本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 运行 AWS IoT Greengrass 资格套件的先决条件
本节介绍使用 AWS IoT Device Tester (IDT) 的先决条件。 AWS IoT Greengrass
## 下载 for 的最新版本 AWS IoT Device Tester AWS IoT Greengrass
下载[最新版本的](idt-programmatic-download.md) IDT 并将该软件解压缩到文件系统上您拥有读/写权限的位置 (**)。
**注意**
IDT 不支持由多个用户从共享位置(如 NFS 目录或 Windows 网络共享文件夹)运行。建议您将 IDT 包解压缩到本地驱动器,并在本地工作站上运行 IDT 二进制文件。
Windows 的路径长度限制为 260 个字符。如果您使用的是 Windows,请将 IDT 提取到根目录(如 `C:\ ` 或 `D:\`)以使路径长度不超过 260 个字符的限制。
## 下载该 AWS IoT Greengrass 软件
IDT fo AWS IoT Greengrass r V2 会测试您的设备是否与特定版本的兼容。 AWS IoT Greengrass运行以下命令将 AWS IoT Greengrass Core 软件下载到名为的文件中`aws.greengrass.nucleus.zip`。*version*替换为您的 IDT 版本[支持的 nucleus 组件版本](dev-test-versions.md)。
------
#### [ Linux or Unix ]
```
curl -s https://d2s8p88vqu9w66.cloudfront.net/releases/greengrass-version.zip > aws.greengrass.nucleus.zip
```
------
#### [ Windows Command Prompt (CMD) ]
```
curl -s https://d2s8p88vqu9w66.cloudfront.net/releases/greengrass-version.zip > aws.greengrass.nucleus.zip
```
------
#### [ PowerShell ]
```
iwr -Uri https://d2s8p88vqu9w66.cloudfront.net/releases/greengrass-version.zip -OutFile aws.greengrass.nucleus.zip
```
------
将下载的 `aws.greengrass.nucleus.zip` 文件放在 `/products/` 文件夹中。
**注意**
对于相同的操作系统和架构,请勿在此目录中放置多个文件。
## 创建和配置 AWS 账户
在 AWS IoT Greengrass V2 中使用 AWS IoT Device Tester 之前,必须执行以下步骤:
1. [设置一个 AWS 账户.](#create-aws-account-for-idt) 如果您已经有 AWS 账户,请跳至步骤 2。
1. [为 IDT 配置权限。](#configure-idt-permissions)
这些账户权限允许 IDT 代表您访问 AWS 服务和创建 AWS 资源,例如 AWS IoT 事物和 AWS IoT Greengrass 组件。
要创建这些资源,适用于 AWS IoT Greengrass V2 的 IDT 使用`config.json`文件中配置的 AWS 凭据代表您进行 API 调用。这些资源将在测试过程的不同时间进行预置。
**注意**
尽管大多数测试都符合 [AWS 免费套餐](https://aws.amazon.com/free)的要求,但您在注册 AWS 账户时必须提供信用卡。有关更多信息,请参阅[我的账户使用的是免费套餐,为什么还需要提供付款方式?](https://aws.amazon.com/premiumsupport/knowledge-center/free-tier-payment-method/)
### 第 1 步:设置 AWS 账户
在此步骤中,将创建并配置 AWS 账户。如果您已有 AWS 账户,请跳至 [步骤 2:为 IDT 配置权限](#configure-idt-permissions)。
如果您没有 AWS 账户,请完成以下步骤来创建一个。
**报名参加 AWS 账户**
1. 打开[https://portal.aws.amazon.com/billing/注册。](https://portal.aws.amazon.com/billing/signup)
1. 按照屏幕上的说明操作。
在注册时,将接到电话或收到短信,要求使用电话键盘输入一个验证码。
当您注册时 AWS 账户,就会创建*AWS 账户根用户*一个。根用户有权访问该账户中的所有 AWS 服务 和资源。作为最佳安全实践,请为用户分配管理访问权限,并且只使用根用户来执行[需要根用户访问权限的任务](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks)。
要创建管理员用户,请选择以下选项之一。
****
| 选择一种方法来管理您的管理员 | 目标 | 方式 | 您也可以 |
| --- | --- | --- | --- |
| 在 IAM Identity Center 中 (推荐) | 使用短期凭证访问 AWS。这符合安全最佳实操。有关最佳实践的信息,请参阅《IAM 用户指南》**中的 [IAM 中的安全最佳实践](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp)。 | 有关说明,请参阅《AWS IAM Identity Center 用户指南》中的[入门](https://docs.aws.amazon.com//singlesignon/latest/userguide/getting-started.html)。 | 通过在《AWS Command Line Interface 用户指南[》 AWS IAM Identity Center中配置 AWS CLI 要使用的来](https://docs.aws.amazon.com//cli/latest/userguide/cli-configure-sso.html)配置编程访问权限。 |
| 在 IAM 中 (不推荐使用) | 使用长期凭证访问 AWS。 | 按照《IAM 用户指南》中的[创建用于紧急访问的 IAM 用户](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started-emergency-iam-user.html)中的说明进行操作。 | 按照《IAM 用户指南》中的[管理 IAM 用户的访问密钥](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_credentials_access-keys.html),配置编程式访问。 |
### 步骤 2:为 IDT 配置权限
在此步骤中,配置 IDT for AWS IoT Greengrass V2 用于运行测试和收集 IDT 使用情况数据的权限。您可以使用 [AWS 管理控制台](#configure-idt-permissions-console) 或 [AWS Command Line Interface (AWS CLI)](#configure-idt-permissions-cli)为 IDT 创建 IAM 策略和测试用户,然后将策略附加到用户。如果您已经为 IDT 创建了测试用户,请跳转至 [配置设备以运行 IDT 测试](device-config-setup.md)。
#### 为 IDT 配置权限(控制台)
1. 登录 [IAM 控制台](https://console.aws.amazon.com/iam)。
1. 创建客户托管策略,该策略授权创建具有特定权限的角色。
1. 在导航窗格中,选择 **策略**,然后选择 **创建策略**。
1. 如果您未使用 PreInstalled,请在 **JSON** 选项卡上将占位符内容替换为以下策略。如果您正在使用 PreInstalled,请继续执行以下步骤。
```
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"passRoleForResources",
"Effect":"Allow",
"Action":"iam:PassRole",
"Resource":"arn:aws:iam::*:role/idt-*",
"Condition":{
"StringEquals":{
"iam:PassedToService":[
"iot.amazonaws.com",
"lambda.amazonaws.com",
"greengrass.amazonaws.com"
]
}
}
},
{
"Sid":"lambdaResources",
"Effect":"Allow",
"Action":[
"lambda:CreateFunction",
"lambda:PublishVersion",
"lambda:DeleteFunction",
"lambda:GetFunction"
],
"Resource":[
"arn:aws:lambda:*:*:function:idt-*"
]
},
{
"Sid":"iotResources",
"Effect":"Allow",
"Action":[
"iot:CreateThing",
"iot:DeleteThing",
"iot:DescribeThing",
"iot:CreateThingGroup",
"iot:DeleteThingGroup",
"iot:DescribeThingGroup",
"iot:AddThingToThingGroup",
"iot:RemoveThingFromThingGroup",
"iot:AttachThingPrincipal",
"iot:DetachThingPrincipal",
"iot:UpdateCertificate",
"iot:DeleteCertificate",
"iot:CreatePolicy",
"iot:AttachPolicy",
"iot:DetachPolicy",
"iot:DeletePolicy",
"iot:GetPolicy",
"iot:Publish",
"iot:TagResource",
"iot:ListThingPrincipals",
"iot:ListAttachedPolicies",
"iot:ListTargetsForPolicy",
"iot:ListThingGroupsForThing",
"iot:ListThingsInThingGroup",
"iot:CreateJob",
"iot:DescribeJob",
"iot:DescribeJobExecution",
"iot:CancelJob"
],
"Resource":[
"arn:aws:iot:*:*:thing/idt-*",
"arn:aws:iot:*:*:thinggroup/idt-*",
"arn:aws:iot:*:*:policy/idt-*",
"arn:aws:iot:*:*:cert/*",
"arn:aws:iot:*:*:topic/idt-*",
"arn:aws:iot:*:*:job/*"
]
},
{
"Sid":"s3Resources",
"Effect":"Allow",
"Action":[
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:CreateBucket",
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:DeleteBucket",
"s3:PutObjectTagging",
"s3:PutBucketTagging"
],
"Resource":"arn:aws:s3::*:idt-*"
},
{
"Sid":"roleAliasResources",
"Effect":"Allow",
"Action":[
"iot:CreateRoleAlias",
"iot:DescribeRoleAlias",
"iot:DeleteRoleAlias",
"iot:TagResource",
"iam:GetRole"
],
"Resource":[
"arn:aws:iot:*:*:rolealias/idt-*",
"arn:aws:iam::*:role/idt-*"
]
},
{
"Sid":"idtExecuteAndCollectMetrics",
"Effect":"Allow",
"Action":[
"iot-device-tester:SendMetrics",
"iot-device-tester:SupportedVersion",
"iot-device-tester:LatestIdt",
"iot-device-tester:CheckVersion",
"iot-device-tester:DownloadTestSuite"
],
"Resource":"*"
},
{
"Sid":"genericResources",
"Effect":"Allow",
"Action":[
"greengrass:*",
"iot:GetThingShadow",
"iot:UpdateThingShadow",
"iot:ListThings",
"iot:DescribeEndpoint",
"iot:CreateKeysAndCertificate"
],
"Resource":"*"
},
{
"Sid":"iamResourcesUpdate",
"Effect":"Allow",
"Action":[
"iam:CreateRole",
"iam:DeleteRole",
"iam:CreatePolicy",
"iam:DeletePolicy",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:TagRole",
"iam:TagPolicy",
"iam:GetPolicy",
"iam:ListAttachedRolePolicies",
"iam:ListEntitiesForPolicy"
],
"Resource":[
"arn:aws:iam::*:role/idt-*",
"arn:aws:iam::*:policy/idt-*"
]
}
]
}
```
1. 如果您使用的是 PreInstalled,请在 **JSON** 选项卡上将占位符内容替换为以下策略。请确保:
+ 将`iotResources`语句*thingGroup*中的*thingName*和替换为在被测设备 (DUT) 上安装 Greengrass 期间创建的事物名称和事物组,以添加权限。
+ 将语句*passRole*和`roleAliasResources`语句*roleAlias*中的和替换为`passRoleForResources`在 DUT 上安装 Greengrass 期间创建的角色。
```
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"passRoleForResources",
"Effect":"Allow",
"Action":"iam:PassRole",
"Resource":"arn:aws:iam::*:role/passRole",
"Condition":{
"StringEquals":{
"iam:PassedToService":[
"iot.amazonaws.com",
"lambda.amazonaws.com",
"greengrass.amazonaws.com"
]
}
}
},
{
"Sid":"lambdaResources",
"Effect":"Allow",
"Action":[
"lambda:CreateFunction",
"lambda:PublishVersion",
"lambda:DeleteFunction",
"lambda:GetFunction"
],
"Resource":[
"arn:aws:lambda:*:*:function:idt-*"
]
},
{
"Sid":"iotResources",
"Effect":"Allow",
"Action":[
"iot:CreateThing",
"iot:DeleteThing",
"iot:DescribeThing",
"iot:CreateThingGroup",
"iot:DeleteThingGroup",
"iot:DescribeThingGroup",
"iot:AddThingToThingGroup",
"iot:RemoveThingFromThingGroup",
"iot:AttachThingPrincipal",
"iot:DetachThingPrincipal",
"iot:UpdateCertificate",
"iot:DeleteCertificate",
"iot:CreatePolicy",
"iot:AttachPolicy",
"iot:DetachPolicy",
"iot:DeletePolicy",
"iot:GetPolicy",
"iot:Publish",
"iot:TagResource",
"iot:ListThingPrincipals",
"iot:ListAttachedPolicies",
"iot:ListTargetsForPolicy",
"iot:ListThingGroupsForThing",
"iot:ListThingsInThingGroup",
"iot:CreateJob",
"iot:DescribeJob",
"iot:DescribeJobExecution",
"iot:CancelJob"
],
"Resource":[
"arn:aws:iot:*:*:thing/thingName",
"arn:aws:iot:*:*:thinggroup/thingGroup",
"arn:aws:iot:*:*:policy/idt-*",
"arn:aws:iot:*:*:cert/*",
"arn:aws:iot:*:*:topic/idt-*",
"arn:aws:iot:*:*:job/*"
]
},
{
"Sid":"s3Resources",
"Effect":"Allow",
"Action":[
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:CreateBucket",
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:DeleteBucket",
"s3:PutObjectTagging",
"s3:PutBucketTagging"
],
"Resource":"arn:aws:s3::*:idt-*"
},
{
"Sid":"roleAliasResources",
"Effect":"Allow",
"Action":[
"iot:CreateRoleAlias",
"iot:DescribeRoleAlias",
"iot:DeleteRoleAlias",
"iot:TagResource",
"iam:GetRole"
],
"Resource":[
"arn:aws:iot:*:*:rolealias/roleAlias",
"arn:aws:iam::*:role/idt-*"
]
},
{
"Sid":"idtExecuteAndCollectMetrics",
"Effect":"Allow",
"Action":[
"iot-device-tester:SendMetrics",
"iot-device-tester:SupportedVersion",
"iot-device-tester:LatestIdt",
"iot-device-tester:CheckVersion",
"iot-device-tester:DownloadTestSuite"
],
"Resource":"*"
},
{
"Sid":"genericResources",
"Effect":"Allow",
"Action":[
"greengrass:*",
"iot:GetThingShadow",
"iot:UpdateThingShadow",
"iot:ListThings",
"iot:DescribeEndpoint",
"iot:CreateKeysAndCertificate"
],
"Resource":"*"
},
{
"Sid":"iamResourcesUpdate",
"Effect":"Allow",
"Action":[
"iam:CreateRole",
"iam:DeleteRole",
"iam:CreatePolicy",
"iam:DeletePolicy",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:TagRole",
"iam:TagPolicy",
"iam:GetPolicy",
"iam:ListAttachedRolePolicies",
"iam:ListEntitiesForPolicy"
],
"Resource":[
"arn:aws:iam::*:role/idt-*",
"arn:aws:iam::*:policy/idt-*"
]
}
]
}
```
**注意**
如果您想使用[自定义 IAM 角色作为被测设备的令牌交换角色](set-config.md#custom-token-exchange-role-idt),请务必更新策略中的 `roleAliasResources` 语句和 `passRoleForResources` 语句以允许自定义 IAM 角色资源。
1. 选择**查看策略**。
1. 对于 **Name (名称)**,请输入 **IDTGreengrassIAMPermissions**。在 **Summary (摘要)** 下,查看策略授予的权限。
1. 选择**创建策略**。
1. 创建 IAM 用户并附加 IDT for AWS IoT Greengrass所需的权限。
1. 创建 IAM 用户。按照 *IAM 用户指南*的[创建 IAM 用户(控制台)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console)中的步骤 1 到 5 操作。
1. 将权限附加到您的 IAM 用户:
1. 在 **Set permissions (设置权限)** 页面上,选择 **Attach existing policies to user directly (直接附加现有策略到用户)**。
1. 搜索您在上一步中创建的**IDTGreengrassIAMPermissions**策略。选中复选框。
1. 选择**下一步:标签**。
1. 选择 **Next: Review (下一步:审核)** 以查看您的选择摘要。
1. 选择**创建用户**。
1. 要查看用户的访问密钥(访问密钥 IDs 和私有访问密钥),请选择密码和访问密钥旁边的**显示**。要保存访问密钥,请选择**Download.csv (下载 .csv)**,然后将文件保存到安全位置。稍后您可以使用此信息配置 AWS 凭证文件。
1. 下一步:配置[物理设备](device-config-setup.md)。
#### 为 IDT 配置权限 (AWS CLI)
1. AWS CLI 如果尚未安装,请在您的计算机上进行安装和配置。按照《AWS Command Line Interface 用户指南》**中[安装 AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html) 的步骤来操作。
**注意**
AWS CLI 是一个开源工具,可用于通过命令行 shell 与 AWS 服务进行交互。
1. 创建用于授予管理 IDT 和 AWS IoT Greengrass 角色的权限的客户托管策略。
1. 如果您未使用 PreInstalled,请打开文本编辑器并将以下策略内容保存到 JSON 文件中。如果您正在使用 PreInstalled,请继续执行以下步骤。
```
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"passRoleForResources",
"Effect":"Allow",
"Action":"iam:PassRole",
"Resource":"arn:aws:iam::*:role/idt-*",
"Condition":{
"StringEquals":{
"iam:PassedToService":[
"iot.amazonaws.com",
"lambda.amazonaws.com",
"greengrass.amazonaws.com"
]
}
}
},
{
"Sid":"lambdaResources",
"Effect":"Allow",
"Action":[
"lambda:CreateFunction",
"lambda:PublishVersion",
"lambda:DeleteFunction",
"lambda:GetFunction"
],
"Resource":[
"arn:aws:lambda:*:*:function:idt-*"
]
},
{
"Sid":"iotResources",
"Effect":"Allow",
"Action":[
"iot:CreateThing",
"iot:DeleteThing",
"iot:DescribeThing",
"iot:CreateThingGroup",
"iot:DeleteThingGroup",
"iot:DescribeThingGroup",
"iot:AddThingToThingGroup",
"iot:RemoveThingFromThingGroup",
"iot:AttachThingPrincipal",
"iot:DetachThingPrincipal",
"iot:UpdateCertificate",
"iot:DeleteCertificate",
"iot:CreatePolicy",
"iot:AttachPolicy",
"iot:DetachPolicy",
"iot:DeletePolicy",
"iot:GetPolicy",
"iot:Publish",
"iot:TagResource",
"iot:ListThingPrincipals",
"iot:ListAttachedPolicies",
"iot:ListTargetsForPolicy",
"iot:ListThingGroupsForThing",
"iot:ListThingsInThingGroup",
"iot:CreateJob",
"iot:DescribeJob",
"iot:DescribeJobExecution",
"iot:CancelJob"
],
"Resource":[
"arn:aws:iot:*:*:thing/idt-*",
"arn:aws:iot:*:*:thinggroup/idt-*",
"arn:aws:iot:*:*:policy/idt-*",
"arn:aws:iot:*:*:cert/*",
"arn:aws:iot:*:*:topic/idt-*",
"arn:aws:iot:*:*:job/*"
]
},
{
"Sid":"s3Resources",
"Effect":"Allow",
"Action":[
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:CreateBucket",
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:DeleteBucket",
"s3:PutObjectTagging",
"s3:PutBucketTagging"
],
"Resource":"arn:aws:s3::*:idt-*"
},
{
"Sid":"roleAliasResources",
"Effect":"Allow",
"Action":[
"iot:CreateRoleAlias",
"iot:DescribeRoleAlias",
"iot:DeleteRoleAlias",
"iot:TagResource",
"iam:GetRole"
],
"Resource":[
"arn:aws:iot:*:*:rolealias/idt-*",
"arn:aws:iam::*:role/idt-*"
]
},
{
"Sid":"idtExecuteAndCollectMetrics",
"Effect":"Allow",
"Action":[
"iot-device-tester:SendMetrics",
"iot-device-tester:SupportedVersion",
"iot-device-tester:LatestIdt",
"iot-device-tester:CheckVersion",
"iot-device-tester:DownloadTestSuite"
],
"Resource":"*"
},
{
"Sid":"genericResources",
"Effect":"Allow",
"Action":[
"greengrass:*",
"iot:GetThingShadow",
"iot:UpdateThingShadow",
"iot:ListThings",
"iot:DescribeEndpoint",
"iot:CreateKeysAndCertificate"
],
"Resource":"*"
},
{
"Sid":"iamResourcesUpdate",
"Effect":"Allow",
"Action":[
"iam:CreateRole",
"iam:DeleteRole",
"iam:CreatePolicy",
"iam:DeletePolicy",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:TagRole",
"iam:TagPolicy",
"iam:GetPolicy",
"iam:ListAttachedRolePolicies",
"iam:ListEntitiesForPolicy"
],
"Resource":[
"arn:aws:iam::*:role/idt-*",
"arn:aws:iam::*:policy/idt-*"
]
}
]
}
```
1. 如果您正在使用 PreInstalled,请打开文本编辑器并将以下策略内容保存到 JSON 文件中。请确保:
+ *thingGroup*在被测设备 (DUT) 上安装 Greengrass 期间创建的`iotResources`语句中替换*thingName*和以添加权限。
+ 将语句*passRole*和`roleAliasResources`语句*roleAlias*中的和替换为`passRoleForResources`在 DUT 上安装 Greengrass 期间创建的角色。
```
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"passRoleForResources",
"Effect":"Allow",
"Action":"iam:PassRole",
"Resource":"arn:aws:iam::*:role/passRole",
"Condition":{
"StringEquals":{
"iam:PassedToService":[
"iot.amazonaws.com",
"lambda.amazonaws.com",
"greengrass.amazonaws.com"
]
}
}
},
{
"Sid":"lambdaResources",
"Effect":"Allow",
"Action":[
"lambda:CreateFunction",
"lambda:PublishVersion",
"lambda:DeleteFunction",
"lambda:GetFunction"
],
"Resource":[
"arn:aws:lambda:*:*:function:idt-*"
]
},
{
"Sid":"iotResources",
"Effect":"Allow",
"Action":[
"iot:CreateThing",
"iot:DeleteThing",
"iot:DescribeThing",
"iot:CreateThingGroup",
"iot:DeleteThingGroup",
"iot:DescribeThingGroup",
"iot:AddThingToThingGroup",
"iot:RemoveThingFromThingGroup",
"iot:AttachThingPrincipal",
"iot:DetachThingPrincipal",
"iot:UpdateCertificate",
"iot:DeleteCertificate",
"iot:CreatePolicy",
"iot:AttachPolicy",
"iot:DetachPolicy",
"iot:DeletePolicy",
"iot:GetPolicy",
"iot:Publish",
"iot:TagResource",
"iot:ListThingPrincipals",
"iot:ListAttachedPolicies",
"iot:ListTargetsForPolicy",
"iot:ListThingGroupsForThing",
"iot:ListThingsInThingGroup",
"iot:CreateJob",
"iot:DescribeJob",
"iot:DescribeJobExecution",
"iot:CancelJob"
],
"Resource":[
"arn:aws:iot:*:*:thing/thingName",
"arn:aws:iot:*:*:thinggroup/thingGroup",
"arn:aws:iot:*:*:policy/idt-*",
"arn:aws:iot:*:*:cert/*",
"arn:aws:iot:*:*:topic/idt-*",
"arn:aws:iot:*:*:job/*"
]
},
{
"Sid":"s3Resources",
"Effect":"Allow",
"Action":[
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:CreateBucket",
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:DeleteBucket",
"s3:PutObjectTagging",
"s3:PutBucketTagging"
],
"Resource":"arn:aws:s3::*:idt-*"
},
{
"Sid":"roleAliasResources",
"Effect":"Allow",
"Action":[
"iot:CreateRoleAlias",
"iot:DescribeRoleAlias",
"iot:DeleteRoleAlias",
"iot:TagResource",
"iam:GetRole"
],
"Resource":[
"arn:aws:iot:*:*:rolealias/roleAlias",
"arn:aws:iam::*:role/idt-*"
]
},
{
"Sid":"idtExecuteAndCollectMetrics",
"Effect":"Allow",
"Action":[
"iot-device-tester:SendMetrics",
"iot-device-tester:SupportedVersion",
"iot-device-tester:LatestIdt",
"iot-device-tester:CheckVersion",
"iot-device-tester:DownloadTestSuite"
],
"Resource":"*"
},
{
"Sid":"genericResources",
"Effect":"Allow",
"Action":[
"greengrass:*",
"iot:GetThingShadow",
"iot:UpdateThingShadow",
"iot:ListThings",
"iot:DescribeEndpoint",
"iot:CreateKeysAndCertificate"
],
"Resource":"*"
},
{
"Sid":"iamResourcesUpdate",
"Effect":"Allow",
"Action":[
"iam:CreateRole",
"iam:DeleteRole",
"iam:CreatePolicy",
"iam:DeletePolicy",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:TagRole",
"iam:TagPolicy",
"iam:GetPolicy",
"iam:ListAttachedRolePolicies",
"iam:ListEntitiesForPolicy"
],
"Resource":[
"arn:aws:iam::*:role/idt-*",
"arn:aws:iam::*:policy/idt-*"
]
}
]
}
```
**注意**
如果您想使用[自定义 IAM 角色作为被测设备的令牌交换角色](set-config.md#custom-token-exchange-role-idt),请务必更新策略中的 `roleAliasResources` 语句和 `passRoleForResources` 语句以允许自定义 IAM 角色资源。
1. 运行以下命令,创建名为 `IDTGreengrassIAMPermissions` 的客户管理型策略。将 `policy.json` 替换为您在上一步中创建的 JSON 文件的完整路径。
```
aws iam create-policy --policy-name IDTGreengrassIAMPermissions --policy-document file://policy.json
```
1. 创建 IAM 用户并附加 IDT for AWS IoT Greengrass所需的权限。
1. 创建 IAM 用户。在此示例设置中,用户被命名为 `IDTGreengrassUser`。
```
aws iam create-user --user-name IDTGreengrassUser
```
1. 将您在步骤 2 中创建的 `IDTGreengrassIAMPermissions` 策略附加到您的 IAM 用户。**在命令中替换为您的 ID AWS 账户。
```
aws iam attach-user-policy --user-name IDTGreengrassUser --policy-arn arn:aws:iam:::policy/IDTGreengrassIAMPermissions
```
1. 为用户创建私密访问密钥。
```
aws iam create-access-key --user-name IDTGreengrassUser
```
将输出存储在安全位置。稍后您将使用此信息来配置您的 AWS 凭据文件。
1. 下一步:配置[物理设备](device-config-setup.md)。
### AWS IoT Device Tester 权限
以下策略描述了 AWS IoT Device Tester 权限。
AWS IoT Device Tester 版本检查和自动更新功能需要这些权限。
+ `iot-device-tester:SupportedVersion`
授 AWS IoT Device Tester 予获取受支持产品、测试套件和 IDT 版本列表的权限。
+ `iot-device-tester:LatestIdt`
授 AWS IoT Device Tester 予获取可供下载的最新 IDT 版本的权限。
+ `iot-device-tester:CheckVersion`
授 AWS IoT Device Tester 予检查 IDT、测试套件和产品的版本兼容性的权限。
+ `iot-device-tester:DownloadTestSuite`
授 AWS IoT Device Tester 予下载测试套件更新的权限。
AWS IoT Device Tester 还使用以下权限来报告可选指标:
+ `iot-device-tester:SendMetrics`
授 AWS 予收集 AWS IoT Device Tester 内部使用情况指标的权限。如果省略此权限,则不会收集这些指标。