AWS Greengrass
Developer Guide

Access Local Resources with Lambda Functions

This feature is available for AWS Greengrass Core v1.3.0 and greater.

Developers who use AWS Greengrass can author AWS Lambda functions in the cloud and deploy them to core devices for local execution. On Greengrass cores running Linux, these locally deployed Lambda functions can access local resources that are physically present on the Greengrass core device. For example, to communicate with devices that are connected through Modbus or CANbus, you can enable your Lambda function to access the serial port on the core device. To configure secure access to local resources, you must guarantee the security of your physical hardware and your Greengrass core device OS.

To get started accessing local resources, see the following tutorials:

Supported Resource Types

You can access two types of local resources: volume resources and device resources.

Volume resources

Files or directories on the root file system (except under /sys, /proc, /dev, and /var). Only a regular file or directory is allowed for a volume resource.

For example:

  • Folders or files used to read or write information across Greengrass Lambda functions (e.g. /usr/lib/python2.x/site-packages/local)


To configure the /var, /var/run, and /var/lib directories as volume resources, first mount the directory in a different folder and then configure the folder as a volume resource.

Device resources

Files under /dev. Only character devices or block devices under /dev are allowed for device resources.

For example:

  • Serial ports used to communicate with devices connected through serial ports (e.g. /dev/ttyS0, /dev/ttyS1)

  • USB used to connect USB peripherals (e.g. /dev/ttyUSB0 or /dev/bus/usb)

  • GPIOs used for sensors and actuators through GPIO (e.g. /dev/gpiomem)

  • GPUs used to accelerate machine learning using on-board GPUs (e.g. /dev/nvidia0)

  • Cameras used to capture images and videos (e.g. /dev/video0)


An exception is /dev/shm, which can be configured as a volume resource only. Resources under /dev/shm must be granted rw permission.

AWS Greengrass also supports resource types that are used to perform machine learning inference. For more information about machine learning resources, see Perform Machine Learning Inference.


The following requirements apply to configuring secure access to local resources:

  • You must be using AWS Greengrass Core Software v1.3.0 or greater.

  • The local resource (including any required drivers and libraries) must be properly installed on the Greengrass core device and consistently available during use.

  • The desired operation of the resource, and access to the resource, must not require root privileges.

  • Only read or read and write permissions are available. Lambdas cannot perform privileged operations on the resources.

  • You must provide the full path of the local resource on the operating system of the Greengrass core device.

  • A resource name or ID has a maximum length of 128 characters and must use the pattern [a-zA-Z0-9:_-]+.

Group Owner File Access Permission

An AWS Greengrass Lambda function process normally runs as ggc_user and ggc_group. However, you can give additional file access permissions to the Lambda function process in the local resource definition, as follows:

  • To add the permissions of the Linux group that owns the resource, use the GroupOwnerSetting#AutoAddGroupOwner parameter or Automatically add OS group permissions of the Linux group that owns the resource console option.

  • To add the permissions of a different Linux group, use the GroupOwnerSetting#GroupOwner parameter or Specify another OS group to add permission console option. The GroupOwner value is ignored if GroupOwnerSetting#AutoAddGroupOwner is true.

An AWS Greengrass Lambda function process inherits all the file system permissions of ggc_user, ggc_group, and the Linux group (if added). In order for the Lambda function to access a resource, you need to make sure that the Lambda function process has the required permissions to the resource, using the chmod(1) command to change the permission of the resource, if necessary.

See Also