参考文档

https://docs.amazonaws.cn/en_us/greengrass/v2/developerguide/quick-installation.html?icmpid=docs_gg_console

过程记录

准备自动化安装过程中IAM需要的必要权限
https://docs.amazonaws.cn/en_us/greengrass/v2/developerguide/provision-minimal-iam-policy.html

本地用配置好的aws cli确认当前的IAM user

aws sts get-caller-identity

来到IAM控制台中先创建一个policy. 注意替换account-id为自己的账号ID, GreengrassV2TokenExchangeRole如果修改的话, 需要与后面安装过程中在--tes-role-name后面指定的名称一致(其实不用改, 后面不加参数默认用的就是这个名字). 另外注意此处内容中的arn:aws-cn与文档中写的arn:aws不一样, 注意修改

{
    
    "Version": "2012-10-17",
    "Statement": [
        {
    
            "Sid": "CreateTokenExchangeRole",
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:GetPolicy",
                "iam:GetRole",
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws-cn:iam::account-id:role/GreengrassV2TokenExchangeRole",
                "arn:aws-cn:iam::account-id:policy/GreengrassV2TokenExchangeRoleAccess"
            ]
        },
        {
    
            "Sid": "CreateIoTResources",
            "Effect": "Allow",
            "Action": [
                "iot:AddThingToThingGroup",
                "iot:AttachPolicy",
                "iot:AttachThingPrincipal",
                "iot:CreateKeysAndCertificate",
                "iot:CreatePolicy",
                "iot:CreateRoleAlias",
                "iot:CreateThing",
                "iot:CreateThingGroup",
                "iot:DescribeEndpoint",
                "iot:DescribeRoleAlias",
                "iot:DescribeThingGroup",
                "iot:GetPolicy"
            ],
            "Resource": "*"
        },
        {
    
            "Sid": "DeployDevTools",
            "Effect": "Allow",
            "Action": [
                "greengrass:CreateDeployment",
                "iot:CancelJob",
                "iot:CreateJob",
                "iot:DeleteThingShadow",
                "iot:DescribeJob",
                "iot:DescribeThing",
                "iot:DescribeThingGroup",
                "iot:GetThingShadow",
                "iot:UpdateJob",
                "iot:UpdateThingShadow"
            ],
            "Resource": "*"
        }
    ]
}

将policy应用到aws cli关联使用的用户

SSH到树莓派

# 安装jre(11)
sudo apt install -y default-jre

# 创建用户
sudo useradd --system --create-home ggc_user
sudo groupadd --system ggc_group

# 修改cgroups启动参数
sudo vi /boot/cmdline.txt
# 在末尾追加下面内容
cgroup_enable=memory cgroup_memory=1 systemd.unified_cgroup_hierarchy=0

# 改完重启
sudo reboot

# 重启后使用上面配置好IAM policy的user的AK/SK信息配置系统环境变量
export AWS_ACCESS_KEY_ID=xxxx
export AWS_SECRET_ACCESS_KEY=xxxx

# 下载安装包
cd ~
curl -s https://d2s8p88vqu9w66.cloudfront.net/releases/greengrass-nucleus-latest.zip > greengrass-nucleus-latest.zip && unzip greengrass-nucleus-latest.zip -d GreengrassCore

# 检查安装包内的GreenGrass版本信息
java -jar ./GreengrassCore/lib/Greengrass.jar --version
# AWS Greengrass v2.5.6

# 执行安装
sudo -E java -Droot="/greengrass/v2" -Dlog.store=FILE -jar ./GreengrassCore/lib/Greengrass.jar --aws-region cn-north-1 --thing-name GreengrassRaspberryPi  --component-default-user ggc_user:ggc_group --provision true --setup-system-service true --deploy-dev-tools true

安装过程中输出内容:

Provisioning AWS IoT resources for the device with IoT Thing Name: [GreengrassRaspberryPi]...
Found IoT policy "GreengrassV2IoTThingPolicy", reusing it
Creating keys and certificate...
Attaching policy to certificate...
Creating IoT Thing "GreengrassRaspberryPi"...
Attaching certificate to IoT thing...
Successfully provisioned AWS IoT resources for the device with IoT Thing Name: [GreengrassRaspberryPi]!
Setting up resources for aws.greengrass.TokenExchangeService ...
TES role alias "GreengrassV2TokenExchangeRoleAlias" does not exist, creating new alias...
TES role "GreengrassV2TokenExchangeRole" does not exist, creating role...
IoT role policy "GreengrassTESCertificatePolicyGreengrassV2TokenExchangeRoleAlias" for TES Role alias not exist, creating policy...
Attaching TES role policy to IoT thing...
No managed IAM policy found, looking for user defined policy...
No IAM policy found, will attempt creating one...
IAM role policy for TES "GreengrassV2TokenExchangeRoleAccess" created. This policy DOES NOT have S3 access, please modify it with your private components' artifact buckets/objects as needed when you create and deploy private components
Attaching IAM role policy for TES to IAM role for TES...
Configuring Nucleus with provisioned resource details...
Downloading Root CA from "https://www.amazontrust.com/repository/AmazonRootCA1.pem"
Created device configuration
Successfully configured Nucleus with provisioned resource details!
Creating a deployment for Greengrass first party components to the device
Configured Nucleus to deploy aws.greengrass.Cli component
Creating user ggc_user
ggc_user created
Creating group ggc_group
ggc_group created
Added ggc_user to ggc_group
Successfully set up Nucleus as a system service

安装成功后即可在Amazon IoT控制台中看到设备的状态: