Prerequisites for running the Amazon IoT Greengrass qualification suite - Amazon IoT Greengrass
Download the latest version of IDT for Amazon IoT GreengrassCreate and configure an Amazon Web Services accountAmazon managed policy for IDT
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon IoT Greengrass Version 1 entered the extended life phase on June 30, 2023. For more information, see the Amazon IoT Greengrass V1 maintenance policy. After this date, Amazon IoT Greengrass V1 won't release updates that provide features, enhancements, bug fixes, or security patches. Devices that run on Amazon IoT Greengrass V1 won't be disrupted and will continue to operate and to connect to the cloud. We strongly recommend that you migrate to Amazon IoT Greengrass Version 2, which adds significant new features and support for additional platforms.

Prerequisites for running the Amazon IoT Greengrass qualification suite

This section describes the prerequisites for using Amazon IoT Device Tester (IDT) for Amazon IoT Greengrass to run the Amazon IoT Greengrass qualification suite.

Download the latest version of Amazon IoT Device Tester for Amazon IoT Greengrass

Download the latest version of IDT and extract the software into a location on your file system where you have read and write permissions.

Note

IDT does not support being run by multiple users from a shared location, such as an NFS directory or a Windows network shared folder. We recommend that you extract the IDT package to a local drive and run the IDT binary on your local workstation.

Windows has a path length limitation of 260 characters. If you are using Windows, extract IDT to a root directory like C:\ or D:\ to keep your paths under the 260 character limit.

Create and configure an Amazon Web Services account

Before you can use IDT for Amazon IoT Greengrass, you must perform the following steps:

  1. Create an Amazon Web Services account. If you already have an Amazon Web Services account, skip to step 2.

  2. Configure permissions for IDT.

These account permissions allow IDT to access Amazon services and create Amazon resources, such as Amazon IoT things, Greengrass groups, and Lambda functions, on your behalf.

To create these resources, IDT for Amazon IoT Greengrass uses the Amazon credentials configured in the config.json file to make API calls on your behalf. These resources are provisioned at various times during a test.

Note

Although most tests qualify for Amazon Web Services Free Tier, you must provide a credit card when you sign up for an Amazon Web Services account. For more information, see Why do I need a payment method if my account is covered by the Free Tier?.

Step 1: Create an Amazon Web Services account

In this step, create and configure an Amazon Web Services account. If you already have an Amazon Web Services account, skip to Step 2: Configure permissions for IDT.

Sign up for an Amazon Web Services account

If you do not have an Amazon Web Services account, use the following procedure to create one.

To sign up for Amazon Web Services

  1. Open http://www.amazonaws.cn/ and choose Sign Up.

  2. Follow the on-screen instructions.

Amazon sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to http://www.amazonaws.cn/ and choosing My Account.

Secure IAM users

After you sign up for an Amazon Web Services account, safeguard your administrative user by turning on multi-factor authentication (MFA). For instructions, see Enable a virtual MFA device for an IAM user (console) in the IAM User Guide.

To give other users access to your Amazon Web Services account resources, create IAM users. To secure your IAM users, turn on MFA and only give the IAM users the permissions needed to perform their tasks.

For more information about creating and securing IAM users, see the following topics in the IAM User Guide:

Step 2: Configure permissions for IDT

In this step, configure the permissions that IDT for Amazon IoT Greengrass uses to run tests and collect IDT usage data. You can use the Amazon Web Services Management Console or Amazon Command Line Interface (Amazon CLI) to create an IAM policy and a test user for IDT, and then attach policies to the user. If you already created a test user for IDT, skip to Configure your device to run IDT tests or Optional: Configuring your Docker container for IDT for Amazon IoT Greengrass.

To configure permissions for IDT (console)

Follow these steps to use the console to configure permissions for IDT for Amazon IoT Greengrass.

  1. Sign in to the IAM console.

  2. Create a customer managed policy that grants permissions to create roles with specific permissions.

    1. In the navigation pane, choose Policies, and then choose Create policy.

    2. On the JSON tab, replace the placeholder content with the following policy.

      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageRolePoliciesForIDTGreengrass",
            "Effect": "Allow",
            "Action": [
                "iam:DetachRolePolicy",
                "iam:AttachRolePolicy"
            ],
            "Resource": [
                "arn:aws-cn:iam::*:role/idt-*",
                "arn:aws-cn:iam::*:role/GreengrassServiceRole"
            ],
            "Condition": {
                "ArnEquals": {
                    "iam:PolicyARN": [
                        "arn:aws-cn:iam::aws:policy/service-role/AWSGreengrassResourceAccessRolePolicy",
                        "arn:aws-cn:iam::aws:policy/service-role/GreengrassOTAUpdateArtifactAccess",
                        "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
                    ]
                }
            }
        },
        {
            "Sid": "ManageRolesForIDTGreengrass",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:PassRole",
                "iam:GetRole"
            ],
            "Resource": [
                "arn:aws-cn:iam::*:role/idt-*",
                "arn:aws-cn:iam::*:role/GreengrassServiceRole"
            ]
        }
    ]
}
      Important

      The following policy grants permission to create and manage roles required by IDT for Amazon IoT Greengrass. This includes permissions to attach the following Amazon managed policies:

    3. Choose Next: Tags.

    4. Choose Next: Review.

    5. For Name, enter IDTGreengrassIAMPermissions. Under Summary, review the permissions granted by your policy.

    6. Choose Create policy.

  3. Create an IAM user and attach the permissions required by IDT for Amazon IoT Greengrass.

    1. Create an IAM user. Follow steps 1 through 5 in Creating IAM users (console) in the IAM User Guide.

    2. Attach the permissions to your IAM user:

      1. On the Set permissions page, choose Attach existing policies directly.

      2. Search for the IDTGreengrassIAMPermissions policy that you created in the previous step. Select the check box.

      3. Search for the AWSIoTDeviceTesterForGreengrassFullAccess policy. Select the check box.

        Note

        The AWSIoTDeviceTesterForGreengrassFullAccess is an Amazon managed policy that defines the permissions IDT requires to create and access Amazon resources used for testing. For more information, see Amazon managed policy for Amazon IoT Device Tester.

    3. Choose Next: Tags.

    4. Choose Next: Review to view a summary of your choices.

    5. Choose Create user.

    6. To view the user's access keys (access key IDs and secret access keys), choose Show next to the password and access key. To save the access keys, choose Download.csv and save the file to a secure location. You use this information later to configure your Amazon credentials file.

  4. Next step: Configure your physical device.

 

To configure permissions for IDT (Amazon CLI)

Follow these steps to use the Amazon CLI to configure permissions for IDT for Amazon IoT Greengrass. If you already configured permissions in the console, skip to Configure your device to run IDT tests or Optional: Configuring your Docker container for IDT for Amazon IoT Greengrass.

  1. On your computer, install and configure the Amazon CLI if it's not already installed. Follow the steps in Installing the Amazon CLI in the Amazon Command Line Interface User Guide.

    Note

    The Amazon CLI is an open source tool that you can use to interact with Amazon services from your command-line shell.

  2. Create a customer managed policy that grants permissions to manage IDT and Amazon IoT Greengrass roles.

    Linux, macOS, or Unix
    aws iam create-policy --policy-name IDTGreengrassIAMPermissions --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageRolePoliciesForIDTGreengrass",
            "Effect": "Allow",
            "Action": [
                "iam:DetachRolePolicy",
                "iam:AttachRolePolicy"
            ],
            "Resource": [
                "arn:aws-cn:iam::*:role/idt-*",
                "arn:aws-cn:iam::*:role/GreengrassServiceRole"
            ],
            "Condition": {
                "ArnEquals": {
                    "iam:PolicyARN": [
                        "arn:aws-cn:iam::aws:policy/service-role/AWSGreengrassResourceAccessRolePolicy",
                        "arn:aws-cn:iam::aws:policy/service-role/GreengrassOTAUpdateArtifactAccess",
                        "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
                    ]
                }
            }
        },
        {
            "Sid": "ManageRolesForIDTGreengrass",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:PassRole",
                "iam:GetRole"
            ],
            "Resource": [
                "arn:aws-cn:iam::*:role/idt-*",
                "arn:aws-cn:iam::*:role/GreengrassServiceRole"
            ]
        }
    ]
}'
    Windows command prompt
    aws iam create-policy --policy-name IDTGreengrassIAMPermissions --policy-document '{\"Version\": \"2012-10-17\", \"Statement\": [{\"Sid\": \"ManageRolePoliciesForIDTGreengrass\",\"Effect\": \"Allow\",\"Action\": [\"iam:DetachRolePolicy\", \"iam:AttachRolePolicy\"], \"Resource\": [\"arn:aws-cn:iam::*:role/idt-*\",\"arn:aws-cn:iam::*:role/GreengrassServiceRole\"],\"Condition\": {\"ArnEquals\": {\"iam:PolicyARN\": [\"arn:aws-cn:iam::aws:policy/service-role/AWSGreengrassResourceAccessRolePolicy\",\"arn:aws-cn:iam::aws:policy/service-role/GreengrassOTAUpdateArtifactAccess\",\"arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole\"]}}},{\"Sid\": \"ManageRolesForIDTGreengrass\",\"Effect\": \"Allow\",\"Action\": [\"iam:CreateRole\",\"iam:DeleteRole\", \"iam:PassRole\", \"iam:GetRole\"],\"Resource\": [\"arn:aws-cn:iam::*:role/idt-*\",\"arn:aws-cn:iam::*:role/GreengrassServiceRole\"]}]}'
    Note

    This step includes a Windows command prompt example because it uses a different JSON syntax than Linux, macOS, or Unix terminal commands.

  3. Create an IAM user and attach the permissions required by IDT for Amazon IoT Greengrass.

    1. Create an IAM user. In this example setup, the user is named IDTGreengrassUser.

      aws iam create-user --user-name IDTGreengrassUser

    2. Attach the IDTGreengrassIAMPermissions policy you created in step 2 to your IAM user. Replace <account-id> in the command with the ID of your Amazon Web Services account.

      aws iam attach-user-policy --user-name IDTGreengrassUser --policy-arn arn:aws-cn:iam::<account-id>:policy/IDTGreengrassIAMPermissions

    3. Attach the AWSIoTDeviceTesterForGreengrassFullAccess policy to your IAM user.

      aws iam attach-user-policy --user-name IDTGreengrassUser --policy-arn arn:aws-cn:iam::aws:policy/AWSIoTDeviceTesterForGreengrassFullAccess
      Note

      The AWSIoTDeviceTesterForGreengrassFullAccess is an Amazon managed policy that defines the permissions IDT requires to create and access Amazon resources used for testing. For more information, see Amazon managed policy for Amazon IoT Device Tester.

  4. Create a secret access key for the user.

    aws iam create-access-key --user-name IDTGreengrassUser

    Store the output in a secure location. You use this information later to configure your Amazon credentials file.

  5. Next step: Configure your physical device.

Amazon managed policy for Amazon IoT Device Tester

The AWSIoTDeviceTesterForGreengrassFullAccess managed policy allows IDT to run operations and collect usage metrics. This policy grants the following IDT permissions:

  • iot-device-tester:CheckVersion. Check whether a set of Amazon IoT Greengrass, test suite, and IDT versions are compatible.

  • iot-device-tester:DownloadTestSuite. Download test suites.

  • iot-device-tester:LatestIdt. Get information about the latest IDT version that is available for download.

  • iot-device-tester:SendMetrics. Publish usage data that IDT collects about your tests.

  • iot-device-tester:SupportedVersion. Get the list of Amazon IoT Greengrass and test suite versions that are supported by IDT. This information is displayed in the command-line window.