End of support notice: On October 7th, 2026, Amazon will discontinue support for Amazon IoT Greengrass Version 1. After October 7th, 2026, you will no longer be able to access the Amazon IoT Greengrass V1 resources. For more information, please visit [Migrate from Amazon IoT Greengrass Version 1](https://docs.amazonaws.cn/greengrass/v2/developerguide/migrate-from-v1.html).
# Prerequisites for running the Amazon IoT Greengrass qualification suite
This section describes the prerequisites for using Amazon IoT Device Tester (IDT) for Amazon IoT Greengrass to run the Amazon IoT Greengrass qualification suite.
## Download the latest version of Amazon IoT Device Tester for Amazon IoT Greengrass
Download the [latest version](dev-test-versions.md) of IDT and extract the software into a location on your file system where you have read and write permissions.
**Note**
IDT does not support being run by multiple users from a shared location, such as an NFS directory or a Windows network shared folder. We recommend that you extract the IDT package to a local drive and run the IDT binary on your local workstation.
Windows has a path length limitation of 260 characters. If you are using Windows, extract IDT to a root directory like `C:\ ` or `D:\` to keep your paths under the 260 character limit.
## Create and configure an Amazon Web Services account
Before you can use IDT for Amazon IoT Greengrass, you must perform the following steps:
1. [Create an Amazon Web Services account.]() If you already have an Amazon Web Services account, skip to step 2.
1. [Configure permissions for IDT.]()
These account permissions allow IDT to access Amazon services and create Amazon resources, such as Amazon IoT things, Greengrass groups, and Lambda functions, on your behalf.
To create these resources, IDT for Amazon IoT Greengrass uses the Amazon credentials configured in the `config.json` file to make API calls on your behalf. These resources are provisioned at various times during a test.
**Note**
Although most tests qualify for [Amazon Web Services Free Tier](https://www.amazonaws.cn/free), you must provide a credit card when you sign up for an Amazon Web Services account. For more information, see [ Why do I need a payment method if my account is covered by the Free Tier?](https://www.amazonaws.cn/premiumsupport/knowledge-center/free-tier-payment-method/).
### Step 1: Create an Amazon Web Services account
In this step, create and configure an Amazon Web Services account. If you already have an Amazon Web Services account, skip to [Step 2: Configure permissions for IDT](#configure-idt-permissions).
#### Sign up for an Amazon Web Services account
If you do not have an Amazon Web Services account, use the following procedure to create one.
**To sign up for Amazon Web Services**
1. Open [http://www.amazonaws.cn/](http://www.amazonaws.cn/) and choose **Sign Up**.
1. Follow the on-screen instructions.
Amazon sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [http://www.amazonaws.cn/](http://www.amazonaws.cn/) and choosing **My Account**.
#### Secure IAM users
After you sign up for an Amazon Web Services account, safeguard your administrative user by turning on multi-factor authentication (MFA). For instructions, see [Enable a virtual MFA device for an IAM user (console)](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-iam-user) in the *IAM User Guide*.
To give other users access to your Amazon Web Services account resources, create IAM users. To secure your IAM users, turn on MFA and only give the IAM users the permissions needed to perform their tasks.
For more information about creating and securing IAM users, see the following topics in the *IAM User Guide*:
+ [Creating an IAM user in your Amazon Web Services account](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_users_create.html)
+ [Access management for Amazon resources](https://docs.amazonaws.cn/IAM/latest/UserGuide/access.html)
+ [Example IAM identity-based policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_examples.html)
### Step 2: Configure permissions for IDT
In this step, configure the permissions that IDT for Amazon IoT Greengrass uses to run tests and collect IDT usage data. You can use the Amazon Web Services Management Console or Amazon Command Line Interface (Amazon CLI) to create an IAM policy and a test user for IDT, and then attach policies to the user. If you already created a test user for IDT, skip to [Configure your device to run IDT tests](device-config-setup.md) or [Optional: Configuring your Docker container for IDT for Amazon IoT Greengrass](docker-config-setup.md).
+ [To Configure Permissions for IDT (Console)](#configure-idt-permissions-console)
+ [To Configure Permissions for IDT (Amazon CLI)](#configure-idt-permissions-cli)
**To configure permissions for IDT (console)**
Follow these steps to use the console to configure permissions for IDT for Amazon IoT Greengrass.
1. Sign in to the [IAM console](https://console.amazonaws.cn/iam).
1. Create a customer managed policy that grants permissions to create roles with specific permissions.
1. In the navigation pane, choose **Policies**, and then choose **Create policy**.
1. On the **JSON** tab, replace the placeholder content with the following policy.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ManageRolePoliciesForIDTGreengrass",
"Effect": "Allow",
"Action": [
"iam:DetachRolePolicy",
"iam:AttachRolePolicy"
],
"Resource": [
"arn:aws-cn:iam::*:role/idt-*",
"arn:aws-cn:iam::*:role/GreengrassServiceRole"
],
"Condition": {
"ArnEquals": {
"iam:PolicyARN": [
"arn:aws-cn:iam::aws:policy/service-role/AWSGreengrassResourceAccessRolePolicy",
"arn:aws-cn:iam::aws:policy/service-role/GreengrassOTAUpdateArtifactAccess",
"arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
}
}
},
{
"Sid": "ManageRolesForIDTGreengrass",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:DeleteRole",
"iam:PassRole",
"iam:GetRole"
],
"Resource": [
"arn:aws-cn:iam::123456789012:role/idt-*",
"arn:aws-cn:iam::123456789012:role/GreengrassServiceRole"
]
}
]
}
```
------
**Important**
The following policy grants permission to create and manage roles required by IDT for Amazon IoT Greengrass. This includes permissions to attach the following Amazon managed policies:
[AWSGreengrassResourceAccessRolePolicy](https://console.amazonaws.cn/iam/home#/policies/arn:aws:iam::aws:policy/service-role/AWSGreengrassResourceAccessRolePolicy)
[GreengrassOTAUpdateArtifactAccess](https://console.amazonaws.cn/iam/home#/policies/arn:aws:iam::aws:policy/service-role/GreengrassOTAUpdateArtifactAccess)
[AWSLambdaBasicExecutionRole](https://console.amazonaws.cn/iam/home#/policies/arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole)
1. Choose **Next: Tags**.
1. Choose **Next: Review**.
1. For **Name**, enter **IDTGreengrassIAMPermissions**. Under **Summary**, review the permissions granted by your policy.
1. Choose **Create policy**.
1. Create an IAM user and attach the permissions required by IDT for Amazon IoT Greengrass.
1. Create an IAM user. Follow steps 1 through 5 in [Creating IAM users (console)](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_users_create.html#id_users_create_console) in the *IAM User Guide*.
1. Attach the permissions to your IAM user:
1. On the **Set permissions ** page, choose **Attach existing policies directly**.
1. Search for the **IDTGreengrassIAMPermissions** policy that you created in the previous step. Select the check box.
1. Search for the **AWSIoTDeviceTesterForGreengrassFullAccess** policy. Select the check box.
**Note**
The [AWSIoTDeviceTesterForGreengrassFullAccess](https://console.amazonaws.cn/iam/home#/policies/arn:aws:iam::aws:policy/AWSIoTDeviceTesterForGreengrassFullAccess) is an Amazon managed policy that defines the permissions IDT requires to create and access Amazon resources used for testing. For more information, see [Amazon managed policy for Amazon IoT Device Tester](#idt-managed-policy).
1. Choose **Next: Tags**.
1. Choose **Next: Review** to view a summary of your choices.
1. Choose **Create user**.
1. To view the user's access keys (access key IDs and secret access keys), choose **Show** next to the password and access key. To save the access keys, choose **Download.csv** and save the file to a secure location. You use this information later to configure your Amazon credentials file.
1. Next step: Configure your [physical device](device-config-setup.md).
**To configure permissions for IDT (Amazon CLI)**
Follow these steps to use the Amazon CLI to configure permissions for IDT for Amazon IoT Greengrass. If you already configured permissions in the console, skip to [Configure your device to run IDT tests](device-config-setup.md) or [Optional: Configuring your Docker container for IDT for Amazon IoT Greengrass](docker-config-setup.md).
1. On your computer, install and configure the Amazon CLI if it's not already installed. Follow the steps in [ Installing the Amazon CLI](https://docs.amazonaws.cn/cli/latest/userguide/cli-chap-install.html) in the *Amazon Command Line Interface User Guide*.
**Note**
The Amazon CLI is an open source tool that you can use to interact with Amazon services from your command-line shell.
1. Create a customer managed policy that grants permissions to manage IDT and Amazon IoT Greengrass roles.
------
#### [ Linux, macOS, or Unix ]
```
aws iam create-policy --policy-name IDTGreengrassIAMPermissions --policy-document '{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ManageRolePoliciesForIDTGreengrass",
"Effect": "Allow",
"Action": [
"iam:DetachRolePolicy",
"iam:AttachRolePolicy"
],
"Resource": [
"arn:aws-cn:iam::*:role/idt-*",
"arn:aws-cn:iam::*:role/GreengrassServiceRole"
],
"Condition": {
"ArnEquals": {
"iam:PolicyARN": [
"arn:aws-cn:iam::aws:policy/service-role/AWSGreengrassResourceAccessRolePolicy",
"arn:aws-cn:iam::aws:policy/service-role/GreengrassOTAUpdateArtifactAccess",
"arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
}
}
},
{
"Sid": "ManageRolesForIDTGreengrass",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:DeleteRole",
"iam:PassRole",
"iam:GetRole"
],
"Resource": [
"arn:aws-cn:iam::123456789012:role/idt-*",
"arn:aws-cn:iam::123456789012:role/GreengrassServiceRole"
]
}
]
}'
```
------
#### [ Windows command prompt ]
```
aws iam create-policy --policy-name IDTGreengrassIAMPermissions --policy-document '{\"Version\": \"2012-10-17\", \"Statement\": [{\"Sid\": \"ManageRolePoliciesForIDTGreengrass\",\"Effect\": \"Allow\",\"Action\": [\"iam:DetachRolePolicy\", \"iam:AttachRolePolicy\"], \"Resource\": [\"arn:aws-cn:iam::*:role/idt-*\",\"arn:aws-cn:iam::*:role/GreengrassServiceRole\"],\"Condition\": {\"ArnEquals\": {\"iam:PolicyARN\": [\"arn:aws-cn:iam::aws:policy/service-role/AWSGreengrassResourceAccessRolePolicy\",\"arn:aws-cn:iam::aws:policy/service-role/GreengrassOTAUpdateArtifactAccess\",\"arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole\"]}}},{\"Sid\": \"ManageRolesForIDTGreengrass\",\"Effect\": \"Allow\",\"Action\": [\"iam:CreateRole\",\"iam:DeleteRole\", \"iam:PassRole\", \"iam:GetRole\"],\"Resource\": [\"arn:aws-cn:iam::*:role/idt-*\",\"arn:aws-cn:iam::*:role/GreengrassServiceRole\"]}]}'
```
**Note**
This step includes a Windows command prompt example because it uses a different JSON syntax than Linux, macOS, or Unix terminal commands.
------
1. Create an IAM user and attach the permissions required by IDT for Amazon IoT Greengrass.
1. Create an IAM user. In this example setup, the user is named `IDTGreengrassUser`.
```
aws iam create-user --user-name IDTGreengrassUser
```
1. Attach the `IDTGreengrassIAMPermissions` policy you created in step 2 to your IAM user. Replace ** in the command with the ID of your Amazon Web Services account.
```
aws iam attach-user-policy --user-name IDTGreengrassUser --policy-arn arn:aws-cn:iam:::policy/IDTGreengrassIAMPermissions
```
1. Attach the `AWSIoTDeviceTesterForGreengrassFullAccess` policy to your IAM user.
```
aws iam attach-user-policy --user-name IDTGreengrassUser --policy-arn arn:aws-cn:iam::aws:policy/AWSIoTDeviceTesterForGreengrassFullAccess
```
**Note**
The [AWSIoTDeviceTesterForGreengrassFullAccess](https://console.amazonaws.cn/iam/home#/policies/arn:aws:iam::aws:policy/AWSIoTDeviceTesterForGreengrassFullAccess) is an Amazon managed policy that defines the permissions IDT requires to create and access Amazon resources used for testing. For more information, see [Amazon managed policy for Amazon IoT Device Tester](#idt-managed-policy).
1. Create a secret access key for the user.
```
aws iam create-access-key --user-name IDTGreengrassUser
```
Store the output in a secure location. You use this information later to configure your Amazon credentials file.
1. Next step: Configure your [physical device](device-config-setup.md).
## Amazon managed policy for Amazon IoT Device Tester
The [AWSIoTDeviceTesterForGreengrassFullAccess](https://console.amazonaws.cn/iam/home#/policies/arn:aws:iam::aws:policy/AWSIoTDeviceTesterForGreengrassFullAccess) managed policy allows IDT to run operations and collect usage metrics. This policy grants the following IDT permissions:
+ `iot-device-tester:CheckVersion`. Check whether a set of Amazon IoT Greengrass, test suite, and IDT versions are compatible.
+ `iot-device-tester:DownloadTestSuite`. Download test suites.
+ `iot-device-tester:LatestIdt`. Get information about the latest IDT version that is available for download.
+ `iot-device-tester:SendMetrics`. Publish usage data that IDT collects about your tests.
+ `iot-device-tester:SupportedVersion`. Get the list of Amazon IoT Greengrass and test suite versions that are supported by IDT. This information is displayed in the command-line window.