Prerequisites for running the AWS IoT Greengrass qualification suite
This section describes the prerequisites for using AWS IoT Device Tester (IDT) for AWS IoT Greengrass.

Download the latest version of AWS IoT Device Tester for AWS IoT Greengrass
Download the latest version of IDT and extract the software into a location on your file system where you have read and write permissions (<device-tester-extract-location>).

Note
IDT does not support being run by multiple users from a shared location, such as an NFS directory or a Windows network shared folder. We recommend that you extract the IDT package to a local drive and run the IDT binary on your local workstation.
Windows has a path length limitation of 260 characters. If you are using Windows, extract IDT to a root directory such as C:\ or D:\ to keep your paths under the 260-character limit.
Download the AWS IoT Greengrass software
IDT for AWS IoT Greengrass V2 tests your device for compatibility with a specific version of AWS IoT Greengrass. Run the following command to download the AWS IoT Greengrass Core software to a file named aws.greengrass.nucleus.zip. Replace version with the version of the nucleus component that your IDT version supports.
Place the downloaded aws.greengrass.nucleus.zip file in the <device-tester-extract-location>/products/ folder.

Note
Do not place multiple files in this directory for the same operating system and architecture.
Create and configure an AWS account
Before you can use AWS IoT Device Tester for AWS IoT Greengrass V2, you must perform the following steps:

1. Set up an AWS account. If you already have an AWS account, skip to step 2.

These account permissions allow IDT to access AWS services and create AWS resources, such as AWS IoT things and AWS IoT Greengrass components, on your behalf.
To create these resources, IDT for AWS IoT Greengrass V2 uses the AWS credentials configured in the config.json file to make API calls on your behalf. These resources are provisioned at various times during a test.

Note
Although most of the tests qualify for the AWS Free Tier
Step 1: Set up an AWS account
In this step, you create and configure an AWS account. If you already have an AWS account, skip to Step 2: Configure permissions for IDT.
If you do not have an AWS account, complete the following steps to create one.

Sign up for an AWS account
Follow the online instructions.
Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.
When you sign up for an AWS account, an AWS account root user is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform tasks that require root user access.
To create an administrator user, choose one of the following options.

| Choose one way to manage your administrator | To | By | You can also |
|---|---|---|---|
| In IAM Identity Center (Recommended) | Use short-term credentials to access AWS. This aligns with security best practices. For information about best practices, see Security best practices in IAM in the IAM User Guide. | Following the instructions in Getting started in the AWS IAM Identity Center User Guide. | Configure programmatic access by Configuring the AWS CLI to use AWS IAM Identity Center in the AWS Command Line Interface User Guide. |
| In IAM (Not recommended) | Use long-term credentials to access AWS. | Following the instructions in Creating your first IAM admin user and user group in the IAM User Guide. | Configure programmatic access by Managing access keys for IAM users in the IAM User Guide. |
Step 2: Configure permissions for IDT
In this step, you configure the permissions that IDT for AWS IoT Greengrass V2 uses to run tests and collect IDT usage data. You can use the AWS Management Console or the AWS Command Line Interface (AWS CLI) to create an IAM policy and a test user for IDT, and then attach the policy to the user. If you already created a test user for IDT, skip to Configure your device to run IDT tests.

Console

1. Sign in to the IAM console.
2. Create a customer managed policy that grants permissions to create roles with specific permissions.
   1. In the navigation pane, choose Policies, and then choose Create policy.
   2. If you are not using pre-installed, on the JSON tab, replace the placeholder content with the following policy. If you are using pre-installed, continue to the following step.

      ```json
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "passRoleForResources",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/idt-*",
            "Condition": {
              "StringEquals": {
                "iam:PassedToService": ["iot.amazonaws.com", "lambda.amazonaws.com", "greengrass.amazonaws.com"]
              }
            }
          },
          {
            "Sid": "lambdaResources",
            "Effect": "Allow",
            "Action": ["lambda:CreateFunction", "lambda:PublishVersion", "lambda:DeleteFunction", "lambda:GetFunction"],
            "Resource": ["arn:aws:lambda:*:*:function:idt-*"]
          },
          {
            "Sid": "iotResources",
            "Effect": "Allow",
            "Action": [
              "iot:CreateThing", "iot:DeleteThing", "iot:DescribeThing",
              "iot:CreateThingGroup", "iot:DeleteThingGroup", "iot:DescribeThingGroup",
              "iot:AddThingToThingGroup", "iot:RemoveThingFromThingGroup",
              "iot:AttachThingPrincipal", "iot:DetachThingPrincipal",
              "iot:UpdateCertificate", "iot:DeleteCertificate",
              "iot:CreatePolicy", "iot:AttachPolicy", "iot:DetachPolicy", "iot:DeletePolicy", "iot:GetPolicy",
              "iot:Publish", "iot:TagResource",
              "iot:ListThingPrincipals", "iot:ListAttachedPolicies", "iot:ListTargetsForPolicy",
              "iot:ListThingGroupsForThing", "iot:ListThingsInThingGroup",
              "iot:CreateJob", "iot:DescribeJob", "iot:DescribeJobExecution", "iot:CancelJob"
            ],
            "Resource": [
              "arn:aws:iot:*:*:thing/idt-*",
              "arn:aws:iot:*:*:thinggroup/idt-*",
              "arn:aws:iot:*:*:policy/idt-*",
              "arn:aws:iot:*:*:cert/*",
              "arn:aws:iot:*:*:topic/idt-*",
              "arn:aws:iot:*:*:job/*"
            ]
          },
          {
            "Sid": "s3Resources",
            "Effect": "Allow",
            "Action": [
              "s3:GetObject", "s3:PutObject", "s3:DeleteObjectVersion", "s3:DeleteObject",
              "s3:CreateBucket", "s3:ListBucket", "s3:ListBucketVersions", "s3:DeleteBucket",
              "s3:PutObjectTagging", "s3:PutBucketTagging"
            ],
            "Resource": "arn:aws:s3::*:idt-*"
          },
          {
            "Sid": "roleAliasResources",
            "Effect": "Allow",
            "Action": ["iot:CreateRoleAlias", "iot:DescribeRoleAlias", "iot:DeleteRoleAlias", "iot:TagResource", "iam:GetRole"],
            "Resource": ["arn:aws:iot:*:*:rolealias/idt-*", "arn:aws:iam::*:role/idt-*"]
          },
          {
            "Sid": "idtExecuteAndCollectMetrics",
            "Effect": "Allow",
            "Action": [
              "iot-device-tester:SendMetrics", "iot-device-tester:SupportedVersion", "iot-device-tester:LatestIdt",
              "iot-device-tester:CheckVersion", "iot-device-tester:DownloadTestSuite"
            ],
            "Resource": "*"
          },
          {
            "Sid": "genericResources",
            "Effect": "Allow",
            "Action": ["greengrass:*", "iot:GetThingShadow", "iot:UpdateThingShadow", "iot:ListThings", "iot:DescribeEndpoint", "iot:CreateKeysAndCertificate"],
            "Resource": "*"
          },
          {
            "Sid": "iamResourcesUpdate",
            "Effect": "Allow",
            "Action": [
              "iam:CreateRole", "iam:DeleteRole", "iam:CreatePolicy", "iam:DeletePolicy",
              "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:TagRole", "iam:TagPolicy",
              "iam:GetPolicy", "iam:ListAttachedRolePolicies", "iam:ListEntitiesForPolicy"
            ],
            "Resource": ["arn:aws:iam::*:role/idt-*", "arn:aws:iam::*:policy/idt-*"]
          }
        ]
      }
      ```

   3. If you are using pre-installed, on the JSON tab, replace the placeholder content with the following policy. Make sure that you:
      - Replace thingName and thingGroup in the iotResources statement with the thing name and thing group created during the Greengrass installation on the device under test (DUT), to add permissions for them.
      - Replace passRole and roleAlias in the roleAliasResources and passRoleForResources statements with the role created during the Greengrass installation on the DUT.

      ```json
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "passRoleForResources",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/passRole",
            "Condition": {
              "StringEquals": {
                "iam:PassedToService": ["iot.amazonaws.com", "lambda.amazonaws.com", "greengrass.amazonaws.com"]
              }
            }
          },
          {
            "Sid": "lambdaResources",
            "Effect": "Allow",
            "Action": ["lambda:CreateFunction", "lambda:PublishVersion", "lambda:DeleteFunction", "lambda:GetFunction"],
            "Resource": ["arn:aws:lambda:*:*:function:idt-*"]
          },
          {
            "Sid": "iotResources",
            "Effect": "Allow",
            "Action": [
              "iot:CreateThing", "iot:DeleteThing", "iot:DescribeThing",
              "iot:CreateThingGroup", "iot:DeleteThingGroup", "iot:DescribeThingGroup",
              "iot:AddThingToThingGroup", "iot:RemoveThingFromThingGroup",
              "iot:AttachThingPrincipal", "iot:DetachThingPrincipal",
              "iot:UpdateCertificate", "iot:DeleteCertificate",
              "iot:CreatePolicy", "iot:AttachPolicy", "iot:DetachPolicy", "iot:DeletePolicy", "iot:GetPolicy",
              "iot:Publish", "iot:TagResource",
              "iot:ListThingPrincipals", "iot:ListAttachedPolicies", "iot:ListTargetsForPolicy",
              "iot:ListThingGroupsForThing", "iot:ListThingsInThingGroup",
              "iot:CreateJob", "iot:DescribeJob", "iot:DescribeJobExecution", "iot:CancelJob"
            ],
            "Resource": [
              "arn:aws:iot:*:*:thing/thingName",
              "arn:aws:iot:*:*:thinggroup/thingGroup",
              "arn:aws:iot:*:*:policy/idt-*",
              "arn:aws:iot:*:*:cert/*",
              "arn:aws:iot:*:*:topic/idt-*",
              "arn:aws:iot:*:*:job/*"
            ]
          },
          {
            "Sid": "s3Resources",
            "Effect": "Allow",
            "Action": [
              "s3:GetObject", "s3:PutObject", "s3:DeleteObjectVersion", "s3:DeleteObject",
              "s3:CreateBucket", "s3:ListBucket", "s3:ListBucketVersions", "s3:DeleteBucket",
              "s3:PutObjectTagging", "s3:PutBucketTagging"
            ],
            "Resource": "arn:aws:s3::*:idt-*"
          },
          {
            "Sid": "roleAliasResources",
            "Effect": "Allow",
            "Action": ["iot:CreateRoleAlias", "iot:DescribeRoleAlias", "iot:DeleteRoleAlias", "iot:TagResource", "iam:GetRole"],
            "Resource": ["arn:aws:iot:*:*:rolealias/roleAlias", "arn:aws:iam::*:role/idt-*"]
          },
          {
            "Sid": "idtExecuteAndCollectMetrics",
            "Effect": "Allow",
            "Action": [
              "iot-device-tester:SendMetrics", "iot-device-tester:SupportedVersion", "iot-device-tester:LatestIdt",
              "iot-device-tester:CheckVersion", "iot-device-tester:DownloadTestSuite"
            ],
            "Resource": "*"
          },
          {
            "Sid": "genericResources",
            "Effect": "Allow",
            "Action": ["greengrass:*", "iot:GetThingShadow", "iot:UpdateThingShadow", "iot:ListThings", "iot:DescribeEndpoint", "iot:CreateKeysAndCertificate"],
            "Resource": "*"
          },
          {
            "Sid": "iamResourcesUpdate",
            "Effect": "Allow",
            "Action": [
              "iam:CreateRole", "iam:DeleteRole", "iam:CreatePolicy", "iam:DeletePolicy",
              "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:TagRole", "iam:TagPolicy",
              "iam:GetPolicy", "iam:ListAttachedRolePolicies", "iam:ListEntitiesForPolicy"
            ],
            "Resource": ["arn:aws:iam::*:role/idt-*", "arn:aws:iam::*:policy/idt-*"]
          }
        ]
      }
      ```

      Note
      If you want to use a custom IAM role as the token exchange role for the device under test, make sure to update the roleAliasResources and passRoleForResources statements in your policy to allow your custom IAM role resource.
   4. Choose Review policy.
   5. For Name, enter IDTGreengrassIAMPermissions. Under Summary, review the permissions granted by the policy.
   6. Choose Create policy.
3. Create an IAM user and attach the permissions required by IDT for AWS IoT Greengrass.
   1. Create an IAM user. Follow steps 1 through 5 in Creating IAM users (console) in the IAM User Guide.
   2. Attach the permissions to your IAM user:
      1. On the Set permissions page, choose Attach existing policies to user directly.
      2. Search for the IDTGreengrassIAMPermissions policy that you created in the previous step. Select the check box.
   3. Choose Next: Tags.
   4. Choose Next: Review to view a summary of your choices.
   5. Choose Create user.
   6. To view the user's access keys (access key ID and secret access key), choose Show next to the password and access key. To save the access keys, choose Download .csv and save the file to a secure location. You use this information later to configure your AWS credentials file.
4. Next step: Configure your physical device.
AWS CLI

1. On your computer, install and configure the AWS CLI if it is not already installed. Follow the steps in Installing the AWS CLI in the AWS Command Line Interface User Guide.

   Note
   The AWS CLI is an open source tool that you can use to interact with AWS services from the command line shell.
2. Create a customer managed policy that grants permissions to manage IDT and AWS IoT Greengrass roles.
   1. If you are not using pre-installed, open a text editor and save the following policy contents in a JSON file. If you are using pre-installed, continue to the following step.

      ```json
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "passRoleForResources",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/idt-*",
            "Condition": {
              "StringEquals": {
                "iam:PassedToService": ["iot.amazonaws.com", "lambda.amazonaws.com", "greengrass.amazonaws.com"]
              }
            }
          },
          {
            "Sid": "lambdaResources",
            "Effect": "Allow",
            "Action": ["lambda:CreateFunction", "lambda:PublishVersion", "lambda:DeleteFunction", "lambda:GetFunction"],
            "Resource": ["arn:aws:lambda:*:*:function:idt-*"]
          },
          {
            "Sid": "iotResources",
            "Effect": "Allow",
            "Action": [
              "iot:CreateThing", "iot:DeleteThing", "iot:DescribeThing",
              "iot:CreateThingGroup", "iot:DeleteThingGroup", "iot:DescribeThingGroup",
              "iot:AddThingToThingGroup", "iot:RemoveThingFromThingGroup",
              "iot:AttachThingPrincipal", "iot:DetachThingPrincipal",
              "iot:UpdateCertificate", "iot:DeleteCertificate",
              "iot:CreatePolicy", "iot:AttachPolicy", "iot:DetachPolicy", "iot:DeletePolicy", "iot:GetPolicy",
              "iot:Publish", "iot:TagResource",
              "iot:ListThingPrincipals", "iot:ListAttachedPolicies", "iot:ListTargetsForPolicy",
              "iot:ListThingGroupsForThing", "iot:ListThingsInThingGroup",
              "iot:CreateJob", "iot:DescribeJob", "iot:DescribeJobExecution", "iot:CancelJob"
            ],
            "Resource": [
              "arn:aws:iot:*:*:thing/idt-*",
              "arn:aws:iot:*:*:thinggroup/idt-*",
              "arn:aws:iot:*:*:policy/idt-*",
              "arn:aws:iot:*:*:cert/*",
              "arn:aws:iot:*:*:topic/idt-*",
              "arn:aws:iot:*:*:job/*"
            ]
          },
          {
            "Sid": "s3Resources",
            "Effect": "Allow",
            "Action": [
              "s3:GetObject", "s3:PutObject", "s3:DeleteObjectVersion", "s3:DeleteObject",
              "s3:CreateBucket", "s3:ListBucket", "s3:ListBucketVersions", "s3:DeleteBucket",
              "s3:PutObjectTagging", "s3:PutBucketTagging"
            ],
            "Resource": "arn:aws:s3::*:idt-*"
          },
          {
            "Sid": "roleAliasResources",
            "Effect": "Allow",
            "Action": ["iot:CreateRoleAlias", "iot:DescribeRoleAlias", "iot:DeleteRoleAlias", "iot:TagResource", "iam:GetRole"],
            "Resource": ["arn:aws:iot:*:*:rolealias/idt-*", "arn:aws:iam::*:role/idt-*"]
          },
          {
            "Sid": "idtExecuteAndCollectMetrics",
            "Effect": "Allow",
            "Action": [
              "iot-device-tester:SendMetrics", "iot-device-tester:SupportedVersion", "iot-device-tester:LatestIdt",
              "iot-device-tester:CheckVersion", "iot-device-tester:DownloadTestSuite"
            ],
            "Resource": "*"
          },
          {
            "Sid": "genericResources",
            "Effect": "Allow",
            "Action": ["greengrass:*", "iot:GetThingShadow", "iot:UpdateThingShadow", "iot:ListThings", "iot:DescribeEndpoint", "iot:CreateKeysAndCertificate"],
            "Resource": "*"
          },
          {
            "Sid": "iamResourcesUpdate",
            "Effect": "Allow",
            "Action": [
              "iam:CreateRole", "iam:DeleteRole", "iam:CreatePolicy", "iam:DeletePolicy",
              "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:TagRole", "iam:TagPolicy",
              "iam:GetPolicy", "iam:ListAttachedRolePolicies", "iam:ListEntitiesForPolicy"
            ],
            "Resource": ["arn:aws:iam::*:role/idt-*", "arn:aws:iam::*:policy/idt-*"]
          }
        ]
      }
      ```

   2. If you are using pre-installed, open a text editor and save the following policy contents in a JSON file. Make sure that you:
      - Replace thingName and thingGroup in the iotResources statement with the thing name and thing group created during the Greengrass installation on the device under test (DUT), to add permissions for them.
      - Replace passRole and roleAlias in the roleAliasResources and passRoleForResources statements with the role created during the Greengrass installation on the DUT.

      ```json
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "passRoleForResources",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/passRole",
            "Condition": {
              "StringEquals": {
                "iam:PassedToService": ["iot.amazonaws.com", "lambda.amazonaws.com", "greengrass.amazonaws.com"]
              }
            }
          },
          {
            "Sid": "lambdaResources",
            "Effect": "Allow",
            "Action": ["lambda:CreateFunction", "lambda:PublishVersion", "lambda:DeleteFunction", "lambda:GetFunction"],
            "Resource": ["arn:aws:lambda:*:*:function:idt-*"]
          },
          {
            "Sid": "iotResources",
            "Effect": "Allow",
            "Action": [
              "iot:CreateThing", "iot:DeleteThing", "iot:DescribeThing",
              "iot:CreateThingGroup", "iot:DeleteThingGroup", "iot:DescribeThingGroup",
              "iot:AddThingToThingGroup", "iot:RemoveThingFromThingGroup",
              "iot:AttachThingPrincipal", "iot:DetachThingPrincipal",
              "iot:UpdateCertificate", "iot:DeleteCertificate",
              "iot:CreatePolicy", "iot:AttachPolicy", "iot:DetachPolicy", "iot:DeletePolicy", "iot:GetPolicy",
              "iot:Publish", "iot:TagResource",
              "iot:ListThingPrincipals", "iot:ListAttachedPolicies", "iot:ListTargetsForPolicy",
              "iot:ListThingGroupsForThing", "iot:ListThingsInThingGroup",
              "iot:CreateJob", "iot:DescribeJob", "iot:DescribeJobExecution", "iot:CancelJob"
            ],
            "Resource": [
              "arn:aws:iot:*:*:thing/thingName",
              "arn:aws:iot:*:*:thinggroup/thingGroup",
              "arn:aws:iot:*:*:policy/idt-*",
              "arn:aws:iot:*:*:cert/*",
              "arn:aws:iot:*:*:topic/idt-*",
              "arn:aws:iot:*:*:job/*"
            ]
          },
          {
            "Sid": "s3Resources",
            "Effect": "Allow",
            "Action": [
              "s3:GetObject", "s3:PutObject", "s3:DeleteObjectVersion", "s3:DeleteObject",
              "s3:CreateBucket", "s3:ListBucket", "s3:ListBucketVersions", "s3:DeleteBucket",
              "s3:PutObjectTagging", "s3:PutBucketTagging"
            ],
            "Resource": "arn:aws:s3::*:idt-*"
          },
          {
            "Sid": "roleAliasResources",
            "Effect": "Allow",
            "Action": ["iot:CreateRoleAlias", "iot:DescribeRoleAlias", "iot:DeleteRoleAlias", "iot:TagResource", "iam:GetRole"],
            "Resource": ["arn:aws:iot:*:*:rolealias/roleAlias", "arn:aws:iam::*:role/idt-*"]
          },
          {
            "Sid": "idtExecuteAndCollectMetrics",
            "Effect": "Allow",
            "Action": [
              "iot-device-tester:SendMetrics", "iot-device-tester:SupportedVersion", "iot-device-tester:LatestIdt",
              "iot-device-tester:CheckVersion", "iot-device-tester:DownloadTestSuite"
            ],
            "Resource": "*"
          },
          {
            "Sid": "genericResources",
            "Effect": "Allow",
            "Action": ["greengrass:*", "iot:GetThingShadow", "iot:UpdateThingShadow", "iot:ListThings", "iot:DescribeEndpoint", "iot:CreateKeysAndCertificate"],
            "Resource": "*"
          },
          {
            "Sid": "iamResourcesUpdate",
            "Effect": "Allow",
            "Action": [
              "iam:CreateRole", "iam:DeleteRole", "iam:CreatePolicy", "iam:DeletePolicy",
              "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:TagRole", "iam:TagPolicy",
              "iam:GetPolicy", "iam:ListAttachedRolePolicies", "iam:ListEntitiesForPolicy"
            ],
            "Resource": ["arn:aws:iam::*:role/idt-*", "arn:aws:iam::*:policy/idt-*"]
          }
        ]
      }
      ```

      Note
      If you want to use a custom IAM role as the token exchange role for the device under test, make sure to update the roleAliasResources and passRoleForResources statements in your policy to allow your custom IAM role resource.
   3. Run the following command to create a customer managed policy named IDTGreengrassIAMPermissions. Replace policy.json with the full path to the JSON file that you created in the previous step.

      ```
      aws iam create-policy --policy-name IDTGreengrassIAMPermissions --policy-document file://policy.json
      ```

3. Create an IAM user and attach the permissions required by IDT for AWS IoT Greengrass.
   1. Create an IAM user. In this example setup, the user is named IDTGreengrassUser.

      ```
      aws iam create-user --user-name IDTGreengrassUser
      ```

   2. Attach the IDTGreengrassIAMPermissions policy that you created in step 2 to your IAM user. Replace <account-id> in the command with your AWS account ID.

      ```
      aws iam attach-user-policy --user-name IDTGreengrassUser --policy-arn arn:aws:iam::<account-id>:policy/IDTGreengrassIAMPermissions
      ```

4. Create a secret access key for the user.

   ```
   aws iam create-access-key --user-name IDTGreengrassUser
   ```

   Store the output in a secure location. You use this information later to configure your AWS credentials file.
5. Next step: Configure your physical device.
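Both the console and the AWS CLI procedures above ask you to hand-edit the pre-installed policy, replacing the thingName, thingGroup, passRole and roleAlias placeholders before the policy is created. The following script is an added example, not AWS documentation code: it performs that substitution on an abbreviated, constructed copy of the template (only the three statements you are told to edit), refuses to emit a policy that still contains a placeholder, and checks that the iam:PassRole grant keeps its iam:PassedToService condition and a non-wildcard role ARN. The sample names (MyCoreDevice, MyTokenExchangeRole, and so on) are constructed, not values from the page.

```python
import copy
# Constructed, abbreviated copy of the page's "pre-installed" policy template: only
# the three statements the page says to edit, with its placeholder names kept.
TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "passRoleForResources", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::*:role/passRole",
         "Condition": {"StringEquals": {"iam:PassedToService": [
             "iot.amazonaws.com", "lambda.amazonaws.com", "greengrass.amazonaws.com"]}}},
        {"Sid": "iotResources", "Effect": "Allow", "Action": ["iot:DescribeThing"],
         "Resource": ["arn:aws:iot:*:*:thing/thingName",
                      "arn:aws:iot:*:*:thinggroup/thingGroup",
                      "arn:aws:iot:*:*:policy/idt-*"]},
        {"Sid": "roleAliasResources", "Effect": "Allow", "Action": ["iot:DescribeRoleAlias"],
         "Resource": ["arn:aws:iot:*:*:rolealias/roleAlias", "arn:aws:iam::*:role/idt-*"]},
    ],
}
PLACEHOLDERS = ("passRole", "thingName", "thingGroup", "roleAlias")

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def fill_preinstalled_policy(template, values):
    """Copy the template, replacing each placeholder (last ARN segment) with the name
    created during the Greengrass install on the DUT; raises if any is left over."""
    policy = copy.deepcopy(template)
    for stmt in policy["Statement"]:
        filled = []
        for arn in _as_list(stmt["Resource"]):
            prefix, _, last = arn.rpartition("/")
            filled.append(f"{prefix}/{values[last]}" if last in values else arn)
        stmt["Resource"] = filled[0] if isinstance(stmt["Resource"], str) else filled
    left = [a for s in policy["Statement"] for a in _as_list(s["Resource"])
            if a.rpartition("/")[2] in PLACEHOLDERS]
    if left:
        raise ValueError(f"unreplaced placeholders in: {left}")
    return policy

def passrole_is_constrained(policy):
    """True when every statement naming iam:PassRole keeps the iam:PassedToService
    condition and does not allow passing any role (a resource ending in /*)."""
    for stmt in policy["Statement"]:
        if "iam:PassRole" not in _as_list(stmt["Action"]):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        arns = _as_list(stmt["Resource"])
        if "iam:PassedToService" not in cond or any(a.endswith("/*") for a in arns):
            return False
    return True
```

Run fill_preinstalled_policy on the full template from the page in the same way; ARNs that already end in idt-* are left untouched, so only the four placeholder resources change.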
AWS IoT Device Tester permissions
The following policies describe the AWS IoT Device Tester permissions.
AWS IoT Device Tester requires these permissions for version checking and auto-update features.
- iot-device-tester:SupportedVersion
  Grants AWS IoT Device Tester permission to fetch the list of supported products, test suites, and IDT versions.
- iot-device-tester:LatestIdt
  Grants AWS IoT Device Tester permission to fetch the latest IDT version that is available for download.
- iot-device-tester:CheckVersion
  Grants AWS IoT Device Tester permission to check version compatibility for IDT, test suites, and products.
- iot-device-tester:DownloadTestSuite
  Grants AWS IoT Device Tester permission to download test suite updates.
AWS IoT Device Tester also uses the following permission to report optional metrics:
- iot-device-tester:SendMetrics
  Grants AWS permission to collect metrics about AWS IoT Device Tester internal usage. If this permission is omitted, these metrics are not collected.