Step 3: Test your device and save the Amazon CA cert

Run these commands to download and install the AWS CLI.

export PATH=$PATH:~/.local/bin # configures the path to include the directory with the AWS CLI
git clone https://github.com/aws/aws-cli.git # download the AWS CLI code from GitHub
cd aws-cli && git checkout v2 # go to the directory with the repo and checkout version 2
pip3 install -r requirements.txt # install the prerequisite software

Run this command to install the AWS CLI. This command can take up to 15 minutes to complete.

pip3 install . # install the AWS CLI 

Run this command to confirm that the correct version of the AWS CLI was installed.

aws --version

The version of the AWS CLI should be 2.2 or later.

Obtain an Access Key ID and Secret Access Key from your AWS account to authenticate the AWS CLI on your device.

If you’re new to AWS IAM, https://aws.amazon.com/premiumsupport/knowledge-center/create-access-key/ describes the process to run in the AWS console to create AWS IAM credentials to use on your device.

In the terminal window on your local host computer that's connected to your Raspberry Pi. and with the Access Key ID and Secret Access Key credentials for your device:

1. Run the AWS configure app with this command:

   aws configure

2. Enter your credentials and configuration information when prompted:

   AWS Access Key ID: your Access Key ID
   AWS Secret Access Key: your Secret Access Key
   Default region name: your AWS Region code
   Default output format: json

Run this command to test your device's access to your AWS account and AWS IoT Core endpoint.

aws iot describe-endpoint --endpoint-type iot:Data-ATS

It should return your AWS account-specific AWS IoT data endpoint, such as this example:

{
    "endpointAddress": "a3EXAMPLEffp-ats.iot.us-west-2.amazonaws.com"
}

Run this command to create a directory for the certificate.

mkdir ~/certs

Run this command to download the Amazon Root CA certificate.

curl -o ~/certs/AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem

Run these commands to set the access to the certificate directory and its file.

chmod 745 ~
chmod 700 ~/certs
chmod 644 ~/certs/AmazonRootCA1.pem

Run this command to see the CA certificate file in the new directory.

ls -l ~/certs

You should see an entry like this. The date and time will be different; however, the file size and all other info should be the same as shown here.

-rw-r--r-- 1 pi pi 1188 Oct 28 13:02 AmazonRootCA1.pem

If the file size is not 1188, check the curl command parameters. You might have downloaded an incorrect file.

In the terminal window on your local host computer, clear your AWS credentials.

1. Run the AWS configure app with this command:

   aws configure

2. Replace your credentials when prompted. You can leave Default region name and Default output format as they are by pressing Enter.

   AWS Access Key ID [****************YT2H]: XYXYXYXYX
   AWS Secret Access Key [****************9plH]: XYXYXYXYX
   Default region name [us-west-2]: 
   Default output format [json]:

Enter this command to shut down the Raspberry Pi.

sudo shutdown -h 0

After the Raspberry Pi shuts down completely, remove its power connector.

Remove the microSD card from your device.

On your local host computer:

1. Insert the microSD card.

2. Using your SD card imaging tool, save the microSD card’s image to a file.

3. After the microSD card’s image has been saved, eject the card from the local host computer.

With the power disconnected from the Raspberry Pi, insert the microSD card into the Raspberry Pi.

Apply power to the device.

After about a minute, on the local host computer, restart the terminal window session and log in to the device.

Don't reenter your AWS account credentials yet.