**Note**  
This example Python file is stored in the AWS IoT Greengrass Core SDK repository for convenience, but it doesn't use the AWS IoT Greengrass Core SDK.

1. If you aren't working in the US East (N. Virgina) Region, open `carAggregator.py` and change `region_name` in the following line to the AWS Region that's currently selected in the AWS IoT console. For the list of supported AWS Regions, see [AWS IoT Greengrass](https://docs.aws.amazon.com/general/latest/gr/greengrass.html) in the *Amazon Web Services General Reference*.

   ```
   dynamodb = boto3.resource('dynamodb', region_name='us-east-1')
   ```

1. Run the following command in a [command-line](https://en.wikipedia.org/wiki/Command-line_interface) window to install the [AWS SDK for Python (Boto3)](https://github.com/boto/boto3/blob/develop/README.rst) package and its dependencies in the `car_aggregator` folder. Greengrass Lambda functions use the AWS SDK to access other AWS services. (For Windows, use an [elevated command prompt](https://technet.microsoft.com/en-us/library/cc947813(v=ws.10).aspx).)

   ```
   pip install boto3 -t path-to-car_aggregator-folder
   ```

   This results in a directory listing similar to the following:  
![\[Screenshot of directory listing showing carAggregator.py.\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/images/gg-get-started-095.png)

1. Compress the contents of the `car_aggregator` folder into a `.zip` file named `car_aggregator.zip`. (Compress the folder's contents, not the folder.) This is your Lambda function deployment package.

1. In the Lambda console, create a function named **GG\$1Car\$1Aggregator**, and set the remaining fields as follows:
   + For **Runtime**, choose **Python 3.7**.
   + For **Permissions**, keep the default setting. This creates an execution role that grants basic Lambda permissions. This role isn't used by AWS IoT Greengrass.

   Choose **Create function**.  
![\[Basic information section with Function name set to GG_Car_Aggregator and Runtime set to Python 3.7.\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/images/gg-get-started-095.5.png)

1. Upload your Lambda function deployment package:

   1. <a name="lambda-console-upload"></a>On the **Code** tab, under **Code source**, choose **Upload from**. From the dropdown, choose **.zip file**.  
![\[The Upload from dropdown with .zip file highlighted.\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/images/lra-console/upload-deployment-package.png)

   1. Choose upload, and then choose your `car_aggregator.zip` deployment package. Then, choose **Save**.

   1. <a name="lambda-console-runtime-settings-para"></a>On the **Code** tab for the function, under **Runtime settings**, choose **Edit**, and then enter the following values.
      + For **Runtime**, choose **Python 3.7**.
      + For **Handler**, enter **carAggregator.function\$1handler**

   1. Choose **Save**.

1. Publish the Lambda function, and then create an alias named **GG\$1CarAggregator**. For step-by-step instructions, see the steps to [publish the Lambda function](create-lambda.md#publish-function-version) and [create an alias](create-lambda.md#create-version-alias) in Module 3 (Part 1).

1. In the AWS IoT console, add the Lambda function that you just created to your AWS IoT Greengrass group:

   1. On the group configuration page, choose **Lambda functions**, and then under **My Lambda functions**, choose **Add**.

   1. For **Lambda function**, choose **GG\$1Car\$1Aggregator**.

   1. For **Lambda function version**, choose the alias to the version that you published.

   1. For **Memory limit**, enter **64 MB**.

   1. For **Pinned**, choose **True**.

   1. Choose **Add Lambda function**.
**Note**  
You can remove other Lambda functions from earlier modules.

# Configure subscriptions
<a name="config_subs"></a>

In this step, you create a subscription that enables the GG\$1TrafficLight shadow to send updated state information to the GG\$1Car\$1Aggregator Lambda function. This subscription is added to the subscriptions that you created in [Module 5](module5.md), which are all required for this module.

1. On the group configuration page, choose the **Subscriptions** tab, and then choose **Add**.

1. On the **Create a subscription** page, do the following:

   1. For **Source type**, choose **Service**, and then choose **Local Shadow Service**.

   1. For **Target type**, choose **Lambda function**, and then choose **GG\$1Car\$1Aggregator**.

   1. For **Topic filter**, enter **\$1aws/things/GG\$1TrafficLight/shadow/update/documents**

   1. Choose **Create subscription**.

   This module requires the new subscription and the [subscriptions](config-dev-subs.md#module5-subscriptions) that you created in Module 5.

1. Make sure that the Greengrass daemon is running, as described in [Deploy cloud configurations to a core device](configs-core.md).

1. <a name="console-actions-deploy"></a>On the group configuration page, choose **Deploy**.

# Test communications
<a name="comms-test"></a>

1. On your computer, open two [command-line](https://en.wikipedia.org/wiki/Command-line_interface) windows. Just as in [Module 5](module5.md), one window is for the GG\$1Switch client device and the other is for the GG\$1TrafficLight client device. You use them to run the same commands that you ran in Module 5.

   Run the following commands for the GG\$1Switch client device:

   ```
   cd path-to-certs-folder
   python lightController.py --endpoint AWS_IOT_ENDPOINT --rootCA AmazonRootCA1.pem --cert switchCertId-certificate.pem.crt --key switchCertId-private.pem.key --thingName GG_TrafficLight --clientId GG_Switch
   ```

   Run the following commands for the GG\$1TrafficLight client device:

   ```
   cd path-to-certs-folder
   python trafficLight.py --endpoint AWS_IOT_ENDPOINT --rootCA AmazonRootCA1.pem --cert lightCertId-certificate.pem.crt --key lightCertId-private.pem.key --thingName GG_TrafficLight --clientId GG_TrafficLight
   ```

   Every 20 seconds, the switch updates the shadow state to G, Y, and R, and the light displays its new state.

1. The function handler of the Lambda function is triggered on every third green light (every three minutes), and a new DynamoDB record is created. After `lightController.py` and `trafficLight.py` have run for three minutes, go to the AWS Management Console, and open the DynamoDB console.

1. Choose **US East (N. Virginia)** in the AWS Region menu. This is the Region where the `GG_Car_Aggregator` function creates the table.

1. In the navigation pane, choose **Tables**, and then choose the **CarStats** table. 

1. Choose **View items** to view the entries in the table.

   You should see entries with basic statistics on cars passed (one entry for every three minutes). You might need to choose the refresh button to view updates to the table.

1. If the test is not successful, you can look for troubleshooting information in the Greengrass logs.

   1. <a name="root-access-logs"></a>Switch to the root user and navigate to the `log` directory. Access to AWS IoT Greengrass logs requires root permissions.

      ```
      sudo su
      cd /greengrass/ggc/var/log
      ```

   1. Check `runtime.log` for errors.

      ```
      cat system/runtime.log | grep 'ERROR'
      ```

   1. Check the log generated by the Lambda function.

      ```
      cat user/region/account-id/GG_Car_Aggregator.log
      ```

      <a name="check-connection-info"></a> The `lightController.py` and `trafficLight.py` scripts store connection information in the `groupCA` folder, which is created in the same folder as the scripts. If you receive connection errors, make sure that the IP address in the `ggc-host` file matches the IP address endpoint for your core.

   For more information, see [Troubleshooting AWS IoT Greengrass](gg-troubleshooting.md).

This is the end of the basic tutorial. You should now understand the AWS IoT Greengrass programming model and its fundamental concepts, including AWS IoT Greengrass cores, groups, subscriptions, client devices, and the deployment process for Lambda functions running at the edge.

You can delete the DynamoDB table and the Greengrass Lambda functions and subscriptions. To stop communications between the AWS IoT Greengrass core device and the AWS IoT cloud, open a terminal on the core device and run one of the following commands:
+ To shut down the AWS IoT Greengrass core device:

  ```
  sudo halt
  ```
+ To stop the AWS IoT Greengrass daemon:

  ```
  cd /greengrass/ggc/core/
  sudo ./greengrassd stop
  ```