AWS IoT Greengrass
Developer Guide

The AWS Documentation website is getting a new look!
Try it now and let us know what you think. Switch to the new look >>

You can return to the original look by selecting English in the language selector above.

Create AWS IoT Devices in an AWS IoT Greengrass Group

  1. In the AWS IoT console, choose Greengrass, choose Groups, and then choose your group.

  2. On the group configuration page, choose Devices, and then choose Add your first Device.

                            Screenshot of the Devices page with the Add your first Device
                                button highlighted.
  3. Choose Create New Device.

                            Screenshot of the Add a Device page with the Create New Device
                                button highlighted.
  4. Register this device as HelloWorld_Publisher, and then choose Next.

                            Screenshot of Create a Registry entry for a device with the Name
                                field set to HelloWorld_Publisher and the Next button
  5. For 1-Click, choose Use Defaults. This option generates a device certificate with attached AWS IoT policy and public and private key.

                            Screenshot of Set up security with the Use Defaults button
  6. Create a folder on your computer. Download the certificate and keys for your device into the folder.

                            Screenshot of the Download security credentials page with the
                                Download these resources as a tar.gz button highlighted.

    Make a note of the common hash component in the file names for the HelloWorld_Publisher device certificate and keys (in this example, bcc5afd26d). You need it later. Choose Finish.

  7. Decompress the hash-setup.tar.gz file. For example, run the following command:

    tar -xzf hash-setup.tar.gz


    On Windows, you can decompress .tar.gz files using a tool such as 7-Zip or WinZip.

  8. Choose Add Device and repeat steps 3 - 7 to add a new device to the group.

    Name this device HelloWorld_Subscriber. Download the certificates and keys for the device to your computer. Save and decompress them in the same folder that you created for HelloWorld_Publisher.

    Again, make a note of the common hash component in the file names for the HelloWorld_Subscriber device.

    You should now have two devices in your AWS IoT Greengrass group:

                            Screenshot showing the HelloWorld_Publisher and
                                HelloWorld_Subscriber devices.
  9. Review the documentation about Server Authentication in AWS IoT Core and choose the appropriate root CA certificate. We recommend that you use Amazon Trust Services (ATS) endpoints and ATS root CA certificates. Your root CA certificate type must match your endpoint. Use an ATS root CA certificate with an ATS endpoint (preferred) or a Verisign root CA certificate with a legacy endpoint. Only some AWS Regions support legacy endpoints. For more information, see Endpoints Must Match the Certificate Type.

    Save the root CA certificate as root-ca-cert.pem in the same folder as the certificates and keys for both devices. All these files should be in one folder on your computer (not on the AWS IoT Greengrass core device).

    • For ATS endpoints (preferred), download the appropriate ATS root CA certificate, such as Amazon Root CA 1.

    • For legacy endpoints, download a Verisign root CA certificate. Although legacy endpoints are acceptable for the purposes of this tutorial, we recommend that you create an ATS endpoint and download an ATS root CA certificate.


    If you're using a web browser on the Mac and you see This certificate is already installed as a certificate authority, open a Terminal window and download the certificate into the folder that contains the HelloWorld_Publisher and HelloWorld_Subscriber device certificates and keys. For example, if you're using an ATS endpoint, you can run the following command to download the Amazon Root CA 1 certificate.

    cd path-to-folder-containing-device-certificates curl -o ./root-ca-cert.pem

    Run cat root-ca-cert.pem to ensure that the file is not empty. If the file is empty, check the URL and try the curl command again.