GG DG

AWS Greengrass
Developer Guide
AWS Greengrass Developer Guide
AWS Greengrass: Developer Guide

Copyright 2017 Amazon Web Services, Inc. and/or its aliates. All rights reserved.
Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner
that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not
owned by Amazon are the property of their respective owners, who may or may not be aliated with, connected to, or sponsored by
Amazon.
Table of Contents
What Is AWS Greengrass? .................................................................................................................... 1
Greengrass Core Software ........................................................................................................... 2
AWS Greengrass Groups .............................................................................................................. 2
Devices in AWS Greengrass ......................................................................................................... 4
SDKs ......................................................................................................................................... 5
Getting Started with AWS Greengrass ................................................................................................... 7
Requirements ............................................................................................................................ 7
Setting Up Your Hardware .......................................................................................................... 8
Preparing a Raspberry Pi for Greengrass ............................................................................... 8
Preparing an Amazon EC2 Instance for AWS Greengrass .......................................................... 9
Preparing an Annapurna aarch64 with Ubuntu 14.04 ............................................................ 10
Setting Up an AWS Greengrass Core Device ................................................................................. 12
Download the AWS Greengrass Core Software ..................................................................... 12
Create an AWS Greengrass Group ....................................................................................... 13
Create an AWS Greengrass Core Device in the Cloud ............................................................. 13
Provisioning an AWS Greengrass Core ................................................................................. 14
Get Connected to AWS ..................................................................................................... 14
Add an AWS IoT Device to Your AWS Greengrass Group ................................................................ 16
AWS Greengrass Example Scenario: Robot Arm ............................................................................ 17
Create AWS IoT Things ..................................................................................................... 17
Create an AWS Greengrass Group ....................................................................................... 17
Create a Core Denition .................................................................................................... 18
Create a Device Denition ................................................................................................. 20
Modify the Policy for GGC_Thing, Switch_Thing, and RobotArm_Thing .................................... 22
Create a Lambda Function Denition .................................................................................. 23
Create a Subscription Denition ......................................................................................... 26
Create a Logger Denition ................................................................................................. 30
Update Your Group .......................................................................................................... 32
Create a Deployment ........................................................................................................ 33
Updating the Connectivity Information Service .................................................................... 34
Device Conguration ......................................................................................................... 34
Running the Scenario ........................................................................................................ 36
Tutorial: Deploying a Simple Lambda Function to AWS Greengrass ................................................. 37
Create an AWS Account ..................................................................................................... 37
Sign in to the AWS Greengrass Console .............................................................................. 38
Create an AWS Greengrass Group and AWS Greengrass Core .................................................. 38
Congure and Start Your Greengrass Core Device ................................................................ 43
Copy and Extract the Greengrass Software Package onto Your Core Device .............................. 45
Install Certicates on Your AWS Greengrass Core Device ........................................................ 46
Congure Your Greengrass Core ......................................................................................... 46
Start Your AWS Greengrass Core to Connect It to the Cloud ................................................... 50
Create a "Hello World" Lambda Function ............................................................................. 51
Add the Lambda Function to Your Group Denition .............................................................. 54
Congure the HelloWorld Lambda Function ......................................................................... 56
Add a Subscription to Your Group Denition ........................................................................ 57
Deploy Your Group ........................................................................................................... 61
Verify the Lambda Function Is Running on Your Core Device .................................................. 63
Greengrass Discovery RESTful API ...................................................................................................... 66
Request ................................................................................................................................... 66
Response ................................................................................................................................. 67
Authorization ........................................................................................................................... 67
Example Discover Response Documents ...................................................................................... 67
AWS Greengrass Security ................................................................................................................... 69
Conguring Greengrass Security ................................................................................................. 70
iii
Device Connection Workow ..................................................................................................... 70

Greengrass Messaging Workow ................................................................................................ 71
MQTT Core Server Certicate Rotation ........................................................................................ 71
Monitoring ....................................................................................................................................... 72
Conguring Greengrass Logging ................................................................................................. 72
Required IAM Permissions ......................................................................................................... 73
Logging Output ....................................................................................................................... 74
AWS Greengrass Logging Limitations .......................................................................................... 74
Transactions per Second .................................................................................................... 74
Memory .......................................................................................................................... 74
Clock Skew ...................................................................................................................... 74
Disk Usage ...................................................................................................................... 74
Log Loss .......................................................................................................................... 75
Troubleshooting AWS Greengrass Applications ..................................................................................... 76
Troubleshooting with Logs ........................................................................................................ 77
Troubleshooting Storage Issues .................................................................................................. 77
Troubleshooting Messsages ........................................................................................................ 77
iv
What Is AWS Greengrass?

AWS Greengrass is software that extends AWS cloud capabilities to local devices, making it possible for
them to collect and analyze data closer to the source of information, while also securely communicating
with each other on local networks. More specically, developers who use AWS Greengrass can author
serverless code (AWS Lambda functions) in the cloud and conveniently deploy it to devices for local
execution of applications.
The following diagram shows the basic architecture of AWS Greengrass.
AWS Greengrass makes it possible for customers to use Lambda functions to build IoT devices and
application logic. Specically, AWS Greengrass provides cloud-based management of applications that
can be deployed for local execution. Locally deployed Lambda functions are triggered by local events,
messages from the cloud, or other sources.
In AWS Greengrass, devices securely communicate on a local network and exchange messages with
each other without having to connect to the cloud. AWS Greengrass provides a local pub/sub message
manager that can intelligently buer messages if connectivity is lost so that inbound and outbound
messages to the cloud are preserved.
AWS Greengrass protects user data:
Through the secure authentication and authorization of devices.

Through secure connectivity in the local network.
Between local devices and the cloud.
1
Greengrass Core Software
Device security credentials function within a group until they are revoked, even if connectivity to the
cloud is disrupted, so that the devices can continue to securely communicate locally.
AWS Greengrass provides secure, over-the-air software updates of Lambda functions.
AWS Greengrass consists of:
Software distributions
AWS Greengrass core software
AWS Greengrass core SDK
Cloud service
AWS Greengrass API
Features
Lambda runtime
Thing shadows implementation
Message manager
Group management
Discovery service
Greengrass Core Software

The AWS Greengrass core software provides the following functionality:
Allows deployment and execution of local applications created using Lambda functions and managed
through the deployment API.
Enables local messaging between devices over a secure network using a managed subscription scheme
through the MQTT protocol.
Ensures secure connections between devices and the cloud using device authentication and
authorization.
Provides secure, over-the-air software updates of user-dened Lambda functions.
The AWS Greengrass core software consists of:
A message manager that routes messages between devices, Lambda functions, and AWS IoT.
A Lambda runtime that runs user-dened Lambda functions.
An implementation of the Thing Shadows service that provides a local copy of thing shadows, which
represent your devices. Thing shadows can be congured to sync with the cloud.
A deployment agent that is notied of new or updated AWS Greengrass group conguration. When
new or updated conguration is detected, the deployment agent downloads the conguration data
and restarts the AWS Greengrass core.
AWS Greengrass core instances are congured through AWS Greengrass APIs that create and update
AWS Greengrass group denitions stored in the cloud.
AWS Greengrass Groups

An AWS Greengrass group denition is a collection of settings for AWS Greengrass core devices and the
devices that communicate with them. The following diagram shows the objects that make up an AWS
Greengrass group.
2
AWS Greengrass Groups
In the preceding diagram:
A: AWS Greengrass group denition
A collection of information about the AWS Greengrass group.

B: AWS Greengrass group settings
These include:
AWS Greengrass group role.
Log conguration.
Certication authority and local connection conguration.
AWS Greengrass core connectivity information.
C: AWS Greengrass core
The AWS IoT thing that represents the AWS Greengrass core.
D: Lambda function denition
A list of Lambda functions to be deployed to the AWS Greengrass core of the group.
E: Subscription denition
A collection of subscriptions to be deployed to the AWS Greengrass group that contains:

A message rule ID, a unique identier for the message routing subscription.
A message source, an ARN that identies the source of the message. Valid values are a thing ARN,
Lambda function, or "cloud".
A subject, an MQTT topic or topic lter used to lter message data.
A target, an ARN that identies the destination for messages published by the message source.
Valid values are a thing ARN, Lambda function, or "cloud".
F: Device denition
A list containing an AWS Greengrass core and AWS IoT things that are members of the AWS
Greengrass group and associated conguration data. This data species which devices are AWS
Greengrass cores and which devices should sync thing shadow data with AWS IoT.
3
Devices in AWS Greengrass
When deployed, the AWS Greengrass group denition, Lambda functions, and subscription table are
copied to an AWS Greengrass core device.
Devices in AWS Greengrass

There are two types of devices:
AWS Greengrass cores.

AWS IoT devices connected to an AWS Greengrass core.
An AWS Greengrass core is an AWS IoT device that runs specialized AWS Greengrass software that
communicates directly with the AWS IoT and AWS Greengrass cloud services. It is an AWS IoT device with
its own certicate used for authenticating with AWS IoT. It has a device shadow and exists in the AWS
IoT device registry. AWS Greengrass cores run a local Lambda runtime, a deployment agent, and an IP
address tracker that sends IP address information to the AWS Greengrass cloud service to allow AWS IoT
devices to automatically discover their group and core connection information.
Any AWS IoT device can connect to an AWS Greengrass core. An AWS Greengrass core runs software
written with the AWS IoT Device SDK.
The following table shows how these device types are related.
4
SDKs
SDKs
The following SDKs are used when working with AWS Greengrass:
AWS SDKs
Using the AWS SDKs, you can build applications that work with any AWS service, including Amazon
S3, Amazon DynamoDB, AWS IoT, AWS Greengrass, and more. In the context of AWS Greengrass, you
can use the AWS SDK inside deployed Lambda functions to make direct calls to any AWS service.
AWS IoT Device SDKs
The AWS IoT Device SDKs helps you connect your device to AWS IoT or AWS Greengrass services.
Devices must know to which AWS Greengrass group they belong and the IP address of the AWS
Greengrass core to which they should connect.
Although you can use any of the AWS IoT Device SDKs to connect to an AWS Greengrass core, only
the C++ and Python Device SDKs provide AWS Greengrass-specic functionality, such as access
to the AWS Greengrass Discovery Service and AWS Greengrass core root CA downloads. For more
information, see AWS IoT Device SDK.
AWS Greengrass Core SDK
The AWS Greengrass Core SDK enables Lambda functions to interact with the AWS Greengrass core
on which they run in order to publish messages, interact with the local Thing Shadows service, or
invoke other deployed Lambda functions. This SDK is used exclusively for writing Lambda functions
running in the Lambda runtime on an AWS Greengrass core. Lambda functions running on an
AWS Greengrass core can interact with AWS cloud services directly using the AWS SDK. The AWS
Greengrass Core SDK and the AWS SDK are contained in dierent packages, so you can use both
packages simultaneously. You can download the AWS Greengrass Core SDK from the Software
section of the AWS IoT console.
The AWS Greengrass Core SDK follows the AWS SDK programming model. It allows you to easily
port Lambda functions developed for the cloud to Lambda functions that run on an AWS Greengrass
core. For example, using the AWS SDK, the following Lambda function publishes a message to the
topic "/some/topic" in the cloud:
import boto3
client = boto3.client('iot-data')
response = client.publish(
topic = "/some/topic",
qos = 0,
payload = "Some payload".encode()
)
To port this Lambda function for execution on an AWS Greengrass core, replace the import boto3
statement with the import greengrasssdk, as shown in the following snippet:
import greengrasssdk
client = greengrasssdk.client('iot-data')
response = client.publish(
topic='/some/topic',
qos=0,
payload='some payload'.encode()
)
This allows you to test your Lambda functions in the cloud and migrate them to AWS Greengrass
with minimal eort.
5
SDKs
Note
The AWS Greengrass Core SDK only supports sending MQTT messages with QoS = 0. The
AWS SDK is natively part of the environment when executing a Lambda function in the AWS
cloud. If you want to use boto3 in a Lambda function deployed on an AWS Greengrass core,
make sure to include the AWS SDK in your package. In addition, if you choose to use both
the AWS Greengrass Core SDK and the AWS SDK simultaneously in the same package, your
Lambda functions must use the correct namespace. For more information about how to
create your deployment package, see the AWS Lambda documentation.
6
Requirements
Getting Started with AWS

Greengrass
This section describes how to install and congure AWS Greengrass. When working with AWS
Greengrass, you create an AWS Greengrass group and add a AWS Greengrass core. Setting up an AWS
Greengrass core device includes preparing the hardware, and then downloading and installing the AWS
Greengrass core software. After your AWS Greengrass core is congured, you can add AWS IoT devices
to your group. This section describes how to do each of these steps. It also provides an example scenario
that shows how all of the AWS Greengrass parts work together.
Requirements
These are the requirements for running an AWS Greengrass core:
Supported platforms:
Armv7l
Raspberry Pi 3 Model B - Raspbian Jessie 2017-03-02
X86_64
Amazon EC2 Instance - Amazon Linux - amzn-ami-hvm-2016.09.1.20170119-x86_64-ebs
AARCH64
Annapurna Alpine V2 Platform-on-Chip uATX Development Board with Ubuntu 14.04 Kernel 4.1.3
with the following enabled:
CONFIG_DEVPTS_MULTIPLE_INSTANCES
CONFIG_OF_OVERLAY
CONFIG_OVERLAY_FS
CONFIG_POSIX_MQUEUE
CONFIG_SECCOMP
CONFIG_SECCOMP_FILTER
CONFIG_HAVE_ARCH_SECCOMP_FILTER
This is a special Ubuntu 14.04 built by Annapurna.

Linux kernel version 4.4.11+ with OverlayFS and user namespace enabled
7
Setting Up Your Hardware
Glibc library version 2.14

Python version 2.7
SQLite version 3 or later
Minimum 128 MB RAM
Setting Up Your Hardware

You can run the AWS Greengrass core software on a Raspberry Pi running Raspbian Jessie, an Amazon
EC2 instance running Amazon Linux 2016.13, or Annapurna aarch64 running Ubuntu 14.04. This section
provides instructions for setting up these hardware platforms to run the AWS Greengrass core software.
Preparing a Raspberry Pi for Greengrass

Follow these steps to prepare your Raspberry Pi for running the AWS Greengrass core software and using
the AWS IoT Device SDK for C++.
To run the AWS Greengrass core software:
1. Use the following commands to add a user named ggc_user and a group named ggc_group:
sudo adduser --system ggc_user

sudo addgroup --system ggc_group
2. Use the following commands to update your Raspberry Pi kernel to 4.9:
sudo apt-get install rpi-update

sudo rpi-update
3. Use the following command to install sqlite3:
sudo apt-get install sqlite3
To use the AWS IoT Device SDK
1. Use the following command to install cmake:
sudo apt-get install cmake
2. Install OpenSSL 1.0.2 developer version.
1. Add the following text at the end of /etc/apt/sources.list.d/raspi.list:
deb http://ftp.debian.org/debian jessie-backports main
2. Run the following command to update the package list for apt-get:
sudo apt-get update
Note
If you get a NO_PUBKEY error, follow these instructions on the CCM website, and then
rerun the sudo apt-get update command.
3. Use the following command to install OpenSSL:
8
Preparing an Amazon EC2 Instance for AWS Greengrass
sudo apt-get -t jessie-backports install libssl-dev
Hardlink/Softlink Protection
The AWS Greengrass core software checks if hardlink/softlink protection is activated on the operating
system at startup. We recommend that you activate this protection to improve security on your device.
Follow these instructions.
1. Set system variables by adding the following two lines to /etc/sysctl.d/98-rpi.conf:
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
If the le /etc/sysctl.d/98-rpi.conf doesn't exist, follow the instructions in /etc/sysctl.d/

README.sysctl.
2. Reboot the system:
sudo reboot
3. Validate the change by running:
sudo sysctl -a | grep fs
If the system variables were set successfully, the following text is displayed:
Preparing an Amazon EC2 Instance for AWS

Greengrass
Follow these steps to prepare your Amazon EC2 instance for running the AWS Greengrass core software
and the AWS IoT Device SDK for C++
Use the following commands to add a user named ggc_user and a group named ggc_group:
sudo useradd -r ggc_user

sudo groupadd -r ggc_group
To use the AWS IoT Device SDK for C++:
1. Use the following commands to install cmake:
sudo yum groupinstall "Development Tools"

wget https://cmake.org/files/v3.8/cmake-3.8.0.tar.gz
tar -zxf cmake-3.8.0.tar.gz
cd cmake-3.8.0
./configure
9
Preparing an Annapurna aarch64 with Ubuntu 14.04
make
sudo make install
2. Use the following commands to install OpenSSL 1.0.2:
wget https://www.openssl.org/source/openssl-1.0.2k.tar.gz
tar -xvzf openssl-1.0.2k.tar.gz
cd openssl-1.0.2k
./config --prefix=/usr/
make
sudo make install
Hardlink/Softlink Protection
Follow these instructions:
1. Set system variables by adding the following two lines to /etc/sysctl.d/00-defaults.conf:
If the le /etc/sysctl.d/00-defaults.conf doesn't exist, follow the instructions in /etc/sysctl.d/

README.sysctl.
sudo reboot

Follow these steps to prepare your Annapurna aarch64 with Ubuntu 14.04 for running the AWS
Greengrass core software.
sudo useradd ggc_user

sudo groupadd ggc_group
2. Use the following commands to install missing dependencies:
apt-get update
10
apt-get install sqlite3
3. Set up cgroups:
# used script from: https://raw.githubusercontent.com/tianon/cgroupfs-mount/master/

cgroupfs-mount
sudo bash ./script.sh
To use the AWS IoT Device SDK for C++:
1. Use the following commands to install cmake:
wget https://cmake.org/files/v3.8/cmake-3.8.0.tar.gz
tar -zxf cmake-3.8.0.tar.gz
cd cmake-3.8.0
./configure
make
sudo make install
cmake is required for using the AWS IoT C++ Device SDK.
2. Use the following command to install Git:
apt-get install git
Git is required for using the AWS IoT C++ Device SDK.
3. Use the following commands to install OpenSSL 1.0.2+:
sudo apt-get install make

wget https://www.openssl.org/source/openssl-1.0.2g.tar.gz
tar -xzvf openssl-1.0.2g.tar.gz
cd openssl-1.0.2g
sudo ./config
sudo make install
sudo ln -sf /usr/local/ssl/bin/openssl `which openssl`
openssl version -v
The last command displays the version of OpenSSL that was installed. It should read 1.0.2.
4. Install libssl-dev.
1. Add the following back ports into /etc/apt/sources.list:
deb [arch=i386,amd64] http://archive.ubuntu.com/ubuntu xenial main restricted

universe multiverse
deb [arch=i386,amd64] http://security.ubuntu.com/ubuntu xenial-security main
restricted universe multiverse
deb [arch=i386,amd64] http://archive.ubuntu.com/ubuntu xenial-backports main
deb [arch=arm64,armhf,powerpc] http://ports.ubuntu.com/ xenial main restricted
universe multiverse
deb [arch=arm64,armhf,powerpc] http://ports.ubuntu.com/ xenial-security main
deb [arch=arm64,armhf,powerpc] http://ports.ubuntu.com/ xenial-backports main
deb-src http://archive.ubuntu.com/ubuntu xenial main restricted universe multiverse
deb-src http://security.ubuntu.com/ubuntu xenial-security main restricted universe
multiverse
11
Setting Up an AWS Greengrass Core Device
deb-src http://archive.ubuntu.com/ubuntu xenial-backports main restricted universe

multiverse
deb-src http://ports.ubuntu.com/ xenial main restricted universe multiverse
deb-src http://ports.ubuntu.com/ xenial-security main restricted universe
multiverse
deb-src http://ports.ubuntu.com/ xenial-backports main restricted universe
multiverse
2. Run the following commands:
sudo apt-get update

sudo dpkg --configure -a --force-all (to fix broken libraries)
sudo apt-get -f install (to fix broken libraries)
sudo apt-get install libssl-dev
3. Delete the text you added to /etc/apt/source.list.

4. Use the following command to update apt-get:
sudo apt-get update
Setting Up an AWS Greengrass Core Device

Download the AWS Greengrass Core Software
Download the AWS Greengrass distributable for your AWS Greengrass core hardware from AWS
Greengrass distributables. Choose Software from the navigation page.
Note
This link will take you to the AWS IoT console. This is the correct place to download the AWS
Use the following command to extract the tar le:
sudo tar -zxvf greengrass-platform-version.tar.gz -C /
Where platform is either:
linux-armv7l
linux-x86-64
linux-aarch64
The compressed tar le contains the following:
bin
A directory containing the AWS Greengrass core software binaries.

configuration
A directory containing conguration les, including certicates, cong.json, and group.json.

lambda
A directory containing Lambda function code.

license
A directory containing license les.
12
Create an AWS Greengrass Group
rootfs
A directory of the root le system for AWS Greengrass core.

runtime
A directory containing the Lambda runtime.

greengrassd
The Greengrass start script.

release_notes.html
Greengrass release notes.

version
The AWS Greengrass core software.

A Greengrass group is a resource that describes your local environment. AWS Greengrass groups contain
a AWS Greengrass core device with which all other devices in the group communicate, a list of devices
that belong to the group, a list of Lambda functions, and a subscription table that denes how messages
are passed between devices, the AWS Greengrass core, and Lambda functions.
To create a Greengrass group, open the AWS IoT console and, in the navigation pane, choose Greengrass.
On the Dene a Greengrass group tile, choose Get Started. On the Set up your Greengrass Group
page, choose Use easy creation, and then follow the instructions. This will walk you through the creation
of:
A Greengrass group.
An AWS IoT thing that represents an AWS Greengrass core in your AWS Greengrass group.
A certicate and key pair that your AWS Greengrass core will use to authenticate with AWS IoT and
AWS Greengrass.
Create an AWS Greengrass Core Device in the Cloud

Using the AWS IoT console, create an AWS IoT thing, certicate, and policy for your AWS Greengrass core
device.
1. Sign in to the AWS IoT console using your AWS credentials.

2. Create a AWS IoT thing for your AWS Greengrass core. For more information, see Create a Thing.
3. Create an AWS IoT certicate and private key for your AWS Greengrass core. For more information,
see Create a Device Certicate. The certicate and private key are used by AWS Greengrass cores to
establish a connection to cloud-based AWS IoT services. This certicate enables the AWS Greengrass
core to:
Receive and publish messages to and from the cloud.

Get information about deployments.
Download the certicate and private key and save them in a safe place. You will copy them to your
AWS Greengrass core device later.
4. Attach your device certicate to your AWS IoT thing. For more information, see Attach a Certicate
to a Thing.
5. Make sure your certicate is activated.
13
Provisioning an AWS Greengrass Core
6. Create and attach an AWS IoT policy to your device certicate. The policy determines which AWS IoT
resources your AWS Greengrass core is able to access. In the AWS IoT console, choose Security, and
then choose Policies. Choose Create to create an AWS IoT policy.
On the Create a Policy page, type a name for your policy. Under Add statements, in the Action text
box, type iot:*, greengrass:*. In the Resource ARN text box, type *. Under Eect choose Allow
and then choose Create. This will allow the identity associated with this policy to perform all AWS
IoT and AWS Greengrass operations. For more information, see Create an AWS IoT Policy.
Note
The AWS Greengrass core software establishes an MQTT connection using a random client
ID. For this reason, do not use the {iot:ClientId} policy variable in the AWS IoT policy for
your AWS Greengrass core.
Provisioning an AWS Greengrass Core

To provision an AWS Greengrass core, you must install the AWS Greengrass core software and certicates
on your AWS Greengrass core device.
Installing the AWS Greengrass Core Software

1. The AWS Greengrass core software is in the greengrass-platform-version.tar.gz le that
you downloaded from the AWS Greengrass console. Use the following command to extract
greengrass-platform-version.tar.gz:
sudo tar -zxf greengrass-platform-version.tar.gz -C /
Note
This will extract the AWS Greengrass distributable into the greengrass directory in your
root directory of your device.
2. If Linux control groups (cgroups) are not enabled on the operating system of your AWS Greengrass
core device , run this script.
Note
Linux control groups are used to limit the resources that can be accessed by Lambda
functions that run on your AWS Greengrass core device.
3. To automatically congure the Lambda cgroup, add cgroup /sys/fs/cgroup cgroup defaults 0 0
to the /etc/fstab le on your device, and then reboot your device.
The /greengrass directory is created when you extract the tar le.
Installing Certicates on your AWS Greengrass Core Device

Your AWS Greengrass core device must establish a secure connection to AWS IoT using MQTT over TLS.
To enable this, place the certicate, private key associated with your device, and the AWS IoT root CA
certicate in the /greengrass/configuration/certs directory.
Note
You can download the AWS IoT root CA certicate from Verisign.
Get Connected to AWS

The following steps show how to congure and store your AWS Greengrass settings in the cloud and
push changes to your AWS Greengrass core. This is the recommended way to work with AWS Greengrass.
14
Get Connected to AWS
Create a Greengrass Service Role

AWS Greengrass requires access to your AWS Lambda and AWS IoT data.
Use the IAM console (https://console.aws.amazon.com/iam/) to create an IAM role.
1. For Role Type, choose AWS Greengrass Role.

2. Select AWSGreengrassResourceAccessPolicy, and then choose Next Step.
3. Type a name for your role, and then choose Create Role.
After creating the role, make a note of the role ARN and use it to call the following CLI command:
aws greengrass associate-service-role-to-account --role-arn

arn:aws:iam::123451234510:role/GreengrassRole
Congure AWS Greengrass Core

Edit the conguration le or create one at /greengrass/configuration/config.json:
{
"coreThing": {
"caPath": "[ROOT_CA_PEM_HERE]",
"certPath": "[CLOUD_PEM_CRT_HERE]",
"keyPath": "[CLOUD_PEM_KEY_HERE]",
"thingArn": "[THING_ARN_HERE]",
"iotHost": "[HOST_PREFIX_HERE].iot.[AWS_REGION_HERE].amazonaws.com",
"ggHost": "greengrass.iot.[AWS_REGION_HERE].amazonaws.com",
"keepAlive": 600
},
"runtime": {
"cgroup": {
"useSystemd": "[yes|no]"
}
}
}
Field Description Notes
caPath The path to the AWS IoT root Save the le under /greengrass/
CA certicate relative to / conguration/certs.
greengrass/conguration/certs
folder.
certPath The path to the AWS Greengrass Save the le under /greengrass/
core certicate relative to / conguration/certs.
folder.
keyPath The path to the AWS Greengrass Save the le under /greengrass/
core private key relative to / conguration/certs.
folder.
thingArn The ARN of the thing that

represents the AWS Greengrass
core.
15
Add an AWS IoT Device to Your AWS Greengrass Group
Field Description Notes
iotHost Your AWS IoT endpoint. Can be obtained using the aws
iot describe-endpoint CLI
command or in the Settings
section of the AWS IoT console.
ggHost The AWS Greengrass endpoint.
keepAlive The MQTT KeepAlive period, in Optional. The default value is

seconds. 600 seconds (10 minutes).
useSystemd Manage cgroup with systemd. If your system's init system

is systemd, we strongly
recommend that you use
systemd to manage cgroup.
Valid values are yes and no.
A value must be specied.
When an invalid value is

specied, an error message
will be returned: useSystemd
[invalid value] is invalid,
it should be "yes" or "no".
Run the AWS Greengrass Core Software

Run sudo ./greengrassd startfromthe /greengrassdirectory on your AWS Greengrass core device.
Make sure your AWS Greengrass core device is connected to the internet. To see if your AWS Greengrass
core device is running, check that /greengrass/crash.log is empty and /greengrass/var/log/system/
runtime.log has text like the following:
[INFO]-Deployment agent connected to cloud

[INFO]-Subscribed to topic $aws/things/GGC_Thing-gda/shadow/update/delta
[INFO]-Subscribed to topic $aws/things/GGC_Thing-gda/shadow/get/accepted
This text means that your AWS Greengrass core device is connected to AWS IoT and waiting for a
deployment to take place.
Add an AWS IoT Device to Your AWS Greengrass

Group
Now that you have created an AWS Greengrass group and an AWS Greengrass core, you can add a device
to your group. Use the AWS IoT console to create an AWS IoT thing, certicate, and policy for your
device.
1. Sign in to the AWS IoT console using your AWS credentials.

2. Create a AWS IoT thing for your device. For more information, see Create a Thing.
3. Create an AWS IoT device certicate and private key. For more information, see Create a Device
Certicate. The certicate and private key are used by AWS Greengrass cores to establish a
connection to cloud-based AWS IoT services. For example, the certicate enables the device to:
16
AWS Greengrass Example Scenario: Robot Arm
Connect to AWS IoT and receive information about AWS Greengrass groups to which the device
belongs.
Connect to an AWS Greengrass core.
Save the certicate and private key in a safe place. You will need to copy them to your AWS
Greengrass core device.
4. Attach your device certicate to your AWS IoT thing. For more information, see Attach a Certicate
to a Thing.
5. Make sure your certicate is activated.
6. Create and attach an AWS IoT policy to your device certicate. The AWS policy determines which
AWS IoT resources your AWS Greengrass core is able to access. In the AWS IoT console, choose
Security, and then choose Policies. Choose Create to create an AWS IoT policy.
On the Create a Policy page, type a name for your policy. Under Add statements, in the Action
text box, type iot:*, greengrass:*. In the Resource ARN text box, type *. This allows the identity
associated with this policy to perform all AWS IoT and AWS Greengrass operations. For more
information, see Create an AWS IoT Policy.
AWS Greengrass Example Scenario: Robot Arm

To help you understand how the AWS Greengrass core and its components t and work together, we
have created an end-to-end example scenario. This scenario is detailed and will take some time to
complete. If you are looking for a shorter, more high-level introduction, see AWS Greengrass User Guide.
Imagine a robot arm that moves boxes to a conveyor belt. This robot arm is controlled by a switch that
will turn it on or o. The robot arm's on/o state can be controlled from the cloud. We have two Lambda
functions. One function is for monitoring the robot arm state when it is turned on and o (uptime
Lambda). This represents a situation in which you might need to monitor the status of a device, such as
how many times its been powered on (a very basic example). This status is sent to the cloud where you
are able to see the data on an MQTT topic.
The messageLambda Lambda function accepts generic messages that control the robot arm from the
cloud and updates the local thing shadow associated with the robot arm device. The AWS Greengrass
core software synchronized the local thing shadow with the thing shadow in the cloud (AWS IoT).
Create AWS IoT Things

For this example scenario, use the AWS IoT console to create three things:
GGC_Thing to represent the AWS Greengrass core.

RobotArm_Thing to represent the robotic arm.
Switch_Thing to represent the switch on the robotic arm.
Note
The Lambda functions provided later in this tutorial use these case-sensitive names. If you
choose dierent names for your things, you must update the code for the Lambda functions,
device code, and subscription table.

An AWS Greengrass group is a collection of settings for AWS Greengrass cores and the devices that
communicate with them. An AWS Greengrass group is composed of a membership list, Lambda function
17
Create a Core Denition
list, and subscription denition. In this scenario, the group consists of your GGC_Thing, RobotArm_Thing,
Switch_Thing, your Lambda functions, and a list of the subscriptions between them. Start by creating an
AWS Greengrass group. You will add components to it later.
aws greengrass create-group --name "GreengrassGroupName"
The Greengrass group name is the name that will be displayed in the AWS Greengrass console. It
can change over time, but the ID (generated for you) cannot. The output from the create-group CLI
command will look like this:
{
"LastUpdatedTimestamp": "2017-05-17T17:43:18.815Z",
"CreationTimestamp": "2017-05-17T17:43:18.815Z",
"Id": "4462f873-9299-440b-a6d6-94cd9560bc6e",
"Arn":"arn:aws:greengrass:us-west-2:123451234510:/greengrass/groups/4462f873-9299-440b-
a6d6-94cd9560bc6e"
"Name":"<GreengrassGroupName>"
}
Make a note of the Id in the create-group command output. You will need it later.
To get information about an AWS Greengrass group, you can use the get-group CLI command, passing in
the group ID:
aws greengrass get-group --group-id GroupId
The --group-id argument is the ID that is returned from the create-group CLI command.
The output from the aws greengrass get-group command will look like this:
{
"Arn":"arn:aws:greengrass:us-west-2:123451234510:/greengrass/groups/4462f873-9299-440b-
a6d6-94cd9560bc6e",
"Id": "4462f873-9299-440b-a6d6-94cd9560bc6e",
"Name": "<GreengrassGroupName>"
}
Now that your group has been created, create a core denition, a device denition, a Lambda function
denition, and a subscription denition. After these components are created, you will add them to the
group and deploy them to your AWS Greengrass core device.

An AWS Greengrass core denition is a list of AWS Greengrass cores that are members of the AWS
Greengrass group and its associated conguration data. Currently, you can only have one AWS
Greengrass core per list. This data species which devices are AWS Greengrass cores and which devices
should sync thing shadow data with AWS IoT. You must create a thing to represent your AWS Greengrass
core on AWS IoT. For this scenario, use the GGC_Thing AWS IoT thing to represent your AWS Greengrass
core device.
First, create a AWS Greengrass core list with the create-core-definition CLI command:
aws greengrass create-core-definition --name "CoreDefinitionName"
18
The --name argument species a name for the AWS Greengrass core denition.
The output from the create-core-definition CLI command will look like this:
{
"Id": "099d0333-3b37-451e-8d1c-745950ea8e27",
"Arn":"arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/
cores/099d0333-3b37-451e-8d1c-745950ea8e27",
"Name": "<CoreDefinitionName>"
}
Now that you have created an AWS Greengrass core denition, create an AWS Greengrass core denition
version by adding an AWS Greengrass core to the denition:
aws greengrass create-core-definition-version --core-definition-id "<CoreDefinitionId>" --

cores '[{
"CertificateArn": "<GGC_Cert-Arn>",
"Id": "<CoreElementId>",
"SyncShadow": true,
"ThingArn": "<GGC_Thing-Arn>"
}]'
Arguments for the create-core command
--core-definition-id
The ID returned by the create-core-definition CLI command.

--cores
A list of JSON objects describing AWS Greengrass cores containing:

CertificateArn
The ARN of the core's certicate.

CoreElementId
An arbitrary ID for the core denition version.

SyncShadow
true if the core's shadow should be synchronized with the cloud. Otherwise, false.
ThingArn
The ARN for the AWS IoT thing that represents the AWS Greengrass core.
The output from the create-core-definition-version CLI command will look like this:
{
"Arn" : "arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/
cores/099d0333-3b37-451e-8d1c-745950ea8e27/versions/e20c9a13-d737-441e-9f44-b0e70b0357f4",
"Id" : "099d0333-3b37-451e-8d1c-745950ea8e27",
"Version" : "e20c9a13-d737-441e-9f44-b0e70b0357f4",
"CreationTimestamp" : "2017-05-17T17:57:01.449Z"
}
Save the ARN from the CLI command output. You will use it later to add the list to a group.
19
Create a Device Denition
You can view an AWS Greengrass core list version using the get-core-definition-version CLI
command:
aws greengrass get-core-definition-version --core-definition-id CoreDefinitionId --core-

definition-version-id <CoreDefinitionVersionId>
Arguments for the get-core-definition-version CLI command:
--core-denition-id
The AWS Greengrass core denition ID from the create-core-definition CLI command output.
--core-denition-version-id
The ID of the AWS Greengrass core denition version. In the preceding example, it would be
e20c9a13-d737-441e-9f44-b0e70b0357f4.
The output from the get-core-definition-version CLI command will look like this:
{
"Definition": {
"Cores": [
{
"CertificateArn": "arn:aws:iot:us-west-2:123451234510:cert/
b47d7b575e495d798ae0b83be87041b3b860e312105e40e2481527dd39918f49",
"ThingArn": "arn:aws:iot:us-west-2:123451234510:thing/
StorylineUpdate_Core",
"SyncShadow": true,
"Id": "base-core"
}
]
},
"Version": "e20c9a13-d737-441e-9f44-b0e70b0357f4",
"Id": "099d0333-3b37-451e-8d1c-745950ea8e27",
"Arn": "arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/
cores/099d0333-3b37-451e-8d1c-745950ea8e27/versions/e20c9a13-d737-441e-9f44-b0e70b0357f4"
}

A device denition is a list of AWS Greengrass devices (things) that are members of the AWS Greengrass
group and associated conguration data. This data species which devices should sync local thing
shadow data with AWS IoT. The device list in this scenario consists of a robot arm and switch. Therefore,
you must add the RobotArm_Thing and Switch_Thing AWS IoT things to the device list.
First, create a device list:
aws greengrass create-device-definition --name "DeviceDefinitionName"
The --name argument species a name for the device denition.
The output from the create-device-definition CLI command will look like this:
{
"CreationTimestamp":"2017-05-17T00:00:00.000Z",
"Id":"c595e5c8-5dd0-4b3b-8262-0e94d4d18bfd",
20
"Arn":"arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/devices/
c595e5c8-5dd0-4b3b-8262-0e94d4d18bfd",
"Name":"<DeviceDefinitionName>",
}
Next, create a device denition version by adding AWS IoT things to the list:
aws greengrass create-device-definition-version --device-definition-id

"<DeviceDefinitionId>" --devices '[
{
"Id": "<DeviceElementId>",
"CertificateArn": "<RobotArm-Cert-Arn>",
"SyncShadow": true,
"ThingArn": "<RobotArm_Thing-Arn>"
},
{
"Id": "<DeviceElementId>",
"CertificateArn": "<Switch-Cert-Arn>",
"SyncShadow": false,
"ThingArn": "<Switch_Thing-Arn>"
}
]'
Arguments for the create-device-definition-version CLI command
--device-definition-id
The ID of the device denition, returned from the create-device-definition CLI command. In the
preceding example, it would be c595e5c8-5dd0-4b3b-8262-0e94d4d18bfd.
--devices
A list of JSON objects for each device in the device denition version.
Id
A ID for this entry in the list.

CertificateArn
The ARN of the device's certicate.

SyncShadow
true if the AWS Greengrass core's shadow should be synchronized with the cloud. Otherwise,
false.
ThingArn
The ARN of the device.
The output from the create-device-definition-version CLI command looks like this:
{
"Arn" : "arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/devices/
c595e5c8-5dd0-4b3b-8262-0e94d4d18bfd/versions/3c57969a-3a98-4092-8388-cece2b39f009",
"Id" : "c595e5c8-5dd0-4b3b-8262-0e94d4d18bfd",
"Version" : "3c57969a-3a98-4092-8388-cece2b39f009",
}
Save the device denition version ARN from the CLI command output. You will use it later to add the list
to a group.
21
Modify the Policy for GGC_Thing,
Switch_Thing, and RobotArm_Thing
To view the device denition version, use the get-device-definition-version CLI command:
aws greengrass get-device-definition-version --device-definition-id DeviceDefinitionId --

device-definition-version-id "<DeviceDefinitionVersionId>"
Arguments to the get-device-definition-version CLI command:
--device-definition-id
The ID of the device denition, returned from the create-device-definition CLI command.
--device-definition-version-id
The ID of the device denition version, returned from the create-device-definition-version CLI
command.
The output from the get-device-definition-version CLI command looks like this:
{
"Definition": {
"Devices": [
{
"CertificateArn": "arn:aws:iot:us-west-2:123451234510:cert/
a2909c1e38379f82fedf89011c98613fef6fa96071c3dd64a297fde6a414e150",
"ThingArn": "arn:aws:iot:us-west-2:123451234510:thing/RobotArm_Thing",
"SyncShadow": true,
"Id": "robot-arm"
},
{
"CertificateArn": "arn:aws:iot:us-
west-2:123451234510:cert/62017e65eb92d502459ba0f06211ba49c68a9d4763dd1901e2ea4dc73048ef15",
"ThingArn": "arn:aws:iot:us-west-2:123451234510:thing/Switch_Thing",
"SyncShadow": false,
"Id": "switch"
}
]
},
"Version": "3c57969a-3a98-4092-8388-cece2b39f009",
"Id": "c595e5c8-5dd0-4b3b-8262-0e94d4d18bfd",
"Arn": "arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/devices/
c595e5c8-5dd0-4b3b-8262-0e94d4d18bfd/versions/3c57969a-3a98-4092-8388-cece2b39f009"
}
You see that the SyncShadow eld for StorylineUpdate_RobotArm is set to true. This will sync the
local shadow status for StorylineUpdate_RobotArm. Whenever there's a shadow update for the
StorylineUpdate_RobotArm, it will also be reected in the AWS IoT shadow in the cloud .
Modify the Policy for GGC_Thing, Switch_Thing, and

RobotArm_Thing
Each device certicate has an AWS IoT policy attached to it. The policy determines what those devices
can do online. Update the policies for the AWS IoT things so they can automatically sync their shadow
status online and use discovery functionality. Use the AWS IoT console to update the policies for the
certicates attached to GGC_Thing, Switch_Thing, and RobotArm_Thing to look like this:
22
Create a Lambda Function Denition
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iot:*",
"greengrass:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
]
}
This allows AWS Greengrass to update the local shadow status with the cloud and AWS IoT devices to use
discovery functionality.

Now create a Lambda function denition. The Lambda function denition contains a list of functions
that will be deployed to your AWS Greengrass core. In our scenario, there are two simple Lambda
functions: uptime and message.
To make the Lambda functions available for Greengrass, you need to upload these Lambda functions
to the Lambda console. Make sure that you are accessing the Lambda console in the same region
as the Greengrass endpoint you are using. (If you are accessing Greengrass in the us-west-2 region,
use the Lambda console in the us-west-2 region.) Create two Lambda functions: uptimeLambda and
messageLambda.
Note
The source code for these Lambda functions are part of the AWS Greengrass Core SDK. You
can download it from the AWS IoT console. In the navigation pane, choose Software, and then
choose Download SDK for the AWS Greengrass Core SDK. Each Lambda function is contained in
a zip le located in the examples/Storyline directory of the AWS Greengrass Core SDK.
Using the AWS Lambda console, create a Lambda function and choose Blank Function. Do not congure
any triggers. Name the function uptimeLambda. For runtime, choose python 2.7. For Code entry type,
choose Upload a .ZIP le, and then browse to the storyline_uptimeLambda.zip le.
For Handler, type uptimeLambda.uptime_handler. Choose any existing role. The role is not important
here because AWS Greengrass doesn't use it. Review and then publish the function. Choose Actions,
choose Publish new version, and then choose Publish. The ARN for the published Lambda looks like
this: arn:aws:lambda:us-west-2:123451234510:function:uptimeLambda:1.
Associate a Lambda alias with this published version of your Lambda function. A Lambda alias is a
pointer to a specic Lambda function version. Aliases are mutable (that is, they can be changed) and can
be updated to point to dierent versions. For more information about Lambda aliases, see AWS Lambda
Developer Guideversioning-aliases.html. Using an alias allows you to update a Lambda function without
having to update subscriptions for each Greengrass group that references the Lambda function.
Note
The $LATEST alias is not supported for use with Greengrass.
From the Actions menu, choose Create alias. In Name, type "storyLineUptime", and choose the version
that was just published.
Note
A Lambda alias is a name given to a specic version of a Lambda function. Using an alias allows
the user to update the Lambda function without having to update the subscription table later.
You can use any alias except $LATEST which is used internally for work-in-progress deployments.
23
Make sure the alias is pointing to the correct version. It will be automatically resolved during Greengrass
deployment later.
Using the AWS Lambda console, create a Lambda function and choose Blank Function. Do not congure
any triggers. Name the function messageLambda. For runtime, choose python 2.7. For Code entry type,
choose Upload a .ZIP le, and then browse to the storyline_messageLambda.zip le that came with the
release. For Handler, type messageLambda.message_handler. Choose any existing role. The role is not
important because AWS Greengrass doesn't use it. Review the Lambda function and then publish it. From
the Actions menu, choose Publish new version, and then choose Publish. The ARN for the published
Lambda function looks like this: arn:aws:lambda:us-west-2:123451234510:function:messageLambda:1.
Associate an alias with the published version. From the Actions menu, choose Create alias. In Name,
type "storyLineMessage", and choose the version that was just published. Using an alias allows the user
to update the Lambda function without having to update the subscription table later. Make sure the alias
is pointing to the correct version. It will be automatically resolved during Greengrass deployment later.
Note
You will need the versioned ARN with either a version or an alias in order to build your function
list. Make sure you have published a version of your Lambda function and associated an alias
with it.
Use the create-function-definition CLI command to create a Lambda function denition:
aws greengrass create-function-definition --name "MyFunctionDefinition"
Arguments for the create-function-definition CLI command:
--name
A name for the Lambda function denition.
The output of the create-function-definition CLI command looks like:
{
"Id": "ff44a4cf-a619-47c2-95b4-13c6daf8cf47",
"Arn":"arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/functions/
ff44a4cf-a619-47c2-95b4-13c6daf8cf47",
"Name": "<MyFunctionDefinition>"
}
Now, create a Lambda denition version by adding Lambda functions to the denition:
aws greengrass create-function-definition-version --function-definition-id

"<FunctionDefinitionId>"
--functions '[
{
"Id": "An arbitrary element ID.",
"FunctionArn": "<uptimeLambda-version-arn>",
"FunctionConfiguration": {
"Executable": "uptimeLambda.uptime_handler",
"MemorySize": 128000,
"Timeout": 3
}
},
{
"FunctionArn": "<messageLambda-version-arn>",
24
"Executable": "messageLambda.message_handler",
"Timeout": 3
}
}]'
Arguments to the create-function-definition-version CLI Command:
--function-definition-id
The ID of the function denition, returned from the create-function-definition CLI command. In
the preceding example, it would be ff44a4cf-a619-47c2-95b4-13c6daf8cf47 for this entry in the
list.
--functions
A list of JSON objects describing the functions that you are adding to the function denition.
Id
The element ID for this entry in the list.

FunctionArn
The ARN of the function version you are adding to the denition.
Note
The function version ARN must end in a version. For example "arn:aws:lambda:us-
west-2:$ACCOUNT:function:UptimeLambda:1" is a valid function version ARN.
FunctionConfiguration
Conguration information for the function you are adding to the denition.
Executable
The name of the Lambda function handler.

MemorySize
The amount of memory to allocate for execution of the Lambda function.

Timeout
The timeout, in seconds, for the Lambda function.
The output from the create-function-definition-version CLI command looks like this:
{
"Arn" : "arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/lambdas/
ff44a4cf-a619-47c2-95b4-13c6daf8cf47/versions/8bdd9e9f-c2be-41a0-8cb2-2b8e952013c3",
"Id" : "ff44a4cf-a619-47c2-95b4-13c6daf8cf47",
"Version" : "8bdd9e9f-c2be-41a0-8cb2-2b8e952013c3",
}
Make a note the ARN of the Lambda denition version. You will need it later.
You can view the Lambda function list using the get-function-version CLI command.
aws greengrass get-function-definition-version --function-definition-id

"<FunctionDefinitionId>"
--function-definition-version-id "<FunctionDefinitionVersion>"
25
Create a Subscription Denition
Arguments for the get-function-definition-version CLI command:
--function-definition-id
The ID of the Lambda denition.

--function-definition-version-id
The ID of the function denition version.
The output of the get-function-definition-version CLI command will look like this:
{
"Definition": {
"Functions": [
{
"Executable": "messageLambda.message_handler",
"Timeout": 3
},
"Id": "message-lambda",
"FunctionArn": "arn:aws:lambda:us-
west-2:123451234510:function:messageLambda:storyLineMessage"
},
{
"Executable": "uptimeLambda.uptime_handler",
"Timeout": 3
},
"Id": "uptime-lambda",
"FunctionArn": "arn:aws:lambda:us-
west-2:123451234510:function:uptimeLambda:storyLineUptime"
}
]
},
"Version": "8bdd9e9f-c2be-41a0-8cb2-2b8e952013c3",
"Id": "ff44a4cf-a619-47c2-95b4-13c6daf8cf47",
"Arn": "arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/lambdas/
ff44a4cf-a619-47c2-95b4-13c6daf8cf47/versions/8bdd9e9f-c2be-41a0-8cb2-2b8e952013c3"
}

The subscription denition is a collection of subscriptions to be deployed to the AWS Greengrass group.
These subscriptions dictate how messages will be sent and received within the AWS Greengrass group.
Messages are sent between a source and a target only if there is a subscription for the source and target
in the subscription denition.
First, create a subscription denition using the create-subscription-definition CLI command:
aws greengrass create-subscription-definition --name "MySubscriptionDefinition"
The --name argument species the name of the subscription denition.
The output of create-subscription-definition command looks like this:
26
"Id": "17d6cb13-3745-496c-9187-29316b37115e",
"Arn":"arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/
subscriptions/17d6cb13-3745-496c-9187-29316b37115e",
"Name": "<MySubscriptionDefinition>"
}
Now create a version of the subscription denition by adding subscriptions:
aws greengrass create-subscription-definition-version --subscription-definition-id

"<SubscriptionDefinitionId>" --subscriptions '[
{
"Id": "1",
"Source": "<Switch_Thing-arn>",
"Subject": "$aws/things/RobotArm_Thing/shadow/update",
"Target": "GGShadowService"
},
{
"Id": "2",
"Source": "<RobotArm_Thing-arn>",
"Subject": "/topic/state",
"Target": "<uptimeLambda-arn>"
},
{
"Id": "3",
},
{
"Id": "4",
"Source": "GGShadowService",
"Subject": "$aws/things/RobotArm_Thing/shadow/update/delta",
"Target": "<RobotArm_Thing-arn>"
},
{
"Id": "5",
"Source": "<uptimeLambda-arn>",
"Subject": "/topic/metering",
"Target": "cloud"
},
{
"Id": "6",
"Source": "<messageLambda-arn>",
},
{
"Id": "7",
"Source": "cloud",
"Subject": "/topic/update",
"Target": "<messageLambda-arn>"
},
{
"Id": "8",
"Subject": "$aws/things/RobotArm_Thing/shadow/update/accepted",
"Target": "<Switch_Thing-arn>"
},
{
"Id":"9",
"Source":"GGShadowService",
"Subject":"$aws/things/RobotArm_Thing/shadow/update/rejected",
"Target": "<Switch_Thing-arn>"
27
},
{
"Id":"10",
"Subject": "$aws/things/RobotArm_Thing/shadow/update/accepted",
},
{
"Id":"11",
"Subject": "$aws/things/RobotArm_Thing/shadow/update/rejected",
}
]'
Arguments for the create-subscription-definition-version CLI command:
--subscription-definition-id
The subscription denition ID.

--subscriptions
A JSON object that denes the subscription.

Id

Source
The source of the message.

Subject
The MQTT topic used to lter messages.

Target
The recipient of the message.
The output from the create-subscription-definition-version CLI command will look like this:
{
"Arn" : "arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/
subscriptions/17d6cb13-3745-496c-9187-29316b37115e/versions/0ad227b8-3d1d-43f6-
bcc9-446201386e69",
"Id" : "17d6cb13-3745-496c-9187-29316b37115e",
"Version" : "0ad227b8-3d1d-43f6-bcc9-446201386e69",
}
You can view a subscription denition using the get-subscription-definition-version CLI command:
aws greengrass get-subscription-definition-version --subscription-definition-id

"<SubscriptionDefinitionId>"
--subscription-definition-version-id "<SubscriptionDefinitionVersion>"
Arguments for the get-subscription-definition-version CLI command:
--subscription-definition-id
The subscription denition ID.
28
--subscription-definition-version-id
The ID of the subscription denition version.
The output of the get-subscription-definition-version CLI command will look like this:
{
"Definition": {
"Subscriptions": [
{
"Source": "<Switch_Thing-arn>",
"Target": "GGShadowService",
"Id": "1",
"Subject": "$aws/things/RobotArm_Thing/shadow/update"
},
{
"Target": "<RobotArm_Thing-arn>",
"Id": "10",
"Subject": "$aws/things/RobotArm_Thing/shadow/update/accepted"
},
{
"Id": "11",
"Subject": "$aws/things/RobotArm_Thing/shadow/update/rejected"
},
{
"Target": "<uptimeLambda-arn>",
"Id": "2",
"Subject": "/topic/state"
},
{
"Id": "3",
},
{
"Id": "4",
"Subject": "$aws/things/RobotArm_Thing/shadow/update/delta"
},
{
"Source": "<uptimeLambda-arn>",
"Target": "cloud",
"Id": "5",
"Subject": "/topic/metering"
},
{
"Source": "<messageLambda-arn>",
"Id": "6",
},
{
"Source": "cloud",
"Target": "<messageLambda-arn>",
"Id": "7",
"Subject": "/topic/update"
},
{
29
Create a Logger Denition
"Target": "<Switch_Thing-arn>",
"Id": "8",
"Subject": "$aws/things/RobotArm_Thing/shadow/update/accepted"
},
{
"Target": ,
"Id": "9",
"Subject": "$aws/things/RobotArm_Thing/shadow/update/rejected"
}
]
},
"Version": "0ad227b8-3d1d-43f6-bcc9-446201386e69",
"Id": "17d6cb13-3745-496c-9187-29316b37115e",
"Arn": "arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/
subscriptions/17d6cb13-3745-496c-9187-29316b37115e/versions/0ad227b8-3d1d-43f6-
bcc9-446201386e69"
}

A logger list denes where to store the logs generated by the AWS Greengrass core and your Lambda
functions. The logs can be stored on the le system of the AWS Greengrass core hardware or on Amazon
CloudWatch. In this example, set it to be stored on the AWS Greengrass core hardware.
First, create a logging denition:
aws greengrass create-logger-definition --name "MyLoggerDefinition"
The --name argument species a name for the logger denition.
The output from the create-logger-definition CLI command will look like this:
{
"Id": "beab53cc-098c-4ad2-ac7c-45a70fbde559",
"Arn":"arn:aws:greengrass-us-west-2:123451234510:/greengrass/definition/loggers/
beab53cc-098c-4ad2-ac7c-45a70fbde559",
"Name": "<MyLoggerDefinition>"
}
Next, create a logger denition version:
aws greengrass create-logger-definition-version --logger-definition-id

"<LoggerDefinitionId>"
--loggers '[
{
"Id": "<LoggerElementId>",
"Component": "GreengrassSystem",
"Level": "INFO",
"Space": 5120,
"Type": "FileSystem"
},
{
"Id": "<LoggerElementId>",
"Component": "Lambda",
"Level": "DEBUG",
30
"Space": 5120,
"Type": "FileSystem"
}]'
Arguments for the create-logger-definition-version CLI command:
--logger-definition-id
The logger denition ID.

--loggers
A list of JSON objects that dene the loggers.

Id

Component
The logging component. Valid values are GreengrassSystem or Lambda.

Level
The logging level. Valid values are DEBUG, INFO, WARN, ERROR, FATAL.
Space
The maximum space, in KB, to be used by logs for this logger.

Type
The type of logger. Valid values are FileSystem or AWSCloudwatch.
The output from the create-logger-definition-version CLI command will look like this:
{
"Arn" : "arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/logging/
beab53cc-098c-4ad2-ac7c-45a70fbde559/versions/ca679860-e5a1-4872-88f6-99a4ca988fc3",
"Id" : "beab53cc-098c-4ad2-ac7c-45a70fbde559",
"Version" : "ca679860-e5a1-4872-88f6-99a4ca988fc3",
}
Save the output of create-logger-definition-version. You will use the "Arn" eld to add the list to
the group later.
To view the logging list version you just created, run the get-logging-list-version CLI command:
aws greengrass get-logger-definition-version --logger-definition-id "<LoggerDefinitionId>"

--logger-definition-version-id "<LoggerDefinitionVersion>"
Arguments for the create-logger-definition-version CLI command:
--logger-definition-id
The logger denition ID.

--logger-definition-version-id
The ID of the logger denition version.
The output from the get-logger-definition-version CLI command will look like this:
31
Update Your Group
{
"Definition": {
"Loggers": [
{
"Type": "FileSystem",
"Space": 5120,
"Id": "lambda-logs",
"Level": "DEBUG"
},
{
"Space": 5120,
"Id": "system-logs",
"Level": "INFO"
}
]
},
"Version": "ca679860-e5a1-4872-88f6-99a4ca988fc3",
"Id": "beab53cc-098c-4ad2-ac7c-45a70fbde559",
"Arn": "arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/logging/
beab53cc-098c-4ad2-ac7c-45a70fbde559/versions/ca679860-e5a1-4872-88f6-99a4ca988fc3"
}
Update Your Group

Update your AWS Greengrass group with your AWS Greengrass core, device, Lambda functions,
subscription and logging denitions.
aws greengrass create-group-version --group-id "<GroupId>"

--core-definition-version-arn "<CoreDefinitionVersionArn>"
--function-definition-version-arn "<FunctionDefinitionVersionArn>"
--device-definition-version-arn "<DeviceDefinitionVersionArn>"
--logger-definition-version-arn "<LoggerDefinitionArn>"
--subscription-definition-version-arn "<SubscriptionDefinitionArn>"
Arguments for the create-group-version
--group-id
The group ID.

--core-definition-version-arn
The ARN of the AWS Greengrass core denition version.

--function-definition-version-arn
The ARN of the function denition version.

--device-definition-version-arn
The ARN of the device denition version.

--logger-definition-version-arn
The ARN of the logger denition version.

--subscription-definition-version-arn
The ARN of the subscription denition version.
32
Create a Deployment
The output of the create-group-version CLI command will look like this:
{
"Arn" : "arn:aws:greengrass:us-west-2:123451234510:/greengrass/
groups/4462f873-9299-440b-a6d6-94cd9560bc6e/versions/33210262-2b2d-47c1-913c-657fc7d08513",
"Id" : "4462f873-9299-440b-a6d6-94cd9560bc6e",
"Version" : "33210262-2b2d-47c1-913c-657fc7d08513",
}
Create a Deployment
Now that your AWS Greengrass group is created and populated with a core denition, a device denition,
a Lambda function denition, and a subscription denition, you can deploy the group conguration to
your AWS Greengrass core device.
aws greengrass create-deployment --deployment-type NewDeployment --group-id GroupId --

group-version-id GroupVersionId
Arguments for the create-deployment CLI command:
--group-id
The group ID.

--group-version-id
The group version ID of the group you want to deploy. Each group will have a version that
corresponds to dierent group changes you have made.
The output of the create-deployment CLI command will look like this:
{
"DeploymentId": "4db95ef8-9309-4774-95a4-eea580b6ceef",
"DeploymentArn": "arn:aws:greengrass:us-west-2:106511594199:/greengrass/groups/
b744ed45-a7df-4227-860a-8d4492caa412/deployments/4db95ef8-9309-4774-95a4-eea580b6ceef"
}
You can check the status of the deployment with the get-deployment-status CLI command:
aws greengrass get-deployment-status --deployment-id DeploymentId --group-id GroupId
Arguments for the get-deployment-status CLI command:
--deployment-id
The deployment ID.

--group-id
The group ID.
The output of the get-deployment-status CLI command will look like this:
{
"DeploymentStatus": "Success",
"UpdatedAt": "2017-04-04T00:00:00.000Z"
33
Updating the Connectivity Information Service
The DeploymentStatus is set to Building when the deployment is being prepared. When the deployment
is ready but the AWS Greengrass core has not picked up the new deployment, the DeploymentStatus is
InProgress.
Updating the Connectivity Information Service

The Connectivity Information Service (CIS) stores the connectivity information for the AWS Greengrass
core associated with your group. In order for your AWS IoT devices to connect to a AWS Greengrass core,
they need to discover the connectivity information associated with the AWS Greengrass core. Use the
update-connectivity-info CLI command to get the location of the AWS Greengrass core:
aws greengrass update-connectivity-info --thing-name "<CoreThingName>" --connectivity-info

'[
{
"Id": "<ConnectivityInfoElementId>",
"HostAddress": "<CoreEndpoint>",
"PortNumber": <port>,
"Metadata": "<description>"
}]'
--thing-name
The name of your AWS Greengrass core AWS IoT thing (for example, GGC_Thing).
--connectivity-info
Connectivity infomation for the AWS Greengrass core:

Id

HostAddress
The IP address of your AWS Greengrass core.

PortNumber
The port for your AWS Greengrass core (for example, 8883).
Metadata
Custom data. Optional.
The output of the update-connectivity-info CLI command will look like this:
{
"Version": "6ffc9b20-4ce0-427e-9c8c-403459f92d02"
}
Device Conguration
Download the AWS IoT Device SDK for C++ on Github. Inside the folder named samples you will nd the
examples for this scenario.
The code running on our two devices, switch and robot arm, was built using the AWS IoT Device SDK
for C++. The package includes a version of the SDK and the switch and robot arm samples. Follow these
instructions to compile the devices on your AWS Greengrass core:
34
Device Conguration
1. Unzip the AWSSDK le into any folder.

2. Change to the repository folder. Create a folder namedbuildto hold the build les and change to
this folder. In-source builds are not allowed.
3. Run cmake ../. to build the SDK with the CLI.
The command downloads required third-party libraries and generates a makele.

4. Type make robot-arm-sample.
5. Type make switch-sample.
After the device code is compiled, the device binaries are located in the /aws-iot-device-sdk-cpp/
build/bin directory. In order to connect to AWS IoT and retrieve the connectivity information of your
AWS Greengrass core, your devices need certicates to authenticate with AWS IoT. These certicates are
the same certicates you downloaded when you created your device things on AWS IoT.
Copy the certicates you downloaded for your RobotArm_Thing into the /aws-iot-device-sdk-cpp/
build/bin/certs/robotArm/ folder. The certicate and private key are used to authenticate the device
with AWS IoT. Download the AWS IoT CA certicate from VeriSign Class 3 Public Primary G5 root CA
certicate. Rename this le root-ca.pem and place it in the /certs/robotArm/ folder. The root-ca.pem is
used by the device to verify the identity of the AWS IoT service. Copy the certicate and private key you
downloaded for your Switch_Thing into /aws-iot-device-sdk-cpp/build/bin/certs/switch/ folder
along with a copy of root-ca.pem.
Inside the /aws-iot-device-sdk-cpp/build/bin/config/ directory, you will see two les:
RobotArmConfig.json
SwitchConfig.json
Open these les and change the root_ca_relative_path, device_certificate_relative_path, and

device_private_key_relative_path values to the relative paths of the AWS IoT root CA certicate, your
private key, and your thing certicate.
Conguring the Robot Arm Device

Set the following conguration values in /aws-iot-dev-sdk-cpp/build/bin/config/
RobotArmConfig.json:
endpoint
The IP address or domain name of the AWS IoT endpoint:

greengrass.iot.AWS_REGION.amazonaws.com.
root_ca_relative_path
certs/robotArm/root-ca.pem, the root CA certicate for AWS IoT.

device_certificate_relative_path
certs/robotArm/RobotArm_Thing-cert, the device certicate for the RobotArm_Thing.

device_private_key_relative_path
certs/robotArm/RobotArm_Thing-private-key, the private key for the RobotArm_Thing.
If you used a dierent name for the AWS IoT thing that represents the robotic arm, replace client_id
and thing_name with the name you are using. You must also make changes in Lambda functions and
device codes.
35
Running the Scenario
Conguring the Switch Device

Set the following conguration values in /aws-iot-dev-sdk-cpp/build/bin/config/SwitchConfig.json:
endpoint
The IP address or domain name of the AWS IoT endpoint. For the production environment, the
endpoint is greengrass.iot.AWS_REGION.amazonaws.com.
root_ca_certificate_path
certs/switch/root-ca.pem, the root CA certicate for AWS IoT.

device_certificate_relative_path
certs/switch/Switch_Thing-cert, the device certicate for the Switch_Thing.

device_private_key_relative_path
certs/switch/Switch_Thing-private-key, the private key for the Switch_Thing.
If you used a dierent name for the AWS IoT thing that represents the switch, replace client_id and
thing_name with the name you are using. You must also make changes in Lambda functions and device
codes. Now run the devices!
Running the Scenario

Now you are ready to run the AWS Greengrass core software and the code running on the robotic arm
and switch devices.
Run Greengrass
To run the AWS Greengrass core with the storyline conguration, see Run the AWS Greengrass
Core Software (p. 16). When the deployment is complete, you can see your uptimeLambda and
messageLambda functions deployed in the /greegrass/lambda/ folder.
Run the Device Code

To run the robot arm device, change to the /aws-iot-device-sdk-cpp/build/bin directory and run the
command ./robot-arm-sample. This starts the robot arm device. This device publishes its starting state
to the cloud (o) and waits for updates. When its state gets changed, it publishes a message on the /
topic/metering topic. You should be subscribed to this topic so you can monitor changes to it.
To run the switch sample, change to the /aws-iot-device-sdk-cpp/build/bin directory, and then run
the ./switch-sample command. The device prompts you to enter 1 for on, 0 for o, and q for quit. Type
1, and then press Enter. This updates the state of the robot arm to on. Type 0 to turn the state of the
robot arm to o. Type q to quit this program. When you turn the robot arm on and o, you should see
the state change on the robot arm device terminal where the program is running.
The robot arm is congured to sync its local shadow state with the cloud shadow. When its state
changes, the cloud shadow is updated automatically. To check its state, in the AWS IoT console, navigate
to the thing details page for RobotArm_Thing , and then choose the Shadow link.
If the AWS Greengrass core has an active internet connection, go to the AWS IoT console to view
messages that are being published by your Lambda functions. Use the test functionality in the AWS
IoT console to subscribe to the/topic/metering topic. If your AWS Greengrass core has an internet
connection, the state of the robot arm is published to this topic.
To control the robot arm from the cloud, you can publish the following messages to the /topic/update
topic:
36
Tutorial: Deploying a Simple Lambda
Function to AWS Greengrass
To turn the switch on, publish {"state":"on"}.
To turn the switch o, publish {"state":"off"}.
If you receive an error code, you can nd out more details about the nature of the error code by
searching through ResponseCode.hpp. This le can be found in either of the following locations:
On your device: aws-iot-device-sdk-cpp/include/ResponseCode.hpp
On GitHub: ResponseCode.hpp
Tutorial: Deploying a Simple Lambda Function to

AWS Greengrass
This tutorial will help you get started with AWS Greengrass. You'll use the AWS Greengrass console to
create an AWS Greengrass group and an AWS Greengrass core. Then, you'll deploy a Lambda function
that returns data and shows that your group is working as expected. To complete the steps in this
tutorial, you will need a device that meets the following requirements:
Supported platform:
Armv7l
Raspberry Pi 3 Model B - Raspbian Jessie 2017-03-02
X86_64
Amazon EC2 Instance - Amazon Linux - amzn-ami-hvm-2016.09.1.20170119-x86_64-ebs
AARCH64
Annapurna Alpine V2 Platform-on-Chip uATX Development Board with Ubuntu 14.04 Kernel 4.1.3
with the following enabled:
CONFIG_DEVPTS_MULTIPLE_INSTANCES
CONFIG_OF_OVERLAY
CONFIG_OVERLAY_FS
CONFIG_POSIX_MQUEUE
CONFIG_SECCOMP
CONFIG_SECCOMP_FILTER
CONFIG_HAVE_ARCH_SECCOMP_FILTER
This is a special Ubuntu 14.04 built by Annapurna.

Linux kernel version 4.4.11+ with OverlayFS and user namespace enabled.
Glibc library version 2.14
Python version 2.7
SQLite version 3 or later
Minimum 128 MB RAM
Create an AWS Account

If you don't have an AWS account, follow these steps:
1. Open the AWS home page, and choose Create an AWS Account.
2. Follow the online instructions. Part of the sign-up procedure involves receiving a phone call and
entering a PIN using your phone keypad.
37
Sign in to the AWS Greengrass Console
Sign in to the AWS Greengrass Console

1. Sign in to the AWS Management Console.
2. Open the AWS IoT console using the console search.
Create an AWS Greengrass Group and AWS

Greengrass Core
An AWS Greengrass group is a cloud-congured and managed collection of local devices and Lambda
functions that can be programmed to communicate with each other through an AWS Greengrass core
device.
1. From the navigation pane, choose Greengrass.
2. On the AWS Greengrass page, choose Get Started.
38
Create an AWS Greengrass
Group and AWS Greengrass Core
Create a Greengrass Group

In an AWS Greengrass application, devices are placed into AWS Greengrass groups. An AWS Greengrass
group contains information about the devices and how messages are processed in the AWS Greengrass
group. Each AWS Greengrass group requires an AWS Greengrass core that processes messages sent
within the group. An AWS Greengrass core needs a certicate and an AWS IoT policy to access AWS
Greengrass and AWS IoT cloud services. On the Set up your Greengrass group page, choose Use easy
creation.
39
1. Type a name for your group, and then choose Next.
2. Use the default name for your AWS Greengrass core, and then choose Next.
40
3. Choose Create Group and Core.
4. Click the links to download the private key, public key, and certicate for your AWS Greengrass core.
41
5. Choose the CPU architecture your AWS Greengrass core will be running, and then choose Download
Greengrass to download the Greengrass software package. When the download is complete, choose
Finish.
42
Congure and Start Your Greengrass Core Device

This section describes how to congure and start your AWS Greengrass core device for the Raspberry Pi,
Amazon EC2 instance, or Annapurna platforms.
Preparing a Raspberry Pi for Greengrass (p. 43)
Preparing an Amazon EC2 Instance for AWS Greengrass (p. 44)
Preparing an Annapurna aarch64 with Ubuntu 14.04 (p. 45)
Preparing a Raspberry Pi for Greengrass

Follow these steps to prepare your Raspberry Pi for running the AWS Greengrass core software.
To run the AWS Greengrass core software
sudo adduser --system ggc_user

sudo addgroup --system ggc_group
2. Use the following commands to update your Raspberry Pi kernel to 4.9:
43
sudo apt-get install rpi-update

sudo rpi-update
3. Use the following command to install sqlite3:
sudo apt-get install sqlite3
Hardlink/softlink protection
Follow these steps.
1. Set system variables by adding the following two lines to /etc/sysctl.d/98-rpi.conf:
If the le /etc/sysctl.d/98-rpi.conf doesn't exist, follow the instructions in /etc/sysctl.d/

README.sysctl.
sudo reboot
Preparing an Amazon EC2 Instance for AWS Greengrass

Follow these steps to prepare your Amazon EC2 instance for running the AWS Greengrass core software.
Use the following commands to add a user named ggc_user and a group named ggc_group:
sudo useradd -r ggc_user

sudo groupadd -r ggc_group
Hardlink/softlink protection
Follow these instructions.
1. Set system variables by adding the following two lines to /etc/sysctl.d/00-defaults.conf:
44
Copy and Extract the Greengrass
Software Package onto Your Core Device
If the le /etc/sysctl.d/00-defaults.conf doesn't exist, follow the instructions in /etc/sysctl.d/

README.sysctl.
sudo reboot

Follow these steps to prepare your Annapurna aarch64 with Ubuntu 14.04 for running the AWS
1. Use the following commands to add ggc_user and ggc_group:
sudo useradd ggc_user

sudo groupadd ggc_group
2. Use the following commands to install missing dependencies:
apt-get update
apt-get install sqlite3
3. Set up cgroups:

cgroupfs-mount
Copy and Extract the Greengrass Software Package

onto Your Core Device
1. Determine the IP address of the device where you will install the AWS Greengrass core software.
2. The Greengrass software package will be named as follows:
greengrass-platform-version.tar.gz
45
Install Certicates on Your AWS Greengrass Core Device
Use the scp command to copy the Greengrass software package into the home directory of your
AWS Greengrass core device:
scp greengrass-linux-armv7l-1.0.0-release.tar.gz HOST_NAME@IP_ADDRESS:~
Note
Replace the IP_ADDRESS used in this command with the IP address of your AWS Greengrass
core device. In this example, we are using the Greengrass software package for Raspberry Pi
3.
3. On your AWS Greengrass core device, use the following command to expand the package:
sudo tar -zxf greengrass-<os-name>-<platform-type>-<version>.tar.gz -C /
Install Certicates on Your AWS Greengrass Core

Device
1. Download the AWS IoT root CA certicate from Symantec/Verisign.
2. Copy the AWS Greengrass core's private key and certicate and the AWS IoT root CA certicate
into the /greengrass/configuration/certs directory of your AWS Greengrass core device. Use the
following names:
File Description
cloud.pem.crt The AWS Greengrass core certicate

downloaded from the console (for example,
61970a435c-certicate.pem.crt).
cloud.pem.key The private key downloaded from the console

(for example, 61970a435c-private.pem.key).
root-ca.pem The AWS IoT root CA certicate from Symantec.
Note
You can use the scp command to copy the les to your AWS Greengrass core device.
By default, you do not have permission to copy the les directly to /greengrass/
configuration/certs. To work around this, copy the les to your user directory and
then use sudo mv file-name to move the les to the /greengrass/configuration/certs
directory.
Congure Your Greengrass Core

You need to associate your AWS Greengrass core with the AWS IoT thing you created for it. You do that
by using the thing's ARN, the unique identier assigned in the cloud to your AWS Greengrass core device
when you provisioned it.
1. Find the thing ARN for your AWS Greengrass core. In the AWS Greengrass console, from the
navigation page, choose Groups.
46
2. Choose your group to display its detail page.
3. In the navigation pane, choose Cores.
47
4. Choose your AWS Greengrass core to display its detail page.
5. Copy the ARN of your AWS Greengrass core.
48
6. On your AWS Greengrass core device, open the /greengrass/configuration/config.json le. It will
initially look like this:
{
"coreThing": {
"caPath": "<ROOT_CA_PEM_HERE>",
"certPath": "<CLOUD_PEM_CRT_HERE>",
"keyPath": "<CLOUD_PEM_KEY_HERE>",
"thingArn": "<THING_ARN_HERE>",
"iotHost": "<HOST_PREFIX_HERE>.iot.<AWS_REGION_HERE>.amazonaws.com",
"ggHost": "greengrass.iot.<AWS_REGION_HERE>.amazonaws.com",
"keepAlive": 600
},
"runtime": {
"cgroup": {
"useSystemd": "[yes|no]"
}
}
}
Update the le with the following content:
{
"coreThing": {
"caPath": "root-ca.pem",
"certPath": "cloud.pem.crt",
"keyPath": "cloud.pem.key",
"thingArn": arn:aws:iot:us-west-2:049039099382:thing/GGTestGroup42_Core",
"iotHost": "your-AWS-IoT-endpoint,
"ggHost": "greengrass.iot.us-west-2.amazonaws.com",
"keepAlive": 600
},
"runtime": {
"cgroup": {
"useSystemd": "yes"
}
}
49
Start Your AWS Greengrass Core to Connect It to the Cloud
Attribute Description
caPath The path to the AWS IoT root CA certicate.
certPath The path to the AWS Greengrass core

certicate.
keyPath The path to the AWS Greengrass core private

key.
thingArn The ARN of the AWS IoT thing associated with

your AWS Greengrass core.
iotHost Your AWS IoT endpoint. Can be obtained using

the aws iot describe-endpoint CLI command
or in the Settings section of the AWS IoT
console.
ggHost A fully qualied AWS Greengrass host address.

Replace us-west-2 with the AWS region you are
using.
Start Your AWS Greengrass Core to Connect It to the

Cloud
Run the following command from the /greengrass directory to start your core and enable a cloud
connection to AWS IoT.
sudo ./greengrassd start
If the Greengass daemon starts successfully, you should see the following output:
sudo /greengrass/greengrassd start

Setting up greengrass daemon
Validating execution environment
ggc_group:x:119:
Found cgroup subsystem: cpu
Found cgroup subsystem: cpuacct
Found cgroup subsystem: blkio
Found cgroup subsystem: memory
Found cgroup subsystem: devices
Found cgroup subsystem: freezer
Found cgroup subsystem: net_cls
Starting greengrass daemon
PID: 1306
Greengrass daemon started
If you see the following error,
The cgroup subsystem is not mounted: cpuset
run this script to mount enabled cgroups:
50
Create a "Hello World" Lambda Function

cgroupfs-mount
Note
Linux control groups (cgroups) are used to limit the resources that can be accessed by Lambda
functions that run on your AWS Greengrass core device.
You can automatically recongure the Lambda cgroup when you reboot your AWS Greengrass
core device by adding cgroup /sys/fs/cgroup cgroup defaults 0 0 to the /etc/fstab le on
your AWS Greengrass core device.

AWS Greengrass cores can run Lambda functions in response to messages sent by your devices (or other
Lambda functions). You will now create a Lambda function that you will add to your AWS Greengrass
group and then deploy it to your AWS Greengrass core.
1. From the Service drop-down menu, navigate to the AWS Lambda console.
2. In the Lambda console, choose Create a Lambda function.
51
3. In the Filter text box, type Greengrass, and then choose the greengrass-hello-world Lambda
function blueprint.
4. Choose Next.
5. For Name, type HelloWorld. For Runtime, choose Python 2.7.
6. Scroll down until you see Lambda function handler and role. For Role, select Choose an existing
role. For Existing role, select any role. If you don't have a role, select Create a new role from
template(s), and then choose any template from the Policy templates drop-down list. Choose Next.
52
7. On the Review page, choose Create function.
53
Add the Lambda Function to Your Group Denition
8. Now you need to publish a new version of the Hello World Lambda function. From the Actions
menu, choose Publish new version.
9. In Version description, type Test, and then choose Publish.

Next, you are going to add the Hello World Lambda function to your group denition. After is is
deployed locally, that function sends data back to the AWS IoT platform and shows you have a deployed
a functioning core.
1. In the AWS IoT console, choose Greengrass, and then choose Groups.
2. Select the tile for your group.
3. In the navigation pane, choose Lambdas, and then choose Add your rst Lambda.
54
4. Choose Use existing Lambda.
5. Select the Hello World Lambda function you created eariler, and then choose Next.
55
Congure the HelloWorld Lambda Function
6. Select the version of the Hello World Lambda function to use, and then choose Finish.
Congure the HelloWorld Lambda Function

Congure the HelloWorld to be a long-running Lambda function.
1. In the AWS Greengrass console, choose Lambdas, and then choose the HelloWorld Lambda
function.
56
Add a Subscription to Your Group Denition
2. In the upper-right corner of the Lambda tile, choose the ellipsis, and then choose Edit
Conguration.
3. Under Lambda lifecycle, select Make this function long-lived and keep it running indenitely, and
then choose Update.

AWS Greengrass cores can pass messages between devices, Lambda functions, and AWS using the MQTT
protocol. An AWS Greengrass group controls how these components interact using subscriptions that
enable more security and predictable interactions. A subscription consists of a source, target, and topic.
The source is the originator of the message. The target is the destination of the message. The topic
allows you to lter the data that is sent from the source to the target.
1. In the AWS Greengrass console, nd your group, and then select it.
2. On the group details page, choose Subscriptions.
3. Choose Add your rst Subscription.
57
4. Under Select a source, choose your HelloWorld Lambda function.
58
5. Under Select a target, choose IoT Cloud.
59
6. Choose Next.
7. A topic lter can be used to control which data is made available for the target. By default,
subscriptions use a wildcard topic ("#") and will pass all information from the source to the target.
60
Deploy Your Group
You will now add hello/world as the topic lter for this subscription. In Optional topic lter, type
hello/world, and then choose Next.
8. Choose Finish to conrm and save your subscription.
Deploy Your Group

You have created a group and a core denition, but this information exists only in the cloud. Deploying a
group takes this conguration information and copies it onto your AWS Greengrass core device.
61
Deploy Your Group
1. In the AWS Greengrass console, choose Groups, choose your group, and then choose Deployments.
2. From the Actions menu, choose Deploy.
3. On the Congure how Devices discover your Core page, choose Automatic detection.
4. On the Grant permission to access other services page, choose Grant permission.
62
Verify the Lambda Function Is Running on Your Core Device
Your deployment might take a couple of minutes. You will know the deployment was successful when a
Deployment successfully completed message is displayed in the group details page:
Verify the Lambda Function Is Running on Your Core

Device
In the AWS IoT console, choose Test.
63
In Subscription topic, type hello/world, and then choose Subscribe to topic to subscribe to the hello/
world topic.
If the hello world Lambda function is running on your AWS Greengrass core device, it publishes
messages to the hello/world topic and is displayed in the AWS IoT console:
64
65
Request
Greengrass Discovery RESTful API
All devices that communicate with an AWS Greengrass core must be a member of a Greengrass
group. Each group must have an AWS Greengrass core. The Discovery API enables devices to retrieve
information required to connect to an AWS Greengrass core that is in the same Greengrass group as the
device. When a device rst comes online, it can connect to the AWS Greengrass cloud service and use the
Discovery API to nd:
The group to which it belongs.

The IP address and port for the AWS Greengrass core in the group.
The group's root CA certicate, which can be used to authenticate the AWS Greengrass core device.
To use this API, send HTTP requests to the following URI:
https://your-aws-endpoint/greengrass/discover/thing/thing-name
The endpoint is specic to your AWS account. To retrieve your endpoint, use theaws iot describe-
endpoint CLI command:
$ aws iot describe-endpoint

{
"endpointAddress": "a1b2c3d4e5f6g7.iot.us-west-2.amazonaws.com"
}
Use port 8443 when connecting. For a list of region-specic endpoints, see AWS IoT Regions and
Endpoints in the AWS General Reference. This is a data plane only API. The endpoints used for working
with rules, certicates, and policies do not support the Discovery API.
Request
The request contains the standard HTTP headers and is sent to the following URI:
HTTP GET https://your-aws-endpoint/greengrass/discover/thing/thingName
66
Response
Response
Response
Upon success, the response includes the standard HTTP headers plus the following code and body:
HTTP 200
BODY: response document
For more information see, Example Discover Response Documents (p. 67).
Authorization
Retrieving the connectivity information requires a policy that allows the caller to perform
thegreengrass:Discoveraction. TLS mutual authentication with a client certicate is the only accepted
form of authentication. The following is an example policy that allows a caller to perform this action:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "greengrass:Discover",
"Resource": ["arn:aws:iot:aws-region:aws-account:thing/thing-name"]
}]
}
Example Discover Response Documents

The following document shows the response for a device that is a member of a group with one AWS
Greengrass core, one endpoint, and one group CA:
{
"GGGroups": [
{
"GGGroupId": "gg-group-01-id",
"Cores": [
{
"thingArn": "core-01-thing-arn",
"Connectivity": [
{
"id": "core-01-connection-id",
"hostAddress": "core-01-address",
"portNumber": core-01-port,
"metadata": "core-01-description"
}
]
}
],
"CAs": [
"-----BEGIN CERTIFICATE-----cert-contents-----END CERTIFICATE-----"
]
}
]
}
67
Example Discover Response Documents
The following document shows the response for a device that is a member of two groups with one AWS
Greengrass core, multiple endpoints, and multiple group CAs:
{
"GGGroups": [
{
"Cores": [
{
"thingArn": "core-01-thing-arn",
"Connectivity": [
{
"metadata": "core-01-connection-1-description"
},
{
"id": "core-01-connection-id-2",
"hostAddress": "core-01-address-2",
"portNumber": core-01-port-2,
}
]
}
],
"CAs": [
"-----BEGIN CERTIFICATE-----cert-contents-----END CERTIFICATE-----",
]
},
{
"Cores": [
{
"thingArn":"core-02-thing-arn",
"Connectivity" : [
{
}
],
"CAs": [
]
}
]
}
}
Note
An AWS Greengrass group must dene exactly one AWS Greengrass core. Any response from the
AWS Greengrass cloud service that contains a list of AWS Greengrass cores only contains one
AWS Greengrass core.
68
AWS Greengrass Security
AWS Greengrass uses X.509 certicates, managed subscriptions, AWS IoT policies, and IAM policies and
roles to ensure your Greengrass applications are secure. AWS Greengrass core devices require an AWS IoT
thing, a device certicate, and an AWS IoT policy to communicate with the Greengrass cloud service.
This allows AWS Greengrass core devices to securely connect to the AWS IoT cloud services. It also allows
the Greengrass cloud service to deploy conguration information, Lambda functions, and managed
subscriptions to AWS Greengrass core devices.
AWS IoT devices require an AWS IoT thing, a device certicate, and an AWS IoT policy to connect to the
Greengrass service. This allows AWS IoT devices to use the Greengrass Discovery Service to nd and
connect to an AWS Greengrass core device. AWS IoT devices use the same device certicate used to
connect to AWS IoT device gateway and AWS Greengrass core devices. The following diagram shows the
components of the AWS Greengrass security model:
69
Conguring Greengrass Security
A - Greengrass service role
A customer-created IAM role that allows AWS Greengrass access to your AWS IoT and Lambda
resources.
B - Core device certicate
An X.509 certicate used to authenticate an AWS Greengrass core.

C - Device certicate
An X.509 certicate used to authenticate an AWS IoT device.

D - Group role
A role assumed by AWS Greengrass when calling into the cloud from a Lambda function on an AWS
Greengrass core.
E - Group CA
A root CA certicate used by AWS Greengrass devices to validate the certicate presented by an AWS
Greengrass core device during TLS mutual authentication.
Conguring Greengrass Security

To congure your Greengrass application's security:
1. Create an AWS IoT thing for your AWS Greengrass core device.
2. Generate a key pair and device certicate for your AWS Greengrass core device.
3. Create and attach an AWS IoT policy to the device certicate. The certicate and policy allow the
AWS Greengrass core device access to AWS IoT and Greengrass cloud services.
4. Create a Greengrass service role. This IAM role grants AWS Greengrass access to your Greengrass and
AWS IoT resources. You only need to create a service role once per AWS account.
5. (Optional) Create a Greengrass group role. This role grants permission to Lambda functions running
on an AWS Greengrass core to call other AWS services (in the cloud). You need to do this for each
Greengrass group you create.
6. Create an AWS IoT thing for each device that will connect to your AWS Greengrass core.
7. Create device certicates, key pairs, and AWS IoT policies for each device that will connect to your
AWS Greengrass core.
Note
You can also use existing AWS IoT things and certicates.
Device Connection Workow

This section describes how devices connect to the AWS Greengrass cloud service and AWS Greengrass
core devices.
An AWS Greengrass core device uses its device certicate, private key, and the AWS IoT root CA
certicate to connect to the Greengrass cloud service .
The AWS Greengrass core device downloads group membership information from the Greengrass
service.
When a deployment is made to the AWS Greengrass core device, the Device Certicate Manager (DCM)
handles certicate management for the AWS Greengrass core device.
70
Greengrass Messaging Workow
An AWS IoT device connects to the Greengrass cloud service using its device certicate, private key,
and the AWS IoT root CA. After making the connection, the AWS IoT device uses the Greengrass
Discovery Service to nd the IP address of its AWS Greengrass core device. The device can also
download the group's root CA certicate, which can be used to authenticate the Greengrass core
device.
An AWS IoT device attempts to connect to the AWS Greengrass core, passing its device certicate
and client ID. If the client ID matches the thing name of the device and the certicate is valid, the
connection is made. Otherwise, the connection is terminated.
Greengrass Messaging Workow

A subscription table is used to dene how messages are exchanged within a Greengrass group (between
AWS Greengrass core devices, AWS IoT devices, and Lambda functions). Each entry in the subscription
table species a source, a destination, and an MQTT topic over which messages are sent/received.
Messages can be exchanged only if an entry exists in the subscription table specifying the source
(message sender), the target (message recipient), and the MQTT topic. Subscription table entries specify
passing messages in one direction, from the source to the target. If you want two-way message passing,
create two subscription table entries, one for each direction.
MQTT Core Server Certicate Rotation

The MQTT core server certicate expires, by default, in 7 days. You can set the expiration to any value
between 7 and 30 days. When the MQTT core server certicate expires, any attempt to validate the
certicate fails. The device must be able to detect the failure and terminate the connection. Existing
connections are not aected. When the certicate expires, the AWS Greengrass core device attempts to
connect to the Greengrass cloud service to obtain a new certicate. If the connection is successful, the
AWS Greengrass core device downloads a new MQTT core server certicate and restarts the local MQTT
service. At this point, all AWS IoT devices connected to the core are disconnected.
If there is no internet connection when the AWS Greengrass core attempts to get a new MQTT
core server certicate, AWS IoT devices are unable to connect to the AWS Greengrass core until the
connection to the Greengrass cloud service is restored and a new MQTT core server certicate can be
downloaded.
When AWS IoT devices are disconnected from a core, they have to wait a short period of time and then
attempt to reconnect to the AWS Greengrass core device.
71
Conguring Greengrass Logging
Monitoring with AWS Greengrass

Logs
AWS Greengrass consists of the cloud service and the AWS Greengrass core software. The AWS
Greengrass core software can write logs to CloudWatch Logs or to the local le system of your AWS
Greengrass core device. If the logging component is congured to log events to the local le system, the
log les are stored under /greengrass/var/log with the following directory structure:
/greengrass/var
- log
- system
- log files for each Greengrass system components
- user
- log files generated by each Lambda function
Currently, for le system logging, we support size-based rotation and automatic cleanup when the
amount of log data is close to the congured limit.
Conguring Greengrass Logging

The logging component can be congured through the Greengrass logging list APIs with a payload
similar to the following:
{
"loggingModelList": [
{
"Type": "log-storage-type",
"Component": component-type,
"Level": logging-level,
"Space": max-storage
},
{
"Type": ... ,
"Level": ... ,
...
}
]
}
72
Required IAM Permissions
Type
AWSCloudWatch and FileSystem. This eld species which storage mechanism is used for log events.
When AWSCloudWatch is used, log events are sent to CloudWatch with a limited number of retries
in case there's no internet connectivity. After the retries are exhausted, the event is dropped. When
FileSystem is used, log events are stored on the local le system.
Component
Supported values are GreengrassSystem and Lambda. When GreengrassSystem is used, log events
from Greengrass system components are ltered based on the log level threshold and stored to the
designated location. Depends on the Type. When Lambda is used, log events from a user's Lambda
functions are ltered based on the log level and stored to the designated location. Again, depends
on the Type.
Level
Log events below this threshold are ltered out and aren't stored.
Space
The maximum amount of local storage, in KB, to use for storing logs. This eld applies only when
Type is set to FileSystem.
If logging is not congured, before the rst deployment, the AWS Greengrass core software does not
contain any logging conguration information. It uses the following settings:
[
{
"Level": "INFO",
"Space": 128
}
]
After the rst deployment, if you explicitly congure the Greengrass software to emit no logs, none will
be emitted. If you don't congure logging, the following settings are used by default:
[
{
"Level": "INFO",
"Space": 128
},
{
"Level": "INFO",
"Space": 128
}
]
Required IAM Permissions

To enable logging to CloudWatch, the following CloudWatch Logs actions must be present in the AWS
Greengrass group role:
73
Logging Output
logs:PutLogEvents
logs:CreateLogGroup
logs:CreateLogStream
logs:DescribeLogStreams
Logging Output
If the logging component is congured to write logs to CloudWatch, the following log groups are
displayed:
/aws/greengrass/GreengrassSystem/GreengrassSystemComponentName
/aws/greengrass/Lambda/aws-region/accountId/lambda-function-name
Under each log group, you see log streams with the following structure:
date/accountId/greengrass-group-id/name-of-core-that-generated-log
The AWS Greengrass core logs look the same whether they are written to local storage or to CloudWatch
Logs. The format for AWS Greengrass system logs is:
[<timestamp>][<Log level>]-<error message>
The format for Lambda logs is:
[<timestamp>][<Log level>]-<error message>
AWS Greengrass Logging Limitations

Transactions per Second
When logging to CloudWatch is enabled, the logging component batches log events locally before
sending them to CloudWatch, so you can log at a rate higher than ve requests per second per log
stream.
Memory
If AWS Greengrass is congured to send logs to CloudWatch and a Lambda function logs more than
5 MB/second for a prolonged period of time, the internal processing pipeline eventually lls up. The
theoretical worst case is 6 MB per Lambda function.
Clock Skew
When logging to CloudWatch is enabled, the logging component signs requests to CloudWatch using the
normal Signature Version 4 process. If the system time on the AWS Greengrass core device is out of sync
by more than 15 minutes, then the requests are rejected.
Disk Usage
Use the following formula to calculate the total maximum amount of disk usage for logging.
74
Log Loss
greengrass-storage * 7 // 6 if IP Detector is not used

+ 128KB // localwatch
internal log
+ lambda-storage * lambda-count // different versions of a lambda are
treated as one.
Where:
greengrass-storage
The maximum amount of local storage for AWS Greengrass logs.

lambda-storage
The maximum amount of local storage for Lambda logs.

lambda-count
The number of deployed Lambda functions.
Log Loss
If your AWS Greengrass core device is congured to log only to CloudWatch and there's no internet
connectivity, you have no way to retrieve the logs currently in the memory.
When Lambda functions are terminated (for example, during deployment), a few seconds worth of logs
are not written to CloudWatch.
75
Troubleshooting AWS Greengrass

Applications
Common Issues
Symptom Solution
You see 403 Forbidden error on deployment in the Make sure the AWS Greengrass core's policy in the
logs. cloud includes "greengrass:*" as an allowed action.
Device's shadow does not sync with the cloud. Check that the AWS Greengrass core has
permissions for "iot:UpdateThingShadow" and
"iot:GetThingShadow" actions.
The AWS Greengrass core software does not run Run rpi-update to update. Raspbian has released
on Raspberry Pi because user namespace is not a new kernel 4.9 that has user namespace
enabled. enabled.
A ConcurrentDeployment error occurs when you A deployment might be in progress. You can run
run create-deployment for the rst time. get-deployment-history to see if a deployment
was created. If not, try creating the deployment
again.
The AWS Greengrass core software does not start Check that you are using the binaries
successfully. appropriate for your architecture.
Check that your AWS Greengrass core device
has local storage available.
For more information, see Troubleshooting with

Logs (p. 77).
The greengrassd script displays: unable The le descriptor limit for the AWS Greengrass
to accept TCP connection. accept tcp core software has reached the threshold and must
[::]:8000: accept4: too many open files. be increased.
Use the following command:
ulimit -n 2048
and restart the AWS Greengrass core software.
76
Troubleshooting with Logs
Symptom Solution
Note
In this example, the limit is increased to
2048. Choose a value appropriate for
your use case.
Troubleshooting with Logs

If logs are congured to be stored on the local le system, start looking in the following locations:
GREENGRASS_ROOT/crash.log
Shows messages generated when an AWS Greengrass core crashes.

GREENGRASS_ROOT/var/log/system/runtime.log
Shows messages about which component failed.

GREENGRASS_ROOT/var/log/system/
This folder contains all the logs from the AWS Greengrass system Lambda functions. Using the
messages in var/log/system/ and var/log/system/runtime.log, you should be able to nd out
which error occured in AWS Greengrass system Lambda functions.
Note
By default, GREENGRASS_ROOT is the /greengrass directory.
If the logs are congured to be stored on the cloud, use CloudWatch Logs to view log messages. The
crash log is still found on the AWS Greengrass core device.
If connection errors occur when system Lambda function attempt to connect to AWS IoT, look in the
AWS IoT logs in CloudWatch for more information.
Note
AWS IoT must be congured to write logs to CloudWatch.
Troubleshooting Storage Issues

When the local le storage is full, some components might start failing:
Local shadow updates do not happen.

New AWS Greengrass core MQTT server certicates cannot be downloaded locally.
Deployments fail.
You should always be aware of the amount of free space available locally. This can be calculated based
on the sizes of deployed Lambda functions, the logging conguration (see Troubleshooting with
Logs (p. 77)), and the number of shadows stored locally.
Troubleshooting Messsages
All messages sent within AWS Greengrass are sent with QoS 0. If an AWS Greengrass core is restarted,
messages that have not been processed yet are lost. For this reason, restart the AWS Greengrass core
when the service disruption is the lowest. The AWS Greengrass core is restarted by a deployment, too.
77

GG DG

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

GG DG

Загружено:

Авторское право:

Доступные форматы

AWS Greengrass

AWS Greengrass: Developer Guide

Device Connection Workow ..................................................................................................... 70

What Is AWS Greengrass?

The following diagram shows the basic architecture of AWS Greengrass.

AWS Greengrass protects user data:

Through the secure authentication and authorization of devices.

AWS Greengrass provides secure, over-the-air software updates of Lambda functions.

AWS Greengrass consists of:

Greengrass Core Software

The AWS Greengrass core software consists of:

AWS Greengrass Groups

In the preceding diagram:

A: AWS Greengrass group denition

A collection of information about the AWS Greengrass group.

A collection of subscriptions to be deployed to the AWS Greengrass group that contains:

Devices in AWS Greengrass

AWS Greengrass cores.

Getting Started with AWS

This is a special Ubuntu 14.04 built by Annapurna.

Glibc library version 2.14

Setting Up Your Hardware

Preparing a Raspberry Pi for Greengrass

To run the AWS Greengrass core software:

sudo adduser --system ggc_user

2. Use the following commands to update your Raspberry Pi kernel to 4.9:

sudo apt-get install rpi-update

3. Use the following command to install sqlite3:

sudo apt-get install sqlite3

To use the AWS IoT Device SDK

1. Use the following command to install cmake:

sudo apt-get install cmake

2. Install OpenSSL 1.0.2 developer version.

1. Add the following text at the end of /etc/apt/sources.list.d/raspi.list:

deb http://ftp.debian.org/debian jessie-backports main

sudo apt-get update

sudo apt-get -t jessie-backports install libssl-dev

1. Set system variables by adding the following two lines to /etc/sysctl.d/98-rpi.conf:

If the le /etc/sysctl.d/98-rpi.conf doesn't exist, follow the instructions in /etc/sysctl.d/

3. Validate the change by running:

sudo sysctl -a | grep fs

Preparing an Amazon EC2 Instance for AWS

To run the AWS Greengrass core software:

sudo useradd -r ggc_user

To use the AWS IoT Device SDK for C++:

1. Use the following commands to install cmake:

sudo yum groupinstall "Development Tools"

2. Use the following commands to install OpenSSL 1.0.2:

1. Set system variables by adding the following two lines to /etc/sysctl.d/00-defaults.conf:

If the le /etc/sysctl.d/00-defaults.conf doesn't exist, follow the instructions in /etc/sysctl.d/

3. Validate the change by running:

sudo sysctl -a | grep fs

Preparing an Annapurna aarch64 with Ubuntu 14.04

To run the AWS Greengrass core software:

sudo useradd ggc_user

2. Use the following commands to install missing dependencies:

apt-get install sqlite3

# used script from: https://raw.githubusercontent.com/tianon/cgroupfs-mount/master/

To use the AWS IoT Device SDK for C++:

1. Use the following commands to install cmake:

apt-get install git

sudo apt-get install make

1. Add the following back ports into /etc/apt/sources.list: