本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
运行 AWS IoT Greengrass 资格套件的先决条件
本节介绍使用 AWS IoT Device Tester (IDT) 的先决条件。 AWS IoT Greengrass
下载 for 的最新版本 AWS IoT Device TesterAWS IoT Greengrass
下载最新版本的 IDT 并将该软件解压缩到文件系统上您拥有读/写权限的位置 (<device-tester-extract-location>)。
注意
IDT 不支持由多个用户从共享位置(如 NFS 目录或 Windows 网络共享文件夹)运行。建议您将 IDT 包解压缩到本地驱动器,并在本地工作站上运行 IDT 二进制文件。
Windows 的路径长度限制为 260 个字符。如果您使用的是 Windows,请将 IDT 提取到根目录(如 C:\ 或 D:\)以使路径长度不超过 260 个字符的限制。
下载该 AWS IoT Greengrass 软件
IDT fo AWS IoT Greengrass r V2 会测试您的设备是否与特定版本的兼容。 AWS IoT Greengrass运行以下命令将 AWS IoT Greengrass Core 软件下载到名为的文件中aws.greengrass.nucleus.zip。version替换为您的 IDT 版本支持的 nucleus 组件版本。
将下载的 aws.greengrass.nucleus.zip 文件放在 <device-tester-extract-location>/products/
注意
对于相同的操作系统和架构,请勿在此目录中放置多个文件。
创建和配置 AWS 账户
在 AWS IoT Greengrass V2 中使用 AWS IoT Device Tester 之前,必须执行以下步骤:
-
设置一个 AWS 账户. 如果您已经有 AWS 账户,请跳至步骤 2。
这些账户权限允许 IDT 代表您访问 AWS 服务和创建 AWS 资源,例如 AWS IoT 事物和 AWS IoT Greengrass 组件。
要创建这些资源,适用于 AWS IoT Greengrass V2 的 IDT 使用config.json文件中配置的 AWS 凭据代表您进行 API 调用。这些资源将在测试过程的不同时间进行预置。
注意
尽管大多数测试都符合 AWS 免费套餐
第 1 步:设置 AWS 账户
在此步骤中,将创建并配置 AWS 账户。如果您已有 AWS 账户,请跳至 步骤 2:为 IDT 配置权限。
如果您没有 AWS 账户,请完成以下步骤来创建一个。
报名参加 AWS 账户
按照屏幕上的说明操作。
在注册时,将接到电话,要求使用电话键盘输入一个验证码。
当您注册时 AWS 账户,就会创建AWS 账户根用户一个。根用户有权访问该账户中的所有 AWS 服务 和资源。作为最佳安全实践,请为用户分配管理访问权限,并且只使用根用户来执行需要根用户访问权限的任务。
要创建管理员用户,请选择以下选项之一。
| 选择一种方法来管理您的管理员 | 目的 | 方式 | 您也可以 |
|---|---|---|---|
| 在 IAM Identity Center 中 (建议) |
使用短期凭证访问 AWS。 这符合安全最佳实操。有关最佳实践的信息,请参阅《IAM 用户指南》中的 IAM 中的安全最佳实践。 |
有关说明,请参阅《AWS IAM Identity Center 用户指南》中的入门。 | 通过在《AWS Command Line Interface 用户指南》 AWS IAM Identity Center中配置 AWS CLI 要使用的来配置编程访问权限。 |
| 在 IAM 中 (不推荐使用) |
使用长期凭证访问 AWS。 | 按照 IAM 用户指南中创建用于紧急访问的 IAM 用户中的说明进行操作。 | 在 IAM 用户指南中通过 “管理 IAM 用户访问密钥” 来配置编程访问权限。 |
步骤 2:为 IDT 配置权限
在此步骤中,配置 IDT for AWS IoT Greengrass V2 用于运行测试和收集 IDT 使用情况数据的权限。您可以使用 AWS Management Console 或 AWS Command Line Interface (AWS CLI)为 IDT 创建 IAM 策略和测试用户,然后将策略附加到用户。如果您已经为 IDT 创建了测试用户,请跳转至 配置设备以运行 IDT 测试。
-
登录 IAM 控制台
。 -
创建客户托管策略,该策略授权创建具有特定权限的角色。
-
在导航窗格中,选择 策略,然后选择 创建策略。
-
如果您未使用 PreInstalled,请在 JSON 选项卡上将占位符内容替换为以下策略。如果您正在使用 PreInstalled,请继续执行以下步骤。
{ "Version":"2012-10-17", "Statement":[ { "Sid":"passRoleForResources", "Effect":"Allow", "Action":"iam:PassRole", "Resource":"arn:aws:iam::*:role/idt-*", "Condition":{ "StringEquals":{ "iam:PassedToService":[ "iot.amazonaws.com", "lambda.amazonaws.com", "greengrass.amazonaws.com" ] } } }, { "Sid":"lambdaResources", "Effect":"Allow", "Action":[ "lambda:CreateFunction", "lambda:PublishVersion", "lambda:DeleteFunction", "lambda:GetFunction" ], "Resource":[ "arn:aws:lambda:*:*:function:idt-*" ] }, { "Sid":"iotResources", "Effect":"Allow", "Action":[ "iot:CreateThing", "iot:DeleteThing", "iot:DescribeThing", "iot:CreateThingGroup", "iot:DeleteThingGroup", "iot:DescribeThingGroup", "iot:AddThingToThingGroup", "iot:RemoveThingFromThingGroup", "iot:AttachThingPrincipal", "iot:DetachThingPrincipal", "iot:UpdateCertificate", "iot:DeleteCertificate", "iot:CreatePolicy", "iot:AttachPolicy", "iot:DetachPolicy", "iot:DeletePolicy", "iot:GetPolicy", "iot:Publish", "iot:TagResource", "iot:ListThingPrincipals", "iot:ListAttachedPolicies", "iot:ListTargetsForPolicy", "iot:ListThingGroupsForThing", "iot:ListThingsInThingGroup", "iot:CreateJob", "iot:DescribeJob", "iot:DescribeJobExecution", "iot:CancelJob" ], "Resource":[ "arn:aws:iot:*:*:thing/idt-*", "arn:aws:iot:*:*:thinggroup/idt-*", "arn:aws:iot:*:*:policy/idt-*", "arn:aws:iot:*:*:cert/*", "arn:aws:iot:*:*:topic/idt-*", "arn:aws:iot:*:*:job/*" ] }, { "Sid":"s3Resources", "Effect":"Allow", "Action":[ "s3:GetObject", "s3:PutObject", "s3:DeleteObjectVersion", "s3:DeleteObject", "s3:CreateBucket", "s3:ListBucket", "s3:ListBucketVersions", "s3:DeleteBucket", "s3:PutObjectTagging", "s3:PutBucketTagging" ], "Resource":"arn:aws:s3::*:idt-*" }, { "Sid":"roleAliasResources", "Effect":"Allow", "Action":[ "iot:CreateRoleAlias", "iot:DescribeRoleAlias", "iot:DeleteRoleAlias", "iot:TagResource", "iam:GetRole" ], "Resource":[ "arn:aws:iot:*:*:rolealias/idt-*", "arn:aws:iam::*:role/idt-*" ] }, { "Sid":"idtExecuteAndCollectMetrics", "Effect":"Allow", "Action":[ "iot-device-tester:SendMetrics", "iot-device-tester:SupportedVersion", "iot-device-tester:LatestIdt", "iot-device-tester:CheckVersion", "iot-device-tester:DownloadTestSuite" ], "Resource":"*" }, { "Sid":"genericResources", "Effect":"Allow", "Action":[ "greengrass:*", "iot:GetThingShadow", "iot:UpdateThingShadow", "iot:ListThings", "iot:DescribeEndpoint", "iot:CreateKeysAndCertificate" ], "Resource":"*" }, { "Sid":"iamResourcesUpdate", "Effect":"Allow", "Action":[ "iam:CreateRole", "iam:DeleteRole", "iam:CreatePolicy", "iam:DeletePolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:TagRole", "iam:TagPolicy", "iam:GetPolicy", "iam:ListAttachedRolePolicies", "iam:ListEntitiesForPolicy" ], "Resource":[ "arn:aws:iam::*:role/idt-*", "arn:aws:iam::*:policy/idt-*" ] } ] } -
如果您使用的是 PreInstalled,请在 JSON 选项卡上将占位符内容替换为以下策略。请确保:
-
将
iotResources语句thingGroup中的thingName和替换为在被测设备 (DUT) 上安装 Greengrass 期间创建的事物名称和事物组,以添加权限。 -
将语句
passRole和roleAliasResources语句roleAlias中的和替换为passRoleForResources在 DUT 上安装 Greengrass 期间创建的角色。
{ "Version":"2012-10-17", "Statement":[ { "Sid":"passRoleForResources", "Effect":"Allow", "Action":"iam:PassRole", "Resource":"arn:aws:iam::*:role/passRole", "Condition":{ "StringEquals":{ "iam:PassedToService":[ "iot.amazonaws.com", "lambda.amazonaws.com", "greengrass.amazonaws.com" ] } } }, { "Sid":"lambdaResources", "Effect":"Allow", "Action":[ "lambda:CreateFunction", "lambda:PublishVersion", "lambda:DeleteFunction", "lambda:GetFunction" ], "Resource":[ "arn:aws:lambda:*:*:function:idt-*" ] }, { "Sid":"iotResources", "Effect":"Allow", "Action":[ "iot:CreateThing", "iot:DeleteThing", "iot:DescribeThing", "iot:CreateThingGroup", "iot:DeleteThingGroup", "iot:DescribeThingGroup", "iot:AddThingToThingGroup", "iot:RemoveThingFromThingGroup", "iot:AttachThingPrincipal", "iot:DetachThingPrincipal", "iot:UpdateCertificate", "iot:DeleteCertificate", "iot:CreatePolicy", "iot:AttachPolicy", "iot:DetachPolicy", "iot:DeletePolicy", "iot:GetPolicy", "iot:Publish", "iot:TagResource", "iot:ListThingPrincipals", "iot:ListAttachedPolicies", "iot:ListTargetsForPolicy", "iot:ListThingGroupsForThing", "iot:ListThingsInThingGroup", "iot:CreateJob", "iot:DescribeJob", "iot:DescribeJobExecution", "iot:CancelJob" ], "Resource":[ "arn:aws:iot:*:*:thing/thingName", "arn:aws:iot:*:*:thinggroup/thingGroup", "arn:aws:iot:*:*:policy/idt-*", "arn:aws:iot:*:*:cert/*", "arn:aws:iot:*:*:topic/idt-*", "arn:aws:iot:*:*:job/*" ] }, { "Sid":"s3Resources", "Effect":"Allow", "Action":[ "s3:GetObject", "s3:PutObject", "s3:DeleteObjectVersion", "s3:DeleteObject", "s3:CreateBucket", "s3:ListBucket", "s3:ListBucketVersions", "s3:DeleteBucket", "s3:PutObjectTagging", "s3:PutBucketTagging" ], "Resource":"arn:aws:s3::*:idt-*" }, { "Sid":"roleAliasResources", "Effect":"Allow", "Action":[ "iot:CreateRoleAlias", "iot:DescribeRoleAlias", "iot:DeleteRoleAlias", "iot:TagResource", "iam:GetRole" ], "Resource":[ "arn:aws:iot:*:*:rolealias/roleAlias", "arn:aws:iam::*:role/idt-*" ] }, { "Sid":"idtExecuteAndCollectMetrics", "Effect":"Allow", "Action":[ "iot-device-tester:SendMetrics", "iot-device-tester:SupportedVersion", "iot-device-tester:LatestIdt", "iot-device-tester:CheckVersion", "iot-device-tester:DownloadTestSuite" ], "Resource":"*" }, { "Sid":"genericResources", "Effect":"Allow", "Action":[ "greengrass:*", "iot:GetThingShadow", "iot:UpdateThingShadow", "iot:ListThings", "iot:DescribeEndpoint", "iot:CreateKeysAndCertificate" ], "Resource":"*" }, { "Sid":"iamResourcesUpdate", "Effect":"Allow", "Action":[ "iam:CreateRole", "iam:DeleteRole", "iam:CreatePolicy", "iam:DeletePolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:TagRole", "iam:TagPolicy", "iam:GetPolicy", "iam:ListAttachedRolePolicies", "iam:ListEntitiesForPolicy" ], "Resource":[ "arn:aws:iam::*:role/idt-*", "arn:aws:iam::*:policy/idt-*" ] } ] }注意
如果您想使用自定义 IAM 角色作为被测设备的令牌交换角色,请务必更新策略中的
roleAliasResources语句和passRoleForResources语句以允许自定义 IAM 角色资源。 -
-
选择查看策略。
-
对于 Name (名称),请输入
IDTGreengrassIAMPermissions。在 Summary (摘要) 下,查看策略授予的权限。 -
选择创建策略。
-
-
创建 IAM 用户并附加 IDT for AWS IoT Greengrass所需的权限。
-
创建 IAM 用户。按照 IAM 用户指南的创建 IAM 用户(控制台)中的步骤 1 到 5 操作。
-
将权限附加到您的 IAM 用户:
-
在 Set permissions (设置权限) 页面上,选择 Attach existing policies to user directly (直接附加现有策略到用户)。
-
搜索您在上一步中创建的IDTGreengrassIAMPermissions策略。选中复选框。
-
-
选择下一步:标签。
-
选择 Next: Review (下一步:审核) 以查看您的选择摘要。
-
选择创建用户。
-
要查看用户的访问密钥(访问密钥 IDs 和私有访问密钥),请选择密码和访问密钥旁边的显示。要保存访问密钥,请选择Download.csv (下载 .csv),然后将文件保存到安全位置。稍后您可以使用此信息配置 AWS 凭证文件。
-
-
下一步:配置物理设备。
-
AWS CLI 如果尚未安装,请在您的计算机上进行安装和配置。按照《AWS Command Line Interface 用户指南》中安装 AWS CLI 的步骤来操作。
注意
AWS CLI 是一个开源工具,可用于通过命令行 shell 与 AWS 服务进行交互。
-
创建用于授予管理 IDT 和 AWS IoT Greengrass 角色的权限的客户托管策略。
-
如果您未使用 PreInstalled,请打开文本编辑器并将以下策略内容保存到 JSON 文件中。如果您正在使用 PreInstalled,请继续执行以下步骤。
{ "Version":"2012-10-17", "Statement":[ { "Sid":"passRoleForResources", "Effect":"Allow", "Action":"iam:PassRole", "Resource":"arn:aws:iam::*:role/idt-*", "Condition":{ "StringEquals":{ "iam:PassedToService":[ "iot.amazonaws.com", "lambda.amazonaws.com", "greengrass.amazonaws.com" ] } } }, { "Sid":"lambdaResources", "Effect":"Allow", "Action":[ "lambda:CreateFunction", "lambda:PublishVersion", "lambda:DeleteFunction", "lambda:GetFunction" ], "Resource":[ "arn:aws:lambda:*:*:function:idt-*" ] }, { "Sid":"iotResources", "Effect":"Allow", "Action":[ "iot:CreateThing", "iot:DeleteThing", "iot:DescribeThing", "iot:CreateThingGroup", "iot:DeleteThingGroup", "iot:DescribeThingGroup", "iot:AddThingToThingGroup", "iot:RemoveThingFromThingGroup", "iot:AttachThingPrincipal", "iot:DetachThingPrincipal", "iot:UpdateCertificate", "iot:DeleteCertificate", "iot:CreatePolicy", "iot:AttachPolicy", "iot:DetachPolicy", "iot:DeletePolicy", "iot:GetPolicy", "iot:Publish", "iot:TagResource", "iot:ListThingPrincipals", "iot:ListAttachedPolicies", "iot:ListTargetsForPolicy", "iot:ListThingGroupsForThing", "iot:ListThingsInThingGroup", "iot:CreateJob", "iot:DescribeJob", "iot:DescribeJobExecution", "iot:CancelJob" ], "Resource":[ "arn:aws:iot:*:*:thing/idt-*", "arn:aws:iot:*:*:thinggroup/idt-*", "arn:aws:iot:*:*:policy/idt-*", "arn:aws:iot:*:*:cert/*", "arn:aws:iot:*:*:topic/idt-*", "arn:aws:iot:*:*:job/*" ] }, { "Sid":"s3Resources", "Effect":"Allow", "Action":[ "s3:GetObject", "s3:PutObject", "s3:DeleteObjectVersion", "s3:DeleteObject", "s3:CreateBucket", "s3:ListBucket", "s3:ListBucketVersions", "s3:DeleteBucket", "s3:PutObjectTagging", "s3:PutBucketTagging" ], "Resource":"arn:aws:s3::*:idt-*" }, { "Sid":"roleAliasResources", "Effect":"Allow", "Action":[ "iot:CreateRoleAlias", "iot:DescribeRoleAlias", "iot:DeleteRoleAlias", "iot:TagResource", "iam:GetRole" ], "Resource":[ "arn:aws:iot:*:*:rolealias/idt-*", "arn:aws:iam::*:role/idt-*" ] }, { "Sid":"idtExecuteAndCollectMetrics", "Effect":"Allow", "Action":[ "iot-device-tester:SendMetrics", "iot-device-tester:SupportedVersion", "iot-device-tester:LatestIdt", "iot-device-tester:CheckVersion", "iot-device-tester:DownloadTestSuite" ], "Resource":"*" }, { "Sid":"genericResources", "Effect":"Allow", "Action":[ "greengrass:*", "iot:GetThingShadow", "iot:UpdateThingShadow", "iot:ListThings", "iot:DescribeEndpoint", "iot:CreateKeysAndCertificate" ], "Resource":"*" }, { "Sid":"iamResourcesUpdate", "Effect":"Allow", "Action":[ "iam:CreateRole", "iam:DeleteRole", "iam:CreatePolicy", "iam:DeletePolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:TagRole", "iam:TagPolicy", "iam:GetPolicy", "iam:ListAttachedRolePolicies", "iam:ListEntitiesForPolicy" ], "Resource":[ "arn:aws:iam::*:role/idt-*", "arn:aws:iam::*:policy/idt-*" ] } ] } -
如果您正在使用 PreInstalled,请打开文本编辑器并将以下策略内容保存到 JSON 文件中。请确保:
-
thingGroup在被测设备 (DUT) 上安装 Greengrass 期间创建的iotResources语句中替换thingName和,以添加权限。 -
将语句
passRole和roleAliasResources语句roleAlias中的和替换为passRoleForResources在 DUT 上安装 Greengrass 期间创建的角色。
{ "Version":"2012-10-17", "Statement":[ { "Sid":"passRoleForResources", "Effect":"Allow", "Action":"iam:PassRole", "Resource":"arn:aws:iam::*:role/passRole", "Condition":{ "StringEquals":{ "iam:PassedToService":[ "iot.amazonaws.com", "lambda.amazonaws.com", "greengrass.amazonaws.com" ] } } }, { "Sid":"lambdaResources", "Effect":"Allow", "Action":[ "lambda:CreateFunction", "lambda:PublishVersion", "lambda:DeleteFunction", "lambda:GetFunction" ], "Resource":[ "arn:aws:lambda:*:*:function:idt-*" ] }, { "Sid":"iotResources", "Effect":"Allow", "Action":[ "iot:CreateThing", "iot:DeleteThing", "iot:DescribeThing", "iot:CreateThingGroup", "iot:DeleteThingGroup", "iot:DescribeThingGroup", "iot:AddThingToThingGroup", "iot:RemoveThingFromThingGroup", "iot:AttachThingPrincipal", "iot:DetachThingPrincipal", "iot:UpdateCertificate", "iot:DeleteCertificate", "iot:CreatePolicy", "iot:AttachPolicy", "iot:DetachPolicy", "iot:DeletePolicy", "iot:GetPolicy", "iot:Publish", "iot:TagResource", "iot:ListThingPrincipals", "iot:ListAttachedPolicies", "iot:ListTargetsForPolicy", "iot:ListThingGroupsForThing", "iot:ListThingsInThingGroup", "iot:CreateJob", "iot:DescribeJob", "iot:DescribeJobExecution", "iot:CancelJob" ], "Resource":[ "arn:aws:iot:*:*:thing/thingName", "arn:aws:iot:*:*:thinggroup/thingGroup", "arn:aws:iot:*:*:policy/idt-*", "arn:aws:iot:*:*:cert/*", "arn:aws:iot:*:*:topic/idt-*", "arn:aws:iot:*:*:job/*" ] }, { "Sid":"s3Resources", "Effect":"Allow", "Action":[ "s3:GetObject", "s3:PutObject", "s3:DeleteObjectVersion", "s3:DeleteObject", "s3:CreateBucket", "s3:ListBucket", "s3:ListBucketVersions", "s3:DeleteBucket", "s3:PutObjectTagging", "s3:PutBucketTagging" ], "Resource":"arn:aws:s3::*:idt-*" }, { "Sid":"roleAliasResources", "Effect":"Allow", "Action":[ "iot:CreateRoleAlias", "iot:DescribeRoleAlias", "iot:DeleteRoleAlias", "iot:TagResource", "iam:GetRole" ], "Resource":[ "arn:aws:iot:*:*:rolealias/roleAlias", "arn:aws:iam::*:role/idt-*" ] }, { "Sid":"idtExecuteAndCollectMetrics", "Effect":"Allow", "Action":[ "iot-device-tester:SendMetrics", "iot-device-tester:SupportedVersion", "iot-device-tester:LatestIdt", "iot-device-tester:CheckVersion", "iot-device-tester:DownloadTestSuite" ], "Resource":"*" }, { "Sid":"genericResources", "Effect":"Allow", "Action":[ "greengrass:*", "iot:GetThingShadow", "iot:UpdateThingShadow", "iot:ListThings", "iot:DescribeEndpoint", "iot:CreateKeysAndCertificate" ], "Resource":"*" }, { "Sid":"iamResourcesUpdate", "Effect":"Allow", "Action":[ "iam:CreateRole", "iam:DeleteRole", "iam:CreatePolicy", "iam:DeletePolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:TagRole", "iam:TagPolicy", "iam:GetPolicy", "iam:ListAttachedRolePolicies", "iam:ListEntitiesForPolicy" ], "Resource":[ "arn:aws:iam::*:role/idt-*", "arn:aws:iam::*:policy/idt-*" ] } ] }注意
如果您想使用自定义 IAM 角色作为被测设备的令牌交换角色,请务必更新策略中的
roleAliasResources语句和passRoleForResources语句以允许自定义 IAM 角色资源。 -
-
运行以下命令,创建名为
IDTGreengrassIAMPermissions的客户管理型策略。将policy.jsonaws iam create-policy --policy-name IDTGreengrassIAMPermissions --policy-document file://policy.json
-
-
创建 IAM 用户并附加 IDT for AWS IoT Greengrass所需的权限。
-
创建 IAM 用户。在此示例设置中,用户被命名为
IDTGreengrassUser。aws iam create-user --user-name IDTGreengrassUser -
将您在步骤 2 中创建的
IDTGreengrassIAMPermissions策略附加到您的 IAM 用户。<account-id>在命令中替换为您的 ID AWS 账户。aws iam attach-user-policy --user-name IDTGreengrassUser --policy-arn arn:aws:iam::<account-id>:policy/IDTGreengrassIAMPermissions
-
-
为用户创建私密访问密钥。
aws iam create-access-key --user-name IDTGreengrassUser将输出存储在安全位置。您稍后将使用此信息来配置您的 AWS 凭证文件。
-
下一步:配置物理设备。
AWS IoT Device Tester 权限
以下策略描述了 AWS IoT Device Tester 权限。
AWS IoT Device Tester 需要这些权限才能使用版本检查和自动更新功能。
-
iot-device-tester:SupportedVersion授 AWS IoT Device Tester 予获取受支持产品、测试套件和 IDT 版本列表的权限。
-
iot-device-tester:LatestIdt授 AWS IoT Device Tester 予获取可供下载的最新 IDT 版本的权限。
-
iot-device-tester:CheckVersion授 AWS IoT Device Tester 予检查 IDT、测试套件和产品的版本兼容性的权限。
-
iot-device-tester:DownloadTestSuite授 AWS IoT Device Tester 予下载测试套件更新的权限。
AWS IoT Device Tester 还使用以下权限来报告可选指标:
-
iot-device-tester:SendMetrics授予收集 AWS 有关 AWS IoT Device Tester 内部使用情况的指标的权限。如果省略此权限,则不会收集这些指标。
