Prerequisites for running the AWS IoT Greengrass qualification suite
This section describes the prerequisites for using AWS IoT Device Tester (IDT) for AWS IoT Greengrass.
Download the latest version of AWS IoT Device Tester for AWS IoT Greengrass
Download the latest version of IDT and extract
the software into a location (<device-tester-extract-location>
) on your file system where you have read/write
permissions.
Note
IDT does not support being run by multiple users from a shared location, such as an NFS directory or a Windows network shared folder. We recommend that you extract the IDT package to a local drive and run the IDT binary on your local workstation.
Windows has a path length limitation of 260 characters. If you are using Windows,
extract IDT to a root directory like C:\
or D:\
to keep your paths under the 260 character limit.
Download the AWS IoT Greengrass software
IDT for AWS IoT Greengrass V2 tests your device for compatibility with a specific version of AWS IoT Greengrass. Run the
following command to download the AWS IoT Greengrass Core software to a file named
aws.greengrass.nucleus.zip
. Replace
version
with a supported
nucleus component version for your IDT version.
Place the downloaded aws.greengrass.nucleus.zip
file in the
folder.<device-tester-extract-location>
/products/
Note
Do not place multiple files in this directory for the same operating system and architecture.
Create and configure an AWS account
Before you can use AWS IoT Device Tester for AWS IoT Greengrass V2, you must perform the following steps:
-
Set up an AWS account. If you already have an AWS account, skip to step 2.
These account permissions allow IDT to access AWS services and create AWS resources, such as AWS IoT things and AWS IoT Greengrass components, on your behalf.
To create these resources, IDT for AWS IoT Greengrass V2 uses the AWS credentials
configured in the config.json
file to make API calls on your behalf.
These resources are provisioned at various times during a test.
Note
Although most tests qualify for AWS Free
Tier
Step 1: Set up an AWS account
In this step, create and configure an AWS account. If you already have an AWS account, skip to Step 2: Configure permissions for IDT.
If you do not have an AWS account, complete the following steps to create one.
To sign up for an AWS account
Open https://portal.aws.amazon.com/billing/signup
. Follow the online instructions.
Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.
When you sign up for an AWS account, an AWS account root user is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform tasks that require root user access.
To create an administrator user, choose one of the following options.
Choose one way to manage your administrator | To | By | You can also |
---|---|---|---|
In IAM Identity Center (Recommended) |
Use short-term credentials to access AWS. This aligns with the security best practices. For information about best practices, see Security best practices in IAM in the IAM User Guide. |
Following the instructions in Getting started in the AWS IAM Identity Center User Guide. | Configure programmatic access by Configuring the AWS CLI to use AWS IAM Identity Center in the AWS Command Line Interface User Guide. |
In IAM (Not recommended) |
Use long-term credentials to access AWS. | Following the instructions in Create an IAM user for emergency access in the IAM User Guide. | Configure programmatic access by Manage access keys for IAM users in the IAM User Guide. |
Step 2: Configure permissions for IDT
In this step, configure the permissions that IDT for AWS IoT Greengrass V2 uses to run tests and collect IDT usage data. You can use the AWS Management Console or AWS Command Line Interface (AWS CLI) to create an IAM policy and a test user for IDT, and then attach policies to the user. If you already created a test user for IDT, skip to Configure your device to run IDT tests.
-
Sign in to the IAM console
. -
Create a customer managed policy that grants permissions to create roles with specific permissions.
-
In the navigation pane, choose Policies, and then choose Create policy.
-
If you are not using PreInstalled, on the JSON tab, replace the placeholder content with the following policy. If you are using PreInstalled, proceed to the following step.
{ "Version":"2012-10-17", "Statement":[ { "Sid":"passRoleForResources", "Effect":"Allow", "Action":"iam:PassRole", "Resource":"arn:aws:iam::*:role/idt-*", "Condition":{ "StringEquals":{ "iam:PassedToService":[ "iot.amazonaws.com", "lambda.amazonaws.com", "greengrass.amazonaws.com" ] } } }, { "Sid":"lambdaResources", "Effect":"Allow", "Action":[ "lambda:CreateFunction", "lambda:PublishVersion", "lambda:DeleteFunction", "lambda:GetFunction" ], "Resource":[ "arn:aws:lambda:*:*:function:idt-*" ] }, { "Sid":"iotResources", "Effect":"Allow", "Action":[ "iot:CreateThing", "iot:DeleteThing", "iot:DescribeThing", "iot:CreateThingGroup", "iot:DeleteThingGroup", "iot:DescribeThingGroup", "iot:AddThingToThingGroup", "iot:RemoveThingFromThingGroup", "iot:AttachThingPrincipal", "iot:DetachThingPrincipal", "iot:UpdateCertificate", "iot:DeleteCertificate", "iot:CreatePolicy", "iot:AttachPolicy", "iot:DetachPolicy", "iot:DeletePolicy", "iot:GetPolicy", "iot:Publish", "iot:TagResource", "iot:ListThingPrincipals", "iot:ListAttachedPolicies", "iot:ListTargetsForPolicy", "iot:ListThingGroupsForThing", "iot:ListThingsInThingGroup", "iot:CreateJob", "iot:DescribeJob", "iot:DescribeJobExecution", "iot:CancelJob" ], "Resource":[ "arn:aws:iot:*:*:thing/idt-*", "arn:aws:iot:*:*:thinggroup/idt-*", "arn:aws:iot:*:*:policy/idt-*", "arn:aws:iot:*:*:cert/*", "arn:aws:iot:*:*:topic/idt-*", "arn:aws:iot:*:*:job/*" ] }, { "Sid":"s3Resources", "Effect":"Allow", "Action":[ "s3:GetObject", "s3:PutObject", "s3:DeleteObjectVersion", "s3:DeleteObject", "s3:CreateBucket", "s3:ListBucket", "s3:ListBucketVersions", "s3:DeleteBucket", "s3:PutObjectTagging", "s3:PutBucketTagging" ], "Resource":"arn:aws:s3::*:idt-*" }, { "Sid":"roleAliasResources", "Effect":"Allow", "Action":[ "iot:CreateRoleAlias", "iot:DescribeRoleAlias", "iot:DeleteRoleAlias", "iot:TagResource", "iam:GetRole" ], "Resource":[ "arn:aws:iot:*:*:rolealias/idt-*", "arn:aws:iam::*:role/idt-*" ] }, { "Sid":"idtExecuteAndCollectMetrics", "Effect":"Allow", "Action":[ "iot-device-tester:SendMetrics", "iot-device-tester:SupportedVersion", "iot-device-tester:LatestIdt", "iot-device-tester:CheckVersion", "iot-device-tester:DownloadTestSuite" ], "Resource":"*" }, { "Sid":"genericResources", "Effect":"Allow", "Action":[ "greengrass:*", "iot:GetThingShadow", "iot:UpdateThingShadow", "iot:ListThings", "iot:DescribeEndpoint", "iot:CreateKeysAndCertificate" ], "Resource":"*" }, { "Sid":"iamResourcesUpdate", "Effect":"Allow", "Action":[ "iam:CreateRole", "iam:DeleteRole", "iam:CreatePolicy", "iam:DeletePolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:TagRole", "iam:TagPolicy", "iam:GetPolicy", "iam:ListAttachedRolePolicies", "iam:ListEntitiesForPolicy" ], "Resource":[ "arn:aws:iam::*:role/idt-*", "arn:aws:iam::*:policy/idt-*" ] } ] }
-
If you are using PreInstalled, on the JSON tab, replace the placeholder content with the following policy. Make sure you:
-
Replace
thingName
andthingGroup
in theiotResources
statement with the thing name and thing group that were created during the Greengrass installation on your device under test (DUT) to add permissions. -
Replace the
passRole
androleAlias
in theroleAliasResources
statement and thepassRoleForResources
statement with the roles that were created during the Greengrass installation on your DUT.
{ "Version":"2012-10-17", "Statement":[ { "Sid":"passRoleForResources", "Effect":"Allow", "Action":"iam:PassRole", "Resource":"arn:aws:iam::*:role/
passRole
", "Condition":{ "StringEquals":{ "iam:PassedToService":[ "iot.amazonaws.com", "lambda.amazonaws.com", "greengrass.amazonaws.com" ] } } }, { "Sid":"lambdaResources", "Effect":"Allow", "Action":[ "lambda:CreateFunction", "lambda:PublishVersion", "lambda:DeleteFunction", "lambda:GetFunction" ], "Resource":[ "arn:aws:lambda:*:*:function:idt-*" ] }, { "Sid":"iotResources", "Effect":"Allow", "Action":[ "iot:CreateThing", "iot:DeleteThing", "iot:DescribeThing", "iot:CreateThingGroup", "iot:DeleteThingGroup", "iot:DescribeThingGroup", "iot:AddThingToThingGroup", "iot:RemoveThingFromThingGroup", "iot:AttachThingPrincipal", "iot:DetachThingPrincipal", "iot:UpdateCertificate", "iot:DeleteCertificate", "iot:CreatePolicy", "iot:AttachPolicy", "iot:DetachPolicy", "iot:DeletePolicy", "iot:GetPolicy", "iot:Publish", "iot:TagResource", "iot:ListThingPrincipals", "iot:ListAttachedPolicies", "iot:ListTargetsForPolicy", "iot:ListThingGroupsForThing", "iot:ListThingsInThingGroup", "iot:CreateJob", "iot:DescribeJob", "iot:DescribeJobExecution", "iot:CancelJob" ], "Resource":[ "arn:aws:iot:*:*:thing/thingName
", "arn:aws:iot:*:*:thinggroup/thingGroup
", "arn:aws:iot:*:*:policy/idt-*", "arn:aws:iot:*:*:cert/*", "arn:aws:iot:*:*:topic/idt-*", "arn:aws:iot:*:*:job/*" ] }, { "Sid":"s3Resources", "Effect":"Allow", "Action":[ "s3:GetObject", "s3:PutObject", "s3:DeleteObjectVersion", "s3:DeleteObject", "s3:CreateBucket", "s3:ListBucket", "s3:ListBucketVersions", "s3:DeleteBucket", "s3:PutObjectTagging", "s3:PutBucketTagging" ], "Resource":"arn:aws:s3::*:idt-*" }, { "Sid":"roleAliasResources", "Effect":"Allow", "Action":[ "iot:CreateRoleAlias", "iot:DescribeRoleAlias", "iot:DeleteRoleAlias", "iot:TagResource", "iam:GetRole" ], "Resource":[ "arn:aws:iot:*:*:rolealias/roleAlias
", "arn:aws:iam::*:role/idt-*" ] }, { "Sid":"idtExecuteAndCollectMetrics", "Effect":"Allow", "Action":[ "iot-device-tester:SendMetrics", "iot-device-tester:SupportedVersion", "iot-device-tester:LatestIdt", "iot-device-tester:CheckVersion", "iot-device-tester:DownloadTestSuite" ], "Resource":"*" }, { "Sid":"genericResources", "Effect":"Allow", "Action":[ "greengrass:*", "iot:GetThingShadow", "iot:UpdateThingShadow", "iot:ListThings", "iot:DescribeEndpoint", "iot:CreateKeysAndCertificate" ], "Resource":"*" }, { "Sid":"iamResourcesUpdate", "Effect":"Allow", "Action":[ "iam:CreateRole", "iam:DeleteRole", "iam:CreatePolicy", "iam:DeletePolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:TagRole", "iam:TagPolicy", "iam:GetPolicy", "iam:ListAttachedRolePolicies", "iam:ListEntitiesForPolicy" ], "Resource":[ "arn:aws:iam::*:role/idt-*", "arn:aws:iam::*:policy/idt-*" ] } ] }Note
If you want to use a custom IAM role as the token exchange role for your device under test, make sure you update the
roleAliasResources
statement and thepassRoleForResources
statement in your policy to allow your custom IAM role resource. -
-
Choose Review policy.
-
For Name, enter
IDTGreengrassIAMPermissions
. Under Summary, review the permissions granted by your policy. -
Choose Create policy.
-
-
Create an IAM user and attach the permissions required by IDT for AWS IoT Greengrass.
-
Create an IAM user. Follow steps 1 through 5 in Creating IAM users (console) in the IAM User Guide.
-
Attach the permissions to your IAM user:
-
On the Set permissions page, choose Attach existing policies to user directly.
-
Search for the IDTGreengrassIAMPermissions policy that you created in the previous step. Select the check box.
-
-
Choose Next: Tags.
-
Choose Next: Review to view a summary of your choices.
-
Choose Create user.
-
To view the user's access keys (access key IDs and secret access keys), choose Show next to the password and access key. To save the access keys, choose Download.csv and save the file to a secure location. You use this information later to configure your AWS credentials file.
-
-
Next step: Configure your physical device.
-
On your computer, install and configure the AWS CLI if it's not already installed. Follow the steps in Installing the AWS CLI in the AWS Command Line Interface User Guide.
Note
The AWS CLI is an open source tool that you can use to interact with AWS services from your command-line shell.
-
Create a customer managed policy that grants permissions to manage IDT and AWS IoT Greengrass roles.
-
If you are not using PreInstalled, open a text editor and save the following policy contents in a JSON file. If you are using PreInstalled, proceed to the following step.
{ "Version":"2012-10-17", "Statement":[ { "Sid":"passRoleForResources", "Effect":"Allow", "Action":"iam:PassRole", "Resource":"arn:aws:iam::*:role/idt-*", "Condition":{ "StringEquals":{ "iam:PassedToService":[ "iot.amazonaws.com", "lambda.amazonaws.com", "greengrass.amazonaws.com" ] } } }, { "Sid":"lambdaResources", "Effect":"Allow", "Action":[ "lambda:CreateFunction", "lambda:PublishVersion", "lambda:DeleteFunction", "lambda:GetFunction" ], "Resource":[ "arn:aws:lambda:*:*:function:idt-*" ] }, { "Sid":"iotResources", "Effect":"Allow", "Action":[ "iot:CreateThing", "iot:DeleteThing", "iot:DescribeThing", "iot:CreateThingGroup", "iot:DeleteThingGroup", "iot:DescribeThingGroup", "iot:AddThingToThingGroup", "iot:RemoveThingFromThingGroup", "iot:AttachThingPrincipal", "iot:DetachThingPrincipal", "iot:UpdateCertificate", "iot:DeleteCertificate", "iot:CreatePolicy", "iot:AttachPolicy", "iot:DetachPolicy", "iot:DeletePolicy", "iot:GetPolicy", "iot:Publish", "iot:TagResource", "iot:ListThingPrincipals", "iot:ListAttachedPolicies", "iot:ListTargetsForPolicy", "iot:ListThingGroupsForThing", "iot:ListThingsInThingGroup", "iot:CreateJob", "iot:DescribeJob", "iot:DescribeJobExecution", "iot:CancelJob" ], "Resource":[ "arn:aws:iot:*:*:thing/idt-*", "arn:aws:iot:*:*:thinggroup/idt-*", "arn:aws:iot:*:*:policy/idt-*", "arn:aws:iot:*:*:cert/*", "arn:aws:iot:*:*:topic/idt-*", "arn:aws:iot:*:*:job/*" ] }, { "Sid":"s3Resources", "Effect":"Allow", "Action":[ "s3:GetObject", "s3:PutObject", "s3:DeleteObjectVersion", "s3:DeleteObject", "s3:CreateBucket", "s3:ListBucket", "s3:ListBucketVersions", "s3:DeleteBucket", "s3:PutObjectTagging", "s3:PutBucketTagging" ], "Resource":"arn:aws:s3::*:idt-*" }, { "Sid":"roleAliasResources", "Effect":"Allow", "Action":[ "iot:CreateRoleAlias", "iot:DescribeRoleAlias", "iot:DeleteRoleAlias", "iot:TagResource", "iam:GetRole" ], "Resource":[ "arn:aws:iot:*:*:rolealias/idt-*", "arn:aws:iam::*:role/idt-*" ] }, { "Sid":"idtExecuteAndCollectMetrics", "Effect":"Allow", "Action":[ "iot-device-tester:SendMetrics", "iot-device-tester:SupportedVersion", "iot-device-tester:LatestIdt", "iot-device-tester:CheckVersion", "iot-device-tester:DownloadTestSuite" ], "Resource":"*" }, { "Sid":"genericResources", "Effect":"Allow", "Action":[ "greengrass:*", "iot:GetThingShadow", "iot:UpdateThingShadow", "iot:ListThings", "iot:DescribeEndpoint", "iot:CreateKeysAndCertificate" ], "Resource":"*" }, { "Sid":"iamResourcesUpdate", "Effect":"Allow", "Action":[ "iam:CreateRole", "iam:DeleteRole", "iam:CreatePolicy", "iam:DeletePolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:TagRole", "iam:TagPolicy", "iam:GetPolicy", "iam:ListAttachedRolePolicies", "iam:ListEntitiesForPolicy" ], "Resource":[ "arn:aws:iam::*:role/idt-*", "arn:aws:iam::*:policy/idt-*" ] } ] }
-
If you are using PreInstalled, open a text editor and save the following policy contents in a JSON file. Make sure you:
-
Replace
thingName
andthingGroup
in theiotResources
statement that were created during the Greengrass installation on your device under test (DUT) to add permissions. -
Replace the
passRole
androleAlias
in theroleAliasResources
statement and thepassRoleForResources
statement with the roles that were created during the Greengrass installation on your DUT.
{ "Version":"2012-10-17", "Statement":[ { "Sid":"passRoleForResources", "Effect":"Allow", "Action":"iam:PassRole", "Resource":"arn:aws:iam::*:role/
passRole
", "Condition":{ "StringEquals":{ "iam:PassedToService":[ "iot.amazonaws.com", "lambda.amazonaws.com", "greengrass.amazonaws.com" ] } } }, { "Sid":"lambdaResources", "Effect":"Allow", "Action":[ "lambda:CreateFunction", "lambda:PublishVersion", "lambda:DeleteFunction", "lambda:GetFunction" ], "Resource":[ "arn:aws:lambda:*:*:function:idt-*" ] }, { "Sid":"iotResources", "Effect":"Allow", "Action":[ "iot:CreateThing", "iot:DeleteThing", "iot:DescribeThing", "iot:CreateThingGroup", "iot:DeleteThingGroup", "iot:DescribeThingGroup", "iot:AddThingToThingGroup", "iot:RemoveThingFromThingGroup", "iot:AttachThingPrincipal", "iot:DetachThingPrincipal", "iot:UpdateCertificate", "iot:DeleteCertificate", "iot:CreatePolicy", "iot:AttachPolicy", "iot:DetachPolicy", "iot:DeletePolicy", "iot:GetPolicy", "iot:Publish", "iot:TagResource", "iot:ListThingPrincipals", "iot:ListAttachedPolicies", "iot:ListTargetsForPolicy", "iot:ListThingGroupsForThing", "iot:ListThingsInThingGroup", "iot:CreateJob", "iot:DescribeJob", "iot:DescribeJobExecution", "iot:CancelJob" ], "Resource":[ "arn:aws:iot:*:*:thing/thingName
", "arn:aws:iot:*:*:thinggroup/thingGroup
", "arn:aws:iot:*:*:policy/idt-*", "arn:aws:iot:*:*:cert/*", "arn:aws:iot:*:*:topic/idt-*", "arn:aws:iot:*:*:job/*" ] }, { "Sid":"s3Resources", "Effect":"Allow", "Action":[ "s3:GetObject", "s3:PutObject", "s3:DeleteObjectVersion", "s3:DeleteObject", "s3:CreateBucket", "s3:ListBucket", "s3:ListBucketVersions", "s3:DeleteBucket", "s3:PutObjectTagging", "s3:PutBucketTagging" ], "Resource":"arn:aws:s3::*:idt-*" }, { "Sid":"roleAliasResources", "Effect":"Allow", "Action":[ "iot:CreateRoleAlias", "iot:DescribeRoleAlias", "iot:DeleteRoleAlias", "iot:TagResource", "iam:GetRole" ], "Resource":[ "arn:aws:iot:*:*:rolealias/roleAlias
", "arn:aws:iam::*:role/idt-*" ] }, { "Sid":"idtExecuteAndCollectMetrics", "Effect":"Allow", "Action":[ "iot-device-tester:SendMetrics", "iot-device-tester:SupportedVersion", "iot-device-tester:LatestIdt", "iot-device-tester:CheckVersion", "iot-device-tester:DownloadTestSuite" ], "Resource":"*" }, { "Sid":"genericResources", "Effect":"Allow", "Action":[ "greengrass:*", "iot:GetThingShadow", "iot:UpdateThingShadow", "iot:ListThings", "iot:DescribeEndpoint", "iot:CreateKeysAndCertificate" ], "Resource":"*" }, { "Sid":"iamResourcesUpdate", "Effect":"Allow", "Action":[ "iam:CreateRole", "iam:DeleteRole", "iam:CreatePolicy", "iam:DeletePolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:TagRole", "iam:TagPolicy", "iam:GetPolicy", "iam:ListAttachedRolePolicies", "iam:ListEntitiesForPolicy" ], "Resource":[ "arn:aws:iam::*:role/idt-*", "arn:aws:iam::*:policy/idt-*" ] } ] }Note
If you want to use a custom IAM role as the token exchange role for your device under test, make sure you update the
roleAliasResources
statement and thepassRoleForResources
statement in your policy to allow your custom IAM role resource. -
-
Run the following command to create a customer managed policy named
IDTGreengrassIAMPermissions
. Replace
with the full path to the JSON file that you created in the previous step.policy.json
aws iam create-policy --policy-name IDTGreengrassIAMPermissions --policy-document file://
policy.json
-
-
Create an IAM user and attach the permissions required by IDT for AWS IoT Greengrass.
-
Create an IAM user. In this example setup, the user is named
IDTGreengrassUser
.aws iam create-user --user-name IDTGreengrassUser
-
Attach the
IDTGreengrassIAMPermissions
policy you created in step 2 to your IAM user. Replace<account-id>
in the command with the ID of your AWS account.aws iam attach-user-policy --user-name IDTGreengrassUser --policy-arn arn:aws:iam::
<account-id>
:policy/IDTGreengrassIAMPermissions
-
-
Create a secret access key for the user.
aws iam create-access-key --user-name IDTGreengrassUser
Store the output in a secure location. You use this information later to configure your AWS credentials file.
-
Next step: Configure your physical device.
AWS IoT Device Tester permissions
The following policies describe AWS IoT Device Tester permissions.
AWS IoT Device Tester requires these permissions for version checking and auto-update features.
-
iot-device-tester:SupportedVersion
Grants AWS IoT Device Tester permission to fetch the list of supported products, test suites and IDT versions.
-
iot-device-tester:LatestIdt
Grants AWS IoT Device Tester permission to fetch the latest IDT version available for download.
-
iot-device-tester:CheckVersion
Grants AWS IoT Device Tester permission to check version compatibility for IDT, test suites and products.
-
iot-device-tester:DownloadTestSuite
Grants AWS IoT Device Tester permission to download test suites updates.
AWS IoT Device Tester also uses the following permission for optional metrics reporting:
-
iot-device-tester:SendMetrics
Grants permission to AWS to collect metrics about AWS IoT Device Tester internal usage. If this permission is omitted, these metrics will not be collected.