Академический Документы
Профессиональный Документы
Культура Документы
Developer Guide
AWS Greengrass Developer Guide
Table of Contents
What Is AWS Greengrass? .................................................................................................................... 1
Greengrass Core Software ........................................................................................................... 2
AWS Greengrass Groups .............................................................................................................. 2
Devices in AWS Greengrass ......................................................................................................... 4
SDKs ......................................................................................................................................... 5
Getting Started with AWS Greengrass ................................................................................................... 7
Requirements ............................................................................................................................ 7
Setting Up Your Hardware .......................................................................................................... 8
Preparing a Raspberry Pi for Greengrass ............................................................................... 8
Preparing an Amazon EC2 Instance for AWS Greengrass .......................................................... 9
Preparing an Annapurna aarch64 with Ubuntu 14.04 ............................................................ 10
Setting Up an AWS Greengrass Core Device ................................................................................. 12
Download the AWS Greengrass Core Software ..................................................................... 12
Create an AWS Greengrass Group ....................................................................................... 13
Create an AWS Greengrass Core Device in the Cloud ............................................................. 13
Provisioning an AWS Greengrass Core ................................................................................. 14
Get Connected to AWS ..................................................................................................... 14
Add an AWS IoT Device to Your AWS Greengrass Group ................................................................ 16
AWS Greengrass Example Scenario: Robot Arm ............................................................................ 17
Create AWS IoT Things ..................................................................................................... 17
Create an AWS Greengrass Group ....................................................................................... 17
Create a Core Denition .................................................................................................... 18
Create a Device Denition ................................................................................................. 20
Modify the Policy for GGC_Thing, Switch_Thing, and RobotArm_Thing .................................... 22
Create a Lambda Function Denition .................................................................................. 23
Create a Subscription Denition ......................................................................................... 26
Create a Logger Denition ................................................................................................. 30
Update Your Group .......................................................................................................... 32
Create a Deployment ........................................................................................................ 33
Updating the Connectivity Information Service .................................................................... 34
Device Conguration ......................................................................................................... 34
Running the Scenario ........................................................................................................ 36
Tutorial: Deploying a Simple Lambda Function to AWS Greengrass ................................................. 37
Create an AWS Account ..................................................................................................... 37
Sign in to the AWS Greengrass Console .............................................................................. 38
Create an AWS Greengrass Group and AWS Greengrass Core .................................................. 38
Congure and Start Your Greengrass Core Device ................................................................ 43
Copy and Extract the Greengrass Software Package onto Your Core Device .............................. 45
Install Certicates on Your AWS Greengrass Core Device ........................................................ 46
Congure Your Greengrass Core ......................................................................................... 46
Start Your AWS Greengrass Core to Connect It to the Cloud ................................................... 50
Create a "Hello World" Lambda Function ............................................................................. 51
Add the Lambda Function to Your Group Denition .............................................................. 54
Congure the HelloWorld Lambda Function ......................................................................... 56
Add a Subscription to Your Group Denition ........................................................................ 57
Deploy Your Group ........................................................................................................... 61
Verify the Lambda Function Is Running on Your Core Device .................................................. 63
Greengrass Discovery RESTful API ...................................................................................................... 66
Request ................................................................................................................................... 66
Response ................................................................................................................................. 67
Authorization ........................................................................................................................... 67
Example Discover Response Documents ...................................................................................... 67
AWS Greengrass Security ................................................................................................................... 69
Conguring Greengrass Security ................................................................................................. 70
iii
AWS Greengrass Developer Guide
iv
AWS Greengrass Developer Guide
AWS Greengrass makes it possible for customers to use Lambda functions to build IoT devices and
application logic. Specically, AWS Greengrass provides cloud-based management of applications that
can be deployed for local execution. Locally deployed Lambda functions are triggered by local events,
messages from the cloud, or other sources.
In AWS Greengrass, devices securely communicate on a local network and exchange messages with
each other without having to connect to the cloud. AWS Greengrass provides a local pub/sub message
manager that can intelligently buer messages if connectivity is lost so that inbound and outbound
messages to the cloud are preserved.
1
AWS Greengrass Developer Guide
Greengrass Core Software
Device security credentials function within a group until they are revoked, even if connectivity to the
cloud is disrupted, so that the devices can continue to securely communicate locally.
Software distributions
AWS Greengrass core software
AWS Greengrass core SDK
Cloud service
AWS Greengrass API
Features
Lambda runtime
Thing shadows implementation
Message manager
Group management
Discovery service
Allows deployment and execution of local applications created using Lambda functions and managed
through the deployment API.
Enables local messaging between devices over a secure network using a managed subscription scheme
through the MQTT protocol.
Ensures secure connections between devices and the cloud using device authentication and
authorization.
Provides secure, over-the-air software updates of user-dened Lambda functions.
A message manager that routes messages between devices, Lambda functions, and AWS IoT.
A Lambda runtime that runs user-dened Lambda functions.
An implementation of the Thing Shadows service that provides a local copy of thing shadows, which
represent your devices. Thing shadows can be congured to sync with the cloud.
A deployment agent that is notied of new or updated AWS Greengrass group conguration. When
new or updated conguration is detected, the deployment agent downloads the conguration data
and restarts the AWS Greengrass core.
AWS Greengrass core instances are congured through AWS Greengrass APIs that create and update
AWS Greengrass group denitions stored in the cloud.
2
AWS Greengrass Developer Guide
AWS Greengrass Groups
These include:
AWS Greengrass group role.
Log conguration.
Certication authority and local connection conguration.
AWS Greengrass core connectivity information.
C: AWS Greengrass core
The AWS IoT thing that represents the AWS Greengrass core.
D: Lambda function denition
A list of Lambda functions to be deployed to the AWS Greengrass core of the group.
E: Subscription denition
A list containing an AWS Greengrass core and AWS IoT things that are members of the AWS
Greengrass group and associated conguration data. This data species which devices are AWS
Greengrass cores and which devices should sync thing shadow data with AWS IoT.
3
AWS Greengrass Developer Guide
Devices in AWS Greengrass
When deployed, the AWS Greengrass group denition, Lambda functions, and subscription table are
copied to an AWS Greengrass core device.
An AWS Greengrass core is an AWS IoT device that runs specialized AWS Greengrass software that
communicates directly with the AWS IoT and AWS Greengrass cloud services. It is an AWS IoT device with
its own certicate used for authenticating with AWS IoT. It has a device shadow and exists in the AWS
IoT device registry. AWS Greengrass cores run a local Lambda runtime, a deployment agent, and an IP
address tracker that sends IP address information to the AWS Greengrass cloud service to allow AWS IoT
devices to automatically discover their group and core connection information.
Any AWS IoT device can connect to an AWS Greengrass core. An AWS Greengrass core runs software
written with the AWS IoT Device SDK.
The following table shows how these device types are related.
4
AWS Greengrass Developer Guide
SDKs
SDKs
The following SDKs are used when working with AWS Greengrass:
AWS SDKs
Using the AWS SDKs, you can build applications that work with any AWS service, including Amazon
S3, Amazon DynamoDB, AWS IoT, AWS Greengrass, and more. In the context of AWS Greengrass, you
can use the AWS SDK inside deployed Lambda functions to make direct calls to any AWS service.
AWS IoT Device SDKs
The AWS IoT Device SDKs helps you connect your device to AWS IoT or AWS Greengrass services.
Devices must know to which AWS Greengrass group they belong and the IP address of the AWS
Greengrass core to which they should connect.
Although you can use any of the AWS IoT Device SDKs to connect to an AWS Greengrass core, only
the C++ and Python Device SDKs provide AWS Greengrass-specic functionality, such as access
to the AWS Greengrass Discovery Service and AWS Greengrass core root CA downloads. For more
information, see AWS IoT Device SDK.
AWS Greengrass Core SDK
The AWS Greengrass Core SDK enables Lambda functions to interact with the AWS Greengrass core
on which they run in order to publish messages, interact with the local Thing Shadows service, or
invoke other deployed Lambda functions. This SDK is used exclusively for writing Lambda functions
running in the Lambda runtime on an AWS Greengrass core. Lambda functions running on an
AWS Greengrass core can interact with AWS cloud services directly using the AWS SDK. The AWS
Greengrass Core SDK and the AWS SDK are contained in dierent packages, so you can use both
packages simultaneously. You can download the AWS Greengrass Core SDK from the Software
section of the AWS IoT console.
The AWS Greengrass Core SDK follows the AWS SDK programming model. It allows you to easily
port Lambda functions developed for the cloud to Lambda functions that run on an AWS Greengrass
core. For example, using the AWS SDK, the following Lambda function publishes a message to the
topic "/some/topic" in the cloud:
import boto3
client = boto3.client('iot-data')
response = client.publish(
topic = "/some/topic",
qos = 0,
payload = "Some payload".encode()
)
To port this Lambda function for execution on an AWS Greengrass core, replace the import boto3
statement with the import greengrasssdk, as shown in the following snippet:
import greengrasssdk
client = greengrasssdk.client('iot-data')
response = client.publish(
topic='/some/topic',
qos=0,
payload='some payload'.encode()
)
This allows you to test your Lambda functions in the cloud and migrate them to AWS Greengrass
with minimal eort.
5
AWS Greengrass Developer Guide
SDKs
Note
The AWS Greengrass Core SDK only supports sending MQTT messages with QoS = 0. The
AWS SDK is natively part of the environment when executing a Lambda function in the AWS
cloud. If you want to use boto3 in a Lambda function deployed on an AWS Greengrass core,
make sure to include the AWS SDK in your package. In addition, if you choose to use both
the AWS Greengrass Core SDK and the AWS SDK simultaneously in the same package, your
Lambda functions must use the correct namespace. For more information about how to
create your deployment package, see the AWS Lambda documentation.
6
AWS Greengrass Developer Guide
Requirements
This section describes how to install and congure AWS Greengrass. When working with AWS
Greengrass, you create an AWS Greengrass group and add a AWS Greengrass core. Setting up an AWS
Greengrass core device includes preparing the hardware, and then downloading and installing the AWS
Greengrass core software. After your AWS Greengrass core is congured, you can add AWS IoT devices
to your group. This section describes how to do each of these steps. It also provides an example scenario
that shows how all of the AWS Greengrass parts work together.
Requirements
These are the requirements for running an AWS Greengrass core:
Supported platforms:
Armv7l
Raspberry Pi 3 Model B - Raspbian Jessie 2017-03-02
X86_64
Amazon EC2 Instance - Amazon Linux - amzn-ami-hvm-2016.09.1.20170119-x86_64-ebs
AARCH64
Annapurna Alpine V2 Platform-on-Chip uATX Development Board with Ubuntu 14.04 Kernel 4.1.3
with the following enabled:
CONFIG_DEVPTS_MULTIPLE_INSTANCES
CONFIG_OF_OVERLAY
CONFIG_OVERLAY_FS
CONFIG_POSIX_MQUEUE
CONFIG_SECCOMP
CONFIG_SECCOMP_FILTER
CONFIG_HAVE_ARCH_SECCOMP_FILTER
7
AWS Greengrass Developer Guide
Setting Up Your Hardware
1. Use the following commands to add a user named ggc_user and a group named ggc_group:
2. Run the following command to update the package list for apt-get:
Note
If you get a NO_PUBKEY error, follow these instructions on the CCM website, and then
rerun the sudo apt-get update command.
3. Use the following command to install OpenSSL:
8
AWS Greengrass Developer Guide
Preparing an Amazon EC2 Instance for AWS Greengrass
Hardlink/Softlink Protection
The AWS Greengrass core software checks if hardlink/softlink protection is activated on the operating
system at startup. We recommend that you activate this protection to improve security on your device.
Follow these instructions.
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
sudo reboot
If the system variables were set successfully, the following text is displayed:
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
Use the following commands to add a user named ggc_user and a group named ggc_group:
9
AWS Greengrass Developer Guide
Preparing an Annapurna aarch64 with Ubuntu 14.04
make
sudo make install
wget https://www.openssl.org/source/openssl-1.0.2k.tar.gz
tar -xvzf openssl-1.0.2k.tar.gz
cd openssl-1.0.2k
./config --prefix=/usr/
make
sudo make install
Hardlink/Softlink Protection
The AWS Greengrass core software checks if hardlink/softlink protection is activated on the operating
system at startup. We recommend that you activate this protection to improve security on your device.
Follow these instructions:
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
sudo reboot
If the system variables were set successfully, the following text is displayed:
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
1. Use the following commands to add a user named ggc_user and a group named ggc_group:
apt-get update
10
AWS Greengrass Developer Guide
Preparing an Annapurna aarch64 with Ubuntu 14.04
3. Set up cgroups:
wget https://cmake.org/files/v3.8/cmake-3.8.0.tar.gz
tar -zxf cmake-3.8.0.tar.gz
cd cmake-3.8.0
./configure
make
sudo make install
cmake is required for using the AWS IoT C++ Device SDK.
2. Use the following command to install Git:
Git is required for using the AWS IoT C++ Device SDK.
3. Use the following commands to install OpenSSL 1.0.2+:
The last command displays the version of OpenSSL that was installed. It should read 1.0.2.
4. Install libssl-dev.
11
AWS Greengrass Developer Guide
Setting Up an AWS Greengrass Core Device
linux-armv7l
linux-x86-64
linux-aarch64
bin
12
AWS Greengrass Developer Guide
Create an AWS Greengrass Group
rootfs
To create a Greengrass group, open the AWS IoT console and, in the navigation pane, choose Greengrass.
On the Dene a Greengrass group tile, choose Get Started. On the Set up your Greengrass Group
page, choose Use easy creation, and then follow the instructions. This will walk you through the creation
of:
A Greengrass group.
An AWS IoT thing that represents an AWS Greengrass core in your AWS Greengrass group.
A certicate and key pair that your AWS Greengrass core will use to authenticate with AWS IoT and
AWS Greengrass.
Download the certicate and private key and save them in a safe place. You will copy them to your
AWS Greengrass core device later.
4. Attach your device certicate to your AWS IoT thing. For more information, see Attach a Certicate
to a Thing.
5. Make sure your certicate is activated.
13
AWS Greengrass Developer Guide
Provisioning an AWS Greengrass Core
6. Create and attach an AWS IoT policy to your device certicate. The policy determines which AWS IoT
resources your AWS Greengrass core is able to access. In the AWS IoT console, choose Security, and
then choose Policies. Choose Create to create an AWS IoT policy.
On the Create a Policy page, type a name for your policy. Under Add statements, in the Action text
box, type iot:*, greengrass:*. In the Resource ARN text box, type *. Under Eect choose Allow
and then choose Create. This will allow the identity associated with this policy to perform all AWS
IoT and AWS Greengrass operations. For more information, see Create an AWS IoT Policy.
Note
The AWS Greengrass core software establishes an MQTT connection using a random client
ID. For this reason, do not use the {iot:ClientId} policy variable in the AWS IoT policy for
your AWS Greengrass core.
Note
This will extract the AWS Greengrass distributable into the greengrass directory in your
root directory of your device.
2. If Linux control groups (cgroups) are not enabled on the operating system of your AWS Greengrass
core device , run this script.
Note
Linux control groups are used to limit the resources that can be accessed by Lambda
functions that run on your AWS Greengrass core device.
3. To automatically congure the Lambda cgroup, add cgroup /sys/fs/cgroup cgroup defaults 0 0
to the /etc/fstab le on your device, and then reboot your device.
The /greengrass directory is created when you extract the tar le.
14
AWS Greengrass Developer Guide
Get Connected to AWS
After creating the role, make a note of the role ARN and use it to call the following CLI command:
{
"coreThing": {
"caPath": "[ROOT_CA_PEM_HERE]",
"certPath": "[CLOUD_PEM_CRT_HERE]",
"keyPath": "[CLOUD_PEM_KEY_HERE]",
"thingArn": "[THING_ARN_HERE]",
"iotHost": "[HOST_PREFIX_HERE].iot.[AWS_REGION_HERE].amazonaws.com",
"ggHost": "greengrass.iot.[AWS_REGION_HERE].amazonaws.com",
"keepAlive": 600
},
"runtime": {
"cgroup": {
"useSystemd": "[yes|no]"
}
}
}
caPath The path to the AWS IoT root Save the le under /greengrass/
CA certicate relative to / conguration/certs.
greengrass/conguration/certs
folder.
certPath The path to the AWS Greengrass Save the le under /greengrass/
core certicate relative to / conguration/certs.
greengrass/conguration/certs
folder.
keyPath The path to the AWS Greengrass Save the le under /greengrass/
core private key relative to / conguration/certs.
greengrass/conguration/certs
folder.
15
AWS Greengrass Developer Guide
Add an AWS IoT Device to Your AWS Greengrass Group
iotHost Your AWS IoT endpoint. Can be obtained using the aws
iot describe-endpoint CLI
command or in the Settings
section of the AWS IoT console.
This text means that your AWS Greengrass core device is connected to AWS IoT and waiting for a
deployment to take place.
16
AWS Greengrass Developer Guide
AWS Greengrass Example Scenario: Robot Arm
Connect to AWS IoT and receive information about AWS Greengrass groups to which the device
belongs.
Connect to an AWS Greengrass core.
Save the certicate and private key in a safe place. You will need to copy them to your AWS
Greengrass core device.
4. Attach your device certicate to your AWS IoT thing. For more information, see Attach a Certicate
to a Thing.
5. Make sure your certicate is activated.
6. Create and attach an AWS IoT policy to your device certicate. The AWS policy determines which
AWS IoT resources your AWS Greengrass core is able to access. In the AWS IoT console, choose
Security, and then choose Policies. Choose Create to create an AWS IoT policy.
On the Create a Policy page, type a name for your policy. Under Add statements, in the Action
text box, type iot:*, greengrass:*. In the Resource ARN text box, type *. This allows the identity
associated with this policy to perform all AWS IoT and AWS Greengrass operations. For more
information, see Create an AWS IoT Policy.
Imagine a robot arm that moves boxes to a conveyor belt. This robot arm is controlled by a switch that
will turn it on or o. The robot arm's on/o state can be controlled from the cloud. We have two Lambda
functions. One function is for monitoring the robot arm state when it is turned on and o (uptime
Lambda). This represents a situation in which you might need to monitor the status of a device, such as
how many times its been powered on (a very basic example). This status is sent to the cloud where you
are able to see the data on an MQTT topic.
The messageLambda Lambda function accepts generic messages that control the robot arm from the
cloud and updates the local thing shadow associated with the robot arm device. The AWS Greengrass
core software synchronized the local thing shadow with the thing shadow in the cloud (AWS IoT).
Note
The Lambda functions provided later in this tutorial use these case-sensitive names. If you
choose dierent names for your things, you must update the code for the Lambda functions,
device code, and subscription table.
17
AWS Greengrass Developer Guide
Create a Core Denition
list, and subscription denition. In this scenario, the group consists of your GGC_Thing, RobotArm_Thing,
Switch_Thing, your Lambda functions, and a list of the subscriptions between them. Start by creating an
AWS Greengrass group. You will add components to it later.
The Greengrass group name is the name that will be displayed in the AWS Greengrass console. It
can change over time, but the ID (generated for you) cannot. The output from the create-group CLI
command will look like this:
{
"LastUpdatedTimestamp": "2017-05-17T17:43:18.815Z",
"CreationTimestamp": "2017-05-17T17:43:18.815Z",
"Id": "4462f873-9299-440b-a6d6-94cd9560bc6e",
"Arn":"arn:aws:greengrass:us-west-2:123451234510:/greengrass/groups/4462f873-9299-440b-
a6d6-94cd9560bc6e"
"Name":"<GreengrassGroupName>"
}
Make a note of the Id in the create-group command output. You will need it later.
To get information about an AWS Greengrass group, you can use the get-group CLI command, passing in
the group ID:
The --group-id argument is the ID that is returned from the create-group CLI command.
The output from the aws greengrass get-group command will look like this:
{
"LastUpdatedTimestamp": "2017-05-17T17:43:18.815Z",
"CreationTimestamp": "2017-05-17T17:43:18.815Z",
"Arn":"arn:aws:greengrass:us-west-2:123451234510:/greengrass/groups/4462f873-9299-440b-
a6d6-94cd9560bc6e",
"Id": "4462f873-9299-440b-a6d6-94cd9560bc6e",
"Name": "<GreengrassGroupName>"
}
Now that your group has been created, create a core denition, a device denition, a Lambda function
denition, and a subscription denition. After these components are created, you will add them to the
group and deploy them to your AWS Greengrass core device.
First, create a AWS Greengrass core list with the create-core-definition CLI command:
18
AWS Greengrass Developer Guide
Create a Core Denition
The --name argument species a name for the AWS Greengrass core denition.
The output from the create-core-definition CLI command will look like this:
{
"LastUpdatedTimestamp": "2017-05-17T17:49:50.584Z",
"CreationTimestamp": "2017-05-17T17:49:50.584Z",
"Id": "099d0333-3b37-451e-8d1c-745950ea8e27",
"Arn":"arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/
cores/099d0333-3b37-451e-8d1c-745950ea8e27",
"Name": "<CoreDefinitionName>"
}
Now that you have created an AWS Greengrass core denition, create an AWS Greengrass core denition
version by adding an AWS Greengrass core to the denition:
--core-definition-id
true if the core's shadow should be synchronized with the cloud. Otherwise, false.
ThingArn
The ARN for the AWS IoT thing that represents the AWS Greengrass core.
The output from the create-core-definition-version CLI command will look like this:
{
"Arn" : "arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/
cores/099d0333-3b37-451e-8d1c-745950ea8e27/versions/e20c9a13-d737-441e-9f44-b0e70b0357f4",
"Id" : "099d0333-3b37-451e-8d1c-745950ea8e27",
"Version" : "e20c9a13-d737-441e-9f44-b0e70b0357f4",
"CreationTimestamp" : "2017-05-17T17:57:01.449Z"
}
Save the ARN from the CLI command output. You will use it later to add the list to a group.
19
AWS Greengrass Developer Guide
Create a Device Denition
You can view an AWS Greengrass core list version using the get-core-definition-version CLI
command:
--core-denition-id
The AWS Greengrass core denition ID from the create-core-definition CLI command output.
--core-denition-version-id
The ID of the AWS Greengrass core denition version. In the preceding example, it would be
e20c9a13-d737-441e-9f44-b0e70b0357f4.
The output from the get-core-definition-version CLI command will look like this:
{
"Definition": {
"Cores": [
{
"CertificateArn": "arn:aws:iot:us-west-2:123451234510:cert/
b47d7b575e495d798ae0b83be87041b3b860e312105e40e2481527dd39918f49",
"ThingArn": "arn:aws:iot:us-west-2:123451234510:thing/
StorylineUpdate_Core",
"SyncShadow": true,
"Id": "base-core"
}
]
},
"Version": "e20c9a13-d737-441e-9f44-b0e70b0357f4",
"CreationTimestamp": "2017-05-17T17:57:01.449Z",
"Id": "099d0333-3b37-451e-8d1c-745950ea8e27",
"Arn": "arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/
cores/099d0333-3b37-451e-8d1c-745950ea8e27/versions/e20c9a13-d737-441e-9f44-b0e70b0357f4"
}
The output from the create-device-definition CLI command will look like this:
{
"LastUpdatedTimestamp": "2017-05-17T00:00:00.000Z",
"CreationTimestamp":"2017-05-17T00:00:00.000Z",
"Id":"c595e5c8-5dd0-4b3b-8262-0e94d4d18bfd",
20
AWS Greengrass Developer Guide
Create a Device Denition
"Arn":"arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/devices/
c595e5c8-5dd0-4b3b-8262-0e94d4d18bfd",
"Name":"<DeviceDefinitionName>",
}
Next, create a device denition version by adding AWS IoT things to the list:
--device-definition-id
The ID of the device denition, returned from the create-device-definition CLI command. In the
preceding example, it would be c595e5c8-5dd0-4b3b-8262-0e94d4d18bfd.
--devices
A list of JSON objects for each device in the device denition version.
Id
true if the AWS Greengrass core's shadow should be synchronized with the cloud. Otherwise,
false.
ThingArn
The output from the create-device-definition-version CLI command looks like this:
{
"Arn" : "arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/devices/
c595e5c8-5dd0-4b3b-8262-0e94d4d18bfd/versions/3c57969a-3a98-4092-8388-cece2b39f009",
"Id" : "c595e5c8-5dd0-4b3b-8262-0e94d4d18bfd",
"Version" : "3c57969a-3a98-4092-8388-cece2b39f009",
"CreationTimestamp" : "2017-05-17T18:18:28.393Z"
}
Save the device denition version ARN from the CLI command output. You will use it later to add the list
to a group.
21
AWS Greengrass Developer Guide
Modify the Policy for GGC_Thing,
Switch_Thing, and RobotArm_Thing
To view the device denition version, use the get-device-definition-version CLI command:
--device-definition-id
The ID of the device denition, returned from the create-device-definition CLI command.
--device-definition-version-id
The ID of the device denition version, returned from the create-device-definition-version CLI
command.
The output from the get-device-definition-version CLI command looks like this:
{
"Definition": {
"Devices": [
{
"CertificateArn": "arn:aws:iot:us-west-2:123451234510:cert/
a2909c1e38379f82fedf89011c98613fef6fa96071c3dd64a297fde6a414e150",
"ThingArn": "arn:aws:iot:us-west-2:123451234510:thing/RobotArm_Thing",
"SyncShadow": true,
"Id": "robot-arm"
},
{
"CertificateArn": "arn:aws:iot:us-
west-2:123451234510:cert/62017e65eb92d502459ba0f06211ba49c68a9d4763dd1901e2ea4dc73048ef15",
"ThingArn": "arn:aws:iot:us-west-2:123451234510:thing/Switch_Thing",
"SyncShadow": false,
"Id": "switch"
}
]
},
"Version": "3c57969a-3a98-4092-8388-cece2b39f009",
"CreationTimestamp": "2017-05-17T18:18:28.393Z",
"Id": "c595e5c8-5dd0-4b3b-8262-0e94d4d18bfd",
"Arn": "arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/devices/
c595e5c8-5dd0-4b3b-8262-0e94d4d18bfd/versions/3c57969a-3a98-4092-8388-cece2b39f009"
}
You see that the SyncShadow eld for StorylineUpdate_RobotArm is set to true. This will sync the
local shadow status for StorylineUpdate_RobotArm. Whenever there's a shadow update for the
StorylineUpdate_RobotArm, it will also be reected in the AWS IoT shadow in the cloud .
22
AWS Greengrass Developer Guide
Create a Lambda Function Denition
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iot:*",
"greengrass:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
]
}
This allows AWS Greengrass to update the local shadow status with the cloud and AWS IoT devices to use
discovery functionality.
To make the Lambda functions available for Greengrass, you need to upload these Lambda functions
to the Lambda console. Make sure that you are accessing the Lambda console in the same region
as the Greengrass endpoint you are using. (If you are accessing Greengrass in the us-west-2 region,
use the Lambda console in the us-west-2 region.) Create two Lambda functions: uptimeLambda and
messageLambda.
Note
The source code for these Lambda functions are part of the AWS Greengrass Core SDK. You
can download it from the AWS IoT console. In the navigation pane, choose Software, and then
choose Download SDK for the AWS Greengrass Core SDK. Each Lambda function is contained in
a zip le located in the examples/Storyline directory of the AWS Greengrass Core SDK.
Using the AWS Lambda console, create a Lambda function and choose Blank Function. Do not congure
any triggers. Name the function uptimeLambda. For runtime, choose python 2.7. For Code entry type,
choose Upload a .ZIP le, and then browse to the storyline_uptimeLambda.zip le.
For Handler, type uptimeLambda.uptime_handler. Choose any existing role. The role is not important
here because AWS Greengrass doesn't use it. Review and then publish the function. Choose Actions,
choose Publish new version, and then choose Publish. The ARN for the published Lambda looks like
this: arn:aws:lambda:us-west-2:123451234510:function:uptimeLambda:1.
Associate a Lambda alias with this published version of your Lambda function. A Lambda alias is a
pointer to a specic Lambda function version. Aliases are mutable (that is, they can be changed) and can
be updated to point to dierent versions. For more information about Lambda aliases, see AWS Lambda
Developer Guideversioning-aliases.html. Using an alias allows you to update a Lambda function without
having to update subscriptions for each Greengrass group that references the Lambda function.
Note
The $LATEST alias is not supported for use with Greengrass.
From the Actions menu, choose Create alias. In Name, type "storyLineUptime", and choose the version
that was just published.
Note
A Lambda alias is a name given to a specic version of a Lambda function. Using an alias allows
the user to update the Lambda function without having to update the subscription table later.
You can use any alias except $LATEST which is used internally for work-in-progress deployments.
23
AWS Greengrass Developer Guide
Create a Lambda Function Denition
Make sure the alias is pointing to the correct version. It will be automatically resolved during Greengrass
deployment later.
Using the AWS Lambda console, create a Lambda function and choose Blank Function. Do not congure
any triggers. Name the function messageLambda. For runtime, choose python 2.7. For Code entry type,
choose Upload a .ZIP le, and then browse to the storyline_messageLambda.zip le that came with the
release. For Handler, type messageLambda.message_handler. Choose any existing role. The role is not
important because AWS Greengrass doesn't use it. Review the Lambda function and then publish it. From
the Actions menu, choose Publish new version, and then choose Publish. The ARN for the published
Lambda function looks like this: arn:aws:lambda:us-west-2:123451234510:function:messageLambda:1.
Associate an alias with the published version. From the Actions menu, choose Create alias. In Name,
type "storyLineMessage", and choose the version that was just published. Using an alias allows the user
to update the Lambda function without having to update the subscription table later. Make sure the alias
is pointing to the correct version. It will be automatically resolved during Greengrass deployment later.
Note
You will need the versioned ARN with either a version or an alias in order to build your function
list. Make sure you have published a version of your Lambda function and associated an alias
with it.
--name
{
"LastUpdatedTimestamp": "2017-05-17T18:26:14.235Z",
"CreationTimestamp": "2017-05-17T18:26:14.235Z",
"Id": "ff44a4cf-a619-47c2-95b4-13c6daf8cf47",
"Arn":"arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/functions/
ff44a4cf-a619-47c2-95b4-13c6daf8cf47",
"Name": "<MyFunctionDefinition>"
}
Now, create a Lambda denition version by adding Lambda functions to the denition:
24
AWS Greengrass Developer Guide
Create a Lambda Function Denition
"Executable": "messageLambda.message_handler",
"MemorySize": 128000,
"Timeout": 3
}
}]'
--function-definition-id
The ID of the function denition, returned from the create-function-definition CLI command. In
the preceding example, it would be ff44a4cf-a619-47c2-95b4-13c6daf8cf47 for this entry in the
list.
--functions
A list of JSON objects describing the functions that you are adding to the function denition.
Id
The ARN of the function version you are adding to the denition.
Note
The function version ARN must end in a version. For example "arn:aws:lambda:us-
west-2:$ACCOUNT:function:UptimeLambda:1" is a valid function version ARN.
FunctionConfiguration
Conguration information for the function you are adding to the denition.
Executable
The output from the create-function-definition-version CLI command looks like this:
{
"Arn" : "arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/lambdas/
ff44a4cf-a619-47c2-95b4-13c6daf8cf47/versions/8bdd9e9f-c2be-41a0-8cb2-2b8e952013c3",
"Id" : "ff44a4cf-a619-47c2-95b4-13c6daf8cf47",
"Version" : "8bdd9e9f-c2be-41a0-8cb2-2b8e952013c3",
"CreationTimestamp" : "2017-05-17T18:54:17.227Z"
}
Make a note the ARN of the Lambda denition version. You will need it later.
You can view the Lambda function list using the get-function-version CLI command.
25
AWS Greengrass Developer Guide
Create a Subscription Denition
--function-definition-id
The output of the get-function-definition-version CLI command will look like this:
{
"Definition": {
"Functions": [
{
"FunctionConfiguration": {
"Executable": "messageLambda.message_handler",
"MemorySize": 128000,
"Timeout": 3
},
"Id": "message-lambda",
"FunctionArn": "arn:aws:lambda:us-
west-2:123451234510:function:messageLambda:storyLineMessage"
},
{
"FunctionConfiguration": {
"Executable": "uptimeLambda.uptime_handler",
"MemorySize": 128000,
"Timeout": 3
},
"Id": "uptime-lambda",
"FunctionArn": "arn:aws:lambda:us-
west-2:123451234510:function:uptimeLambda:storyLineUptime"
}
]
},
"Version": "8bdd9e9f-c2be-41a0-8cb2-2b8e952013c3",
"CreationTimestamp": "2017-05-17T18:54:17.227Z",
"Id": "ff44a4cf-a619-47c2-95b4-13c6daf8cf47",
"Arn": "arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/lambdas/
ff44a4cf-a619-47c2-95b4-13c6daf8cf47/versions/8bdd9e9f-c2be-41a0-8cb2-2b8e952013c3"
}
26
AWS Greengrass Developer Guide
Create a Subscription Denition
"LastUpdatedTimestamp": "2017-05-17T20:20:40.534Z",
"CreationTimestamp": "2017-05-17T20:20:40.534Z",
"Id": "17d6cb13-3745-496c-9187-29316b37115e",
"Arn":"arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/
subscriptions/17d6cb13-3745-496c-9187-29316b37115e",
"Name": "<MySubscriptionDefinition>"
}
27
AWS Greengrass Developer Guide
Create a Subscription Denition
},
{
"Id":"10",
"Source":"GGShadowService",
"Subject": "$aws/things/RobotArm_Thing/shadow/update/accepted",
"Target": "<RobotArm_Thing-arn>"
},
{
"Id":"11",
"Source":"GGShadowService",
"Subject": "$aws/things/RobotArm_Thing/shadow/update/rejected",
"Target": "<RobotArm_Thing-arn>"
}
]'
--subscription-definition-id
The output from the create-subscription-definition-version CLI command will look like this:
{
"Arn" : "arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/
subscriptions/17d6cb13-3745-496c-9187-29316b37115e/versions/0ad227b8-3d1d-43f6-
bcc9-446201386e69",
"Id" : "17d6cb13-3745-496c-9187-29316b37115e",
"Version" : "0ad227b8-3d1d-43f6-bcc9-446201386e69",
"CreationTimestamp" : "2017-05-17T21:15:00.350Z"
}
You can view a subscription denition using the get-subscription-definition-version CLI command:
--subscription-definition-id
28
AWS Greengrass Developer Guide
Create a Subscription Denition
--subscription-definition-version-id
The output of the get-subscription-definition-version CLI command will look like this:
{
"Definition": {
"Subscriptions": [
{
"Source": "<Switch_Thing-arn>",
"Target": "GGShadowService",
"Id": "1",
"Subject": "$aws/things/RobotArm_Thing/shadow/update"
},
{
"Source": "GGShadowService",
"Target": "<RobotArm_Thing-arn>",
"Id": "10",
"Subject": "$aws/things/RobotArm_Thing/shadow/update/accepted"
},
{
"Source": "GGShadowService",
"Target": "<RobotArm_Thing-arn>",
"Id": "11",
"Subject": "$aws/things/RobotArm_Thing/shadow/update/rejected"
},
{
"Source": "<RobotArm_Thing-arn>",
"Target": "<uptimeLambda-arn>",
"Id": "2",
"Subject": "/topic/state"
},
{
"Source": "<RobotArm_Thing-arn>",
"Target": "GGShadowService",
"Id": "3",
"Subject": "$aws/things/RobotArm_Thing/shadow/update"
},
{
"Source": "GGShadowService",
"Target": "<RobotArm_Thing-arn>",
"Id": "4",
"Subject": "$aws/things/RobotArm_Thing/shadow/update/delta"
},
{
"Source": "<uptimeLambda-arn>",
"Target": "cloud",
"Id": "5",
"Subject": "/topic/metering"
},
{
"Source": "<messageLambda-arn>",
"Target": "GGShadowService",
"Id": "6",
"Subject": "$aws/things/RobotArm_Thing/shadow/update"
},
{
"Source": "cloud",
"Target": "<messageLambda-arn>",
"Id": "7",
"Subject": "/topic/update"
},
{
29
AWS Greengrass Developer Guide
Create a Logger Denition
"Source": "GGShadowService",
"Target": "<Switch_Thing-arn>",
"Id": "8",
"Subject": "$aws/things/RobotArm_Thing/shadow/update/accepted"
},
{
"Source": "GGShadowService",
"Target": ,
"Id": "9",
"Subject": "$aws/things/RobotArm_Thing/shadow/update/rejected"
}
]
},
"Version": "0ad227b8-3d1d-43f6-bcc9-446201386e69",
"CreationTimestamp": "2017-05-17T21:15:00.350Z",
"Id": "17d6cb13-3745-496c-9187-29316b37115e",
"Arn": "arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/
subscriptions/17d6cb13-3745-496c-9187-29316b37115e/versions/0ad227b8-3d1d-43f6-
bcc9-446201386e69"
}
The output from the create-logger-definition CLI command will look like this:
{
"LastUpdatedTimestamp": "2017-05-17T21:18:55.331Z",
"CreationTimestamp": "2017-05-17T21:18:55.331Z",
"Id": "beab53cc-098c-4ad2-ac7c-45a70fbde559",
"Arn":"arn:aws:greengrass-us-west-2:123451234510:/greengrass/definition/loggers/
beab53cc-098c-4ad2-ac7c-45a70fbde559",
"Name": "<MyLoggerDefinition>"
}
30
AWS Greengrass Developer Guide
Create a Logger Denition
"Space": 5120,
"Type": "FileSystem"
}]'
--logger-definition-id
The logging level. Valid values are DEBUG, INFO, WARN, ERROR, FATAL.
Space
The output from the create-logger-definition-version CLI command will look like this:
{
"Arn" : "arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/logging/
beab53cc-098c-4ad2-ac7c-45a70fbde559/versions/ca679860-e5a1-4872-88f6-99a4ca988fc3",
"Id" : "beab53cc-098c-4ad2-ac7c-45a70fbde559",
"Version" : "ca679860-e5a1-4872-88f6-99a4ca988fc3",
"CreationTimestamp" : "2017-05-17T21:26:58.438Z"
}
Save the output of create-logger-definition-version. You will use the "Arn" eld to add the list to
the group later.
To view the logging list version you just created, run the get-logging-list-version CLI command:
--logger-definition-id
The output from the get-logger-definition-version CLI command will look like this:
31
AWS Greengrass Developer Guide
Update Your Group
{
"Definition": {
"Loggers": [
{
"Type": "FileSystem",
"Space": 5120,
"Component": "Lambda",
"Id": "lambda-logs",
"Level": "DEBUG"
},
{
"Type": "FileSystem",
"Space": 5120,
"Component": "GreengrassSystem",
"Id": "system-logs",
"Level": "INFO"
}
]
},
"Version": "ca679860-e5a1-4872-88f6-99a4ca988fc3",
"CreationTimestamp": "2017-05-17T21:26:58.438Z",
"Id": "beab53cc-098c-4ad2-ac7c-45a70fbde559",
"Arn": "arn:aws:greengrass:us-west-2:123451234510:/greengrass/definition/logging/
beab53cc-098c-4ad2-ac7c-45a70fbde559/versions/ca679860-e5a1-4872-88f6-99a4ca988fc3"
}
--group-id
32
AWS Greengrass Developer Guide
Create a Deployment
The output of the create-group-version CLI command will look like this:
{
"Arn" : "arn:aws:greengrass:us-west-2:123451234510:/greengrass/
groups/4462f873-9299-440b-a6d6-94cd9560bc6e/versions/33210262-2b2d-47c1-913c-657fc7d08513",
"Id" : "4462f873-9299-440b-a6d6-94cd9560bc6e",
"Version" : "33210262-2b2d-47c1-913c-657fc7d08513",
"CreationTimestamp" : "2017-05-17T21:36:06.166Z"
}
Create a Deployment
Now that your AWS Greengrass group is created and populated with a core denition, a device denition,
a Lambda function denition, and a subscription denition, you can deploy the group conguration to
your AWS Greengrass core device.
--group-id
The group version ID of the group you want to deploy. Each group will have a version that
corresponds to dierent group changes you have made.
The output of the create-deployment CLI command will look like this:
{
"DeploymentId": "4db95ef8-9309-4774-95a4-eea580b6ceef",
"DeploymentArn": "arn:aws:greengrass:us-west-2:106511594199:/greengrass/groups/
b744ed45-a7df-4227-860a-8d4492caa412/deployments/4db95ef8-9309-4774-95a4-eea580b6ceef"
}
You can check the status of the deployment with the get-deployment-status CLI command:
--deployment-id
The output of the get-deployment-status CLI command will look like this:
{
"DeploymentStatus": "Success",
"UpdatedAt": "2017-04-04T00:00:00.000Z"
33
AWS Greengrass Developer Guide
Updating the Connectivity Information Service
The DeploymentStatus is set to Building when the deployment is being prepared. When the deployment
is ready but the AWS Greengrass core has not picked up the new deployment, the DeploymentStatus is
InProgress.
--thing-name
The name of your AWS Greengrass core AWS IoT thing (for example, GGC_Thing).
--connectivity-info
The port for your AWS Greengrass core (for example, 8883).
Metadata
The output of the update-connectivity-info CLI command will look like this:
{
"Version": "6ffc9b20-4ce0-427e-9c8c-403459f92d02"
}
Device Conguration
Download the AWS IoT Device SDK for C++ on Github. Inside the folder named samples you will nd the
examples for this scenario.
The code running on our two devices, switch and robot arm, was built using the AWS IoT Device SDK
for C++. The package includes a version of the SDK and the switch and robot arm samples. Follow these
instructions to compile the devices on your AWS Greengrass core:
34
AWS Greengrass Developer Guide
Device Conguration
After the device code is compiled, the device binaries are located in the /aws-iot-device-sdk-cpp/
build/bin directory. In order to connect to AWS IoT and retrieve the connectivity information of your
AWS Greengrass core, your devices need certicates to authenticate with AWS IoT. These certicates are
the same certicates you downloaded when you created your device things on AWS IoT.
Copy the certicates you downloaded for your RobotArm_Thing into the /aws-iot-device-sdk-cpp/
build/bin/certs/robotArm/ folder. The certicate and private key are used to authenticate the device
with AWS IoT. Download the AWS IoT CA certicate from VeriSign Class 3 Public Primary G5 root CA
certicate. Rename this le root-ca.pem and place it in the /certs/robotArm/ folder. The root-ca.pem is
used by the device to verify the identity of the AWS IoT service. Copy the certicate and private key you
downloaded for your Switch_Thing into /aws-iot-device-sdk-cpp/build/bin/certs/switch/ folder
along with a copy of root-ca.pem.
RobotArmConfig.json
SwitchConfig.json
endpoint
If you used a dierent name for the AWS IoT thing that represents the robotic arm, replace client_id
and thing_name with the name you are using. You must also make changes in Lambda functions and
device codes.
35
AWS Greengrass Developer Guide
Running the Scenario
endpoint
The IP address or domain name of the AWS IoT endpoint. For the production environment, the
endpoint is greengrass.iot.AWS_REGION.amazonaws.com.
root_ca_certificate_path
If you used a dierent name for the AWS IoT thing that represents the switch, replace client_id and
thing_name with the name you are using. You must also make changes in Lambda functions and device
codes. Now run the devices!
Run Greengrass
To run the AWS Greengrass core with the storyline conguration, see Run the AWS Greengrass
Core Software (p. 16). When the deployment is complete, you can see your uptimeLambda and
messageLambda functions deployed in the /greegrass/lambda/ folder.
To run the switch sample, change to the /aws-iot-device-sdk-cpp/build/bin directory, and then run
the ./switch-sample command. The device prompts you to enter 1 for on, 0 for o, and q for quit. Type
1, and then press Enter. This updates the state of the robot arm to on. Type 0 to turn the state of the
robot arm to o. Type q to quit this program. When you turn the robot arm on and o, you should see
the state change on the robot arm device terminal where the program is running.
The robot arm is congured to sync its local shadow state with the cloud shadow. When its state
changes, the cloud shadow is updated automatically. To check its state, in the AWS IoT console, navigate
to the thing details page for RobotArm_Thing , and then choose the Shadow link.
If the AWS Greengrass core has an active internet connection, go to the AWS IoT console to view
messages that are being published by your Lambda functions. Use the test functionality in the AWS
IoT console to subscribe to the/topic/metering topic. If your AWS Greengrass core has an internet
connection, the state of the robot arm is published to this topic.
To control the robot arm from the cloud, you can publish the following messages to the /topic/update
topic:
36
AWS Greengrass Developer Guide
Tutorial: Deploying a Simple Lambda
Function to AWS Greengrass
If you receive an error code, you can nd out more details about the nature of the error code by
searching through ResponseCode.hpp. This le can be found in either of the following locations:
On GitHub: ResponseCode.hpp
Supported platform:
Armv7l
Raspberry Pi 3 Model B - Raspbian Jessie 2017-03-02
X86_64
Amazon EC2 Instance - Amazon Linux - amzn-ami-hvm-2016.09.1.20170119-x86_64-ebs
AARCH64
Annapurna Alpine V2 Platform-on-Chip uATX Development Board with Ubuntu 14.04 Kernel 4.1.3
with the following enabled:
CONFIG_DEVPTS_MULTIPLE_INSTANCES
CONFIG_OF_OVERLAY
CONFIG_OVERLAY_FS
CONFIG_POSIX_MQUEUE
CONFIG_SECCOMP
CONFIG_SECCOMP_FILTER
CONFIG_HAVE_ARCH_SECCOMP_FILTER
1. Open the AWS home page, and choose Create an AWS Account.
2. Follow the online instructions. Part of the sign-up procedure involves receiving a phone call and
entering a PIN using your phone keypad.
37
AWS Greengrass Developer Guide
Sign in to the AWS Greengrass Console
38
AWS Greengrass Developer Guide
Create an AWS Greengrass
Group and AWS Greengrass Core
39
AWS Greengrass Developer Guide
Create an AWS Greengrass
Group and AWS Greengrass Core
2. Use the default name for your AWS Greengrass core, and then choose Next.
40
AWS Greengrass Developer Guide
Create an AWS Greengrass
Group and AWS Greengrass Core
4. Click the links to download the private key, public key, and certicate for your AWS Greengrass core.
41
AWS Greengrass Developer Guide
Create an AWS Greengrass
Group and AWS Greengrass Core
5. Choose the CPU architecture your AWS Greengrass core will be running, and then choose Download
Greengrass to download the Greengrass software package. When the download is complete, choose
Finish.
42
AWS Greengrass Developer Guide
Congure and Start Your Greengrass Core Device
1. Use the following commands to add a user named ggc_user and a group named ggc_group:
43
AWS Greengrass Developer Guide
Congure and Start Your Greengrass Core Device
Hardlink/softlink protection
The AWS Greengrass core software checks if hardlink/softlink protection is activated on the operating
system at startup. We recommend that you activate this protection to improve security on your device.
Follow these steps.
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
sudo reboot
If the system variables were set successfully, the following text is displayed:
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
Use the following commands to add a user named ggc_user and a group named ggc_group:
Hardlink/softlink protection
The AWS Greengrass core software checks if hardlink/softlink protection is activated on the operating
system at startup. We recommend that you activate this protection to improve security on your device.
Follow these instructions.
44
AWS Greengrass Developer Guide
Copy and Extract the Greengrass
Software Package onto Your Core Device
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
sudo reboot
If the system variables were set successfully, the following text is displayed:
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
apt-get update
apt-get install sqlite3
3. Set up cgroups:
greengrass-platform-version.tar.gz
45
AWS Greengrass Developer Guide
Install Certicates on Your AWS Greengrass Core Device
Use the scp command to copy the Greengrass software package into the home directory of your
AWS Greengrass core device:
Note
Replace the IP_ADDRESS used in this command with the IP address of your AWS Greengrass
core device. In this example, we are using the Greengrass software package for Raspberry Pi
3.
3. On your AWS Greengrass core device, use the following command to expand the package:
File Description
Note
You can use the scp command to copy the les to your AWS Greengrass core device.
By default, you do not have permission to copy the les directly to /greengrass/
configuration/certs. To work around this, copy the les to your user directory and
then use sudo mv file-name to move the les to the /greengrass/configuration/certs
directory.
1. Find the thing ARN for your AWS Greengrass core. In the AWS Greengrass console, from the
navigation page, choose Groups.
46
AWS Greengrass Developer Guide
Congure Your Greengrass Core
47
AWS Greengrass Developer Guide
Congure Your Greengrass Core
48
AWS Greengrass Developer Guide
Congure Your Greengrass Core
6. On your AWS Greengrass core device, open the /greengrass/configuration/config.json le. It will
initially look like this:
{
"coreThing": {
"caPath": "<ROOT_CA_PEM_HERE>",
"certPath": "<CLOUD_PEM_CRT_HERE>",
"keyPath": "<CLOUD_PEM_KEY_HERE>",
"thingArn": "<THING_ARN_HERE>",
"iotHost": "<HOST_PREFIX_HERE>.iot.<AWS_REGION_HERE>.amazonaws.com",
"ggHost": "greengrass.iot.<AWS_REGION_HERE>.amazonaws.com",
"keepAlive": 600
},
"runtime": {
"cgroup": {
"useSystemd": "[yes|no]"
}
}
}
{
"coreThing": {
"caPath": "root-ca.pem",
"certPath": "cloud.pem.crt",
"keyPath": "cloud.pem.key",
"thingArn": arn:aws:iot:us-west-2:049039099382:thing/GGTestGroup42_Core",
"iotHost": "your-AWS-IoT-endpoint,
"ggHost": "greengrass.iot.us-west-2.amazonaws.com",
"keepAlive": 600
},
"runtime": {
"cgroup": {
"useSystemd": "yes"
}
}
49
AWS Greengrass Developer Guide
Start Your AWS Greengrass Core to Connect It to the Cloud
Attribute Description
If the Greengass daemon starts successfully, you should see the following output:
50
AWS Greengrass Developer Guide
Create a "Hello World" Lambda Function
Note
Linux control groups (cgroups) are used to limit the resources that can be accessed by Lambda
functions that run on your AWS Greengrass core device.
You can automatically recongure the Lambda cgroup when you reboot your AWS Greengrass
core device by adding cgroup /sys/fs/cgroup cgroup defaults 0 0 to the /etc/fstab le on
your AWS Greengrass core device.
1. From the Service drop-down menu, navigate to the AWS Lambda console.
51
AWS Greengrass Developer Guide
Create a "Hello World" Lambda Function
3. In the Filter text box, type Greengrass, and then choose the greengrass-hello-world Lambda
function blueprint.
4. Choose Next.
6. Scroll down until you see Lambda function handler and role. For Role, select Choose an existing
role. For Existing role, select any role. If you don't have a role, select Create a new role from
template(s), and then choose any template from the Policy templates drop-down list. Choose Next.
52
AWS Greengrass Developer Guide
Create a "Hello World" Lambda Function
53
AWS Greengrass Developer Guide
Add the Lambda Function to Your Group Denition
8. Now you need to publish a new version of the Hello World Lambda function. From the Actions
menu, choose Publish new version.
1. In the AWS IoT console, choose Greengrass, and then choose Groups.
2. Select the tile for your group.
3. In the navigation pane, choose Lambdas, and then choose Add your rst Lambda.
54
AWS Greengrass Developer Guide
Add the Lambda Function to Your Group Denition
5. Select the Hello World Lambda function you created eariler, and then choose Next.
55
AWS Greengrass Developer Guide
Congure the HelloWorld Lambda Function
6. Select the version of the Hello World Lambda function to use, and then choose Finish.
1. In the AWS Greengrass console, choose Lambdas, and then choose the HelloWorld Lambda
function.
56
AWS Greengrass Developer Guide
Add a Subscription to Your Group Denition
2. In the upper-right corner of the Lambda tile, choose the ellipsis, and then choose Edit
Conguration.
3. Under Lambda lifecycle, select Make this function long-lived and keep it running indenitely, and
then choose Update.
1. In the AWS Greengrass console, nd your group, and then select it.
2. On the group details page, choose Subscriptions.
3. Choose Add your rst Subscription.
57
AWS Greengrass Developer Guide
Add a Subscription to Your Group Denition
58
AWS Greengrass Developer Guide
Add a Subscription to Your Group Denition
59
AWS Greengrass Developer Guide
Add a Subscription to Your Group Denition
6. Choose Next.
7. A topic lter can be used to control which data is made available for the target. By default,
subscriptions use a wildcard topic ("#") and will pass all information from the source to the target.
60
AWS Greengrass Developer Guide
Deploy Your Group
You will now add hello/world as the topic lter for this subscription. In Optional topic lter, type
hello/world, and then choose Next.
61
AWS Greengrass Developer Guide
Deploy Your Group
1. In the AWS Greengrass console, choose Groups, choose your group, and then choose Deployments.
2. From the Actions menu, choose Deploy.
3. On the Congure how Devices discover your Core page, choose Automatic detection.
4. On the Grant permission to access other services page, choose Grant permission.
62
AWS Greengrass Developer Guide
Verify the Lambda Function Is Running on Your Core Device
Your deployment might take a couple of minutes. You will know the deployment was successful when a
Deployment successfully completed message is displayed in the group details page:
63
AWS Greengrass Developer Guide
Verify the Lambda Function Is Running on Your Core Device
In Subscription topic, type hello/world, and then choose Subscribe to topic to subscribe to the hello/
world topic.
If the hello world Lambda function is running on your AWS Greengrass core device, it publishes
messages to the hello/world topic and is displayed in the AWS IoT console:
64
AWS Greengrass Developer Guide
Verify the Lambda Function Is Running on Your Core Device
65
AWS Greengrass Developer Guide
Request
All devices that communicate with an AWS Greengrass core must be a member of a Greengrass
group. Each group must have an AWS Greengrass core. The Discovery API enables devices to retrieve
information required to connect to an AWS Greengrass core that is in the same Greengrass group as the
device. When a device rst comes online, it can connect to the AWS Greengrass cloud service and use the
Discovery API to nd:
https://your-aws-endpoint/greengrass/discover/thing/thing-name
The endpoint is specic to your AWS account. To retrieve your endpoint, use theaws iot describe-
endpoint CLI command:
Use port 8443 when connecting. For a list of region-specic endpoints, see AWS IoT Regions and
Endpoints in the AWS General Reference. This is a data plane only API. The endpoints used for working
with rules, certicates, and policies do not support the Discovery API.
Request
The request contains the standard HTTP headers and is sent to the following URI:
66
AWS Greengrass Developer Guide
Response
Response
Response
Upon success, the response includes the standard HTTP headers plus the following code and body:
HTTP 200
BODY: response document
For more information see, Example Discover Response Documents (p. 67).
Authorization
Retrieving the connectivity information requires a policy that allows the caller to perform
thegreengrass:Discoveraction. TLS mutual authentication with a client certicate is the only accepted
form of authentication. The following is an example policy that allows a caller to perform this action:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "greengrass:Discover",
"Resource": ["arn:aws:iot:aws-region:aws-account:thing/thing-name"]
}]
}
{
"GGGroups": [
{
"GGGroupId": "gg-group-01-id",
"Cores": [
{
"thingArn": "core-01-thing-arn",
"Connectivity": [
{
"id": "core-01-connection-id",
"hostAddress": "core-01-address",
"portNumber": core-01-port,
"metadata": "core-01-description"
}
]
}
],
"CAs": [
"-----BEGIN CERTIFICATE-----cert-contents-----END CERTIFICATE-----"
]
}
]
}
67
AWS Greengrass Developer Guide
Example Discover Response Documents
The following document shows the response for a device that is a member of two groups with one AWS
Greengrass core, multiple endpoints, and multiple group CAs:
{
"GGGroups": [
{
"GGGroupId": "gg-group-01-id",
"Cores": [
{
"thingArn": "core-01-thing-arn",
"Connectivity": [
{
"id": "core-01-connection-id",
"hostAddress": "core-01-address",
"portNumber": core-01-port,
"metadata": "core-01-connection-1-description"
},
{
"id": "core-01-connection-id-2",
"hostAddress": "core-01-address-2",
"portNumber": core-01-port-2,
"metadata": "core-01-connection-2-description"
}
]
}
],
"CAs": [
"-----BEGIN CERTIFICATE-----cert-contents-----END CERTIFICATE-----",
"-----BEGIN CERTIFICATE-----cert-contents-----END CERTIFICATE-----",
"-----BEGIN CERTIFICATE-----cert-contents-----END CERTIFICATE-----"
]
},
{
"GGGroupId": "gg-group-02-id",
"Cores": [
{
"thingArn":"core-02-thing-arn",
"Connectivity" : [
{
"id": "core-02-connection-id",
"hostAddress": "core-02-address",
"portNumber": core-02-port,
"metadata": "core-02-connection-1-description"
}
],
"CAs": [
"-----BEGIN CERTIFICATE-----cert-contents-----END CERTIFICATE-----",
"-----BEGIN CERTIFICATE-----cert-contents-----END CERTIFICATE-----",
"-----BEGIN CERTIFICATE-----cert-contents-----END CERTIFICATE-----"
]
}
]
}
}
Note
An AWS Greengrass group must dene exactly one AWS Greengrass core. Any response from the
AWS Greengrass cloud service that contains a list of AWS Greengrass cores only contains one
AWS Greengrass core.
68
AWS Greengrass Developer Guide
AWS Greengrass uses X.509 certicates, managed subscriptions, AWS IoT policies, and IAM policies and
roles to ensure your Greengrass applications are secure. AWS Greengrass core devices require an AWS IoT
thing, a device certicate, and an AWS IoT policy to communicate with the Greengrass cloud service.
This allows AWS Greengrass core devices to securely connect to the AWS IoT cloud services. It also allows
the Greengrass cloud service to deploy conguration information, Lambda functions, and managed
subscriptions to AWS Greengrass core devices.
AWS IoT devices require an AWS IoT thing, a device certicate, and an AWS IoT policy to connect to the
Greengrass service. This allows AWS IoT devices to use the Greengrass Discovery Service to nd and
connect to an AWS Greengrass core device. AWS IoT devices use the same device certicate used to
connect to AWS IoT device gateway and AWS Greengrass core devices. The following diagram shows the
components of the AWS Greengrass security model:
69
AWS Greengrass Developer Guide
Conguring Greengrass Security
A customer-created IAM role that allows AWS Greengrass access to your AWS IoT and Lambda
resources.
B - Core device certicate
A role assumed by AWS Greengrass when calling into the cloud from a Lambda function on an AWS
Greengrass core.
E - Group CA
A root CA certicate used by AWS Greengrass devices to validate the certicate presented by an AWS
Greengrass core device during TLS mutual authentication.
1. Create an AWS IoT thing for your AWS Greengrass core device.
2. Generate a key pair and device certicate for your AWS Greengrass core device.
3. Create and attach an AWS IoT policy to the device certicate. The certicate and policy allow the
AWS Greengrass core device access to AWS IoT and Greengrass cloud services.
4. Create a Greengrass service role. This IAM role grants AWS Greengrass access to your Greengrass and
AWS IoT resources. You only need to create a service role once per AWS account.
5. (Optional) Create a Greengrass group role. This role grants permission to Lambda functions running
on an AWS Greengrass core to call other AWS services (in the cloud). You need to do this for each
Greengrass group you create.
6. Create an AWS IoT thing for each device that will connect to your AWS Greengrass core.
7. Create device certicates, key pairs, and AWS IoT policies for each device that will connect to your
AWS Greengrass core.
Note
You can also use existing AWS IoT things and certicates.
An AWS Greengrass core device uses its device certicate, private key, and the AWS IoT root CA
certicate to connect to the Greengrass cloud service .
The AWS Greengrass core device downloads group membership information from the Greengrass
service.
When a deployment is made to the AWS Greengrass core device, the Device Certicate Manager (DCM)
handles certicate management for the AWS Greengrass core device.
70
AWS Greengrass Developer Guide
Greengrass Messaging Workow
An AWS IoT device connects to the Greengrass cloud service using its device certicate, private key,
and the AWS IoT root CA. After making the connection, the AWS IoT device uses the Greengrass
Discovery Service to nd the IP address of its AWS Greengrass core device. The device can also
download the group's root CA certicate, which can be used to authenticate the Greengrass core
device.
An AWS IoT device attempts to connect to the AWS Greengrass core, passing its device certicate
and client ID. If the client ID matches the thing name of the device and the certicate is valid, the
connection is made. Otherwise, the connection is terminated.
If there is no internet connection when the AWS Greengrass core attempts to get a new MQTT
core server certicate, AWS IoT devices are unable to connect to the AWS Greengrass core until the
connection to the Greengrass cloud service is restored and a new MQTT core server certicate can be
downloaded.
When AWS IoT devices are disconnected from a core, they have to wait a short period of time and then
attempt to reconnect to the AWS Greengrass core device.
71
AWS Greengrass Developer Guide
Conguring Greengrass Logging
AWS Greengrass consists of the cloud service and the AWS Greengrass core software. The AWS
Greengrass core software can write logs to CloudWatch Logs or to the local le system of your AWS
Greengrass core device. If the logging component is congured to log events to the local le system, the
log les are stored under /greengrass/var/log with the following directory structure:
/greengrass/var
- log
- system
- log files for each Greengrass system components
- user
- log files generated by each Lambda function
Currently, for le system logging, we support size-based rotation and automatic cleanup when the
amount of log data is close to the congured limit.
{
"loggingModelList": [
{
"Type": "log-storage-type",
"Component": component-type,
"Level": logging-level,
"Space": max-storage
},
{
"Type": ... ,
"Level": ... ,
...
}
]
}
72
AWS Greengrass Developer Guide
Required IAM Permissions
Type
AWSCloudWatch and FileSystem. This eld species which storage mechanism is used for log events.
When AWSCloudWatch is used, log events are sent to CloudWatch with a limited number of retries
in case there's no internet connectivity. After the retries are exhausted, the event is dropped. When
FileSystem is used, log events are stored on the local le system.
Component
Supported values are GreengrassSystem and Lambda. When GreengrassSystem is used, log events
from Greengrass system components are ltered based on the log level threshold and stored to the
designated location. Depends on the Type. When Lambda is used, log events from a user's Lambda
functions are ltered based on the log level and stored to the designated location. Again, depends
on the Type.
Level
Log events below this threshold are ltered out and aren't stored.
Space
The maximum amount of local storage, in KB, to use for storing logs. This eld applies only when
Type is set to FileSystem.
If logging is not congured, before the rst deployment, the AWS Greengrass core software does not
contain any logging conguration information. It uses the following settings:
[
{
"Type": "FileSystem",
"Component": "GreengrassSystem",
"Level": "INFO",
"Space": 128
}
]
After the rst deployment, if you explicitly congure the Greengrass software to emit no logs, none will
be emitted. If you don't congure logging, the following settings are used by default:
[
{
"Type": "FileSystem",
"Component": "GreengrassSystem",
"Level": "INFO",
"Space": 128
},
{
"Type": "FileSystem",
"Component": "Lambda",
"Level": "INFO",
"Space": 128
}
]
73
AWS Greengrass Developer Guide
Logging Output
logs:PutLogEvents
logs:CreateLogGroup
logs:CreateLogStream
logs:DescribeLogStreams
Logging Output
If the logging component is congured to write logs to CloudWatch, the following log groups are
displayed:
/aws/greengrass/GreengrassSystem/GreengrassSystemComponentName
/aws/greengrass/Lambda/aws-region/accountId/lambda-function-name
Under each log group, you see log streams with the following structure:
date/accountId/greengrass-group-id/name-of-core-that-generated-log
The AWS Greengrass core logs look the same whether they are written to local storage or to CloudWatch
Logs. The format for AWS Greengrass system logs is:
Memory
If AWS Greengrass is congured to send logs to CloudWatch and a Lambda function logs more than
5 MB/second for a prolonged period of time, the internal processing pipeline eventually lls up. The
theoretical worst case is 6 MB per Lambda function.
Clock Skew
When logging to CloudWatch is enabled, the logging component signs requests to CloudWatch using the
normal Signature Version 4 process. If the system time on the AWS Greengrass core device is out of sync
by more than 15 minutes, then the requests are rejected.
Disk Usage
Use the following formula to calculate the total maximum amount of disk usage for logging.
74
AWS Greengrass Developer Guide
Log Loss
Where:
greengrass-storage
Log Loss
If your AWS Greengrass core device is congured to log only to CloudWatch and there's no internet
connectivity, you have no way to retrieve the logs currently in the memory.
When Lambda functions are terminated (for example, during deployment), a few seconds worth of logs
are not written to CloudWatch.
75
AWS Greengrass Developer Guide
Common Issues
Symptom Solution
You see 403 Forbidden error on deployment in the Make sure the AWS Greengrass core's policy in the
logs. cloud includes "greengrass:*" as an allowed action.
Device's shadow does not sync with the cloud. Check that the AWS Greengrass core has
permissions for "iot:UpdateThingShadow" and
"iot:GetThingShadow" actions.
The AWS Greengrass core software does not run Run rpi-update to update. Raspbian has released
on Raspberry Pi because user namespace is not a new kernel 4.9 that has user namespace
enabled. enabled.
A ConcurrentDeployment error occurs when you A deployment might be in progress. You can run
run create-deployment for the rst time. get-deployment-history to see if a deployment
was created. If not, try creating the deployment
again.
The AWS Greengrass core software does not start Check that you are using the binaries
successfully. appropriate for your architecture.
Check that your AWS Greengrass core device
has local storage available.
The greengrassd script displays: unable The le descriptor limit for the AWS Greengrass
to accept TCP connection. accept tcp core software has reached the threshold and must
[::]:8000: accept4: too many open files. be increased.
ulimit -n 2048
76
AWS Greengrass Developer Guide
Troubleshooting with Logs
Symptom Solution
Note
In this example, the limit is increased to
2048. Choose a value appropriate for
your use case.
GREENGRASS_ROOT/crash.log
This folder contains all the logs from the AWS Greengrass system Lambda functions. Using the
messages in var/log/system/ and var/log/system/runtime.log, you should be able to nd out
which error occured in AWS Greengrass system Lambda functions.
Note
By default, GREENGRASS_ROOT is the /greengrass directory.
If the logs are congured to be stored on the cloud, use CloudWatch Logs to view log messages. The
crash log is still found on the AWS Greengrass core device.
If connection errors occur when system Lambda function attempt to connect to AWS IoT, look in the
AWS IoT logs in CloudWatch for more information.
Note
AWS IoT must be congured to write logs to CloudWatch.
You should always be aware of the amount of free space available locally. This can be calculated based
on the sizes of deployed Lambda functions, the logging conguration (see Troubleshooting with
Logs (p. 77)), and the number of shadows stored locally.
Troubleshooting Messsages
All messages sent within AWS Greengrass are sent with QoS 0. If an AWS Greengrass core is restarted,
messages that have not been processed yet are lost. For this reason, restart the AWS Greengrass core
when the service disruption is the lowest. The AWS Greengrass core is restarted by a deployment, too.
77