參考文檔

https://docs.amazonaws.cn/en_us/greengrass/v2/developerguide/quick-installation.html?icmpid=docs_gg_console

過程記錄

准備自動化安裝過程中IAM需要的必要權限
https://docs.amazonaws.cn/en_us/greengrass/v2/developerguide/provision-minimal-iam-policy.html

本地用配置好的aws cli確認當前的IAM user

aws sts get-caller-identity

來到IAM控制臺中先創建一個policy. 注意替換account-id為自己的賬號ID, GreengrassV2TokenExchangeRole如果修改的話, 需要與後面安裝過程中在--tes-role-name後面指定的名稱一致(其實不用改, 後面不加參數默認用的就是這個名字). 另外注意此處內容中的arn:aws-cn與文檔中寫的arn:aws不一樣, 注意修改

{
    
    "Version": "2012-10-17",
    "Statement": [
        {
    
            "Sid": "CreateTokenExchangeRole",
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:GetPolicy",
                "iam:GetRole",
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws-cn:iam::account-id:role/GreengrassV2TokenExchangeRole",
                "arn:aws-cn:iam::account-id:policy/GreengrassV2TokenExchangeRoleAccess"
            ]
        },
        {
    
            "Sid": "CreateIoTResources",
            "Effect": "Allow",
            "Action": [
                "iot:AddThingToThingGroup",
                "iot:AttachPolicy",
                "iot:AttachThingPrincipal",
                "iot:CreateKeysAndCertificate",
                "iot:CreatePolicy",
                "iot:CreateRoleAlias",
                "iot:CreateThing",
                "iot:CreateThingGroup",
                "iot:DescribeEndpoint",
                "iot:DescribeRoleAlias",
                "iot:DescribeThingGroup",
                "iot:GetPolicy"
            ],
            "Resource": "*"
        },
        {
    
            "Sid": "DeployDevTools",
            "Effect": "Allow",
            "Action": [
                "greengrass:CreateDeployment",
                "iot:CancelJob",
                "iot:CreateJob",
                "iot:DeleteThingShadow",
                "iot:DescribeJob",
                "iot:DescribeThing",
                "iot:DescribeThingGroup",
                "iot:GetThingShadow",
                "iot:UpdateJob",
                "iot:UpdateThingShadow"
            ],
            "Resource": "*"
        }
    ]
}

將policy應用到aws cli關聯使用的用戶

SSH到樹莓派

# 安裝jre(11)
sudo apt install -y default-jre

# 創建用戶
sudo useradd --system --create-home ggc_user
sudo groupadd --system ggc_group

# 修改cgroups啟動參數
sudo vi /boot/cmdline.txt
# 在末尾追加下面內容
cgroup_enable=memory cgroup_memory=1 systemd.unified_cgroup_hierarchy=0

# 改完重啟
sudo reboot

# 重啟後使用上面配置好IAM policy的user的AK/SK信息配置系統環境變量
export AWS_ACCESS_KEY_ID=xxxx
export AWS_SECRET_ACCESS_KEY=xxxx

# 下載安裝包
cd ~
curl -s https://d2s8p88vqu9w66.cloudfront.net/releases/greengrass-nucleus-latest.zip > greengrass-nucleus-latest.zip && unzip greengrass-nucleus-latest.zip -d GreengrassCore

# 檢查安裝包內的GreenGrass版本信息
java -jar ./GreengrassCore/lib/Greengrass.jar --version
# AWS Greengrass v2.5.6

# 執行安裝
sudo -E java -Droot="/greengrass/v2" -Dlog.store=FILE -jar ./GreengrassCore/lib/Greengrass.jar --aws-region cn-north-1 --thing-name GreengrassRaspberryPi  --component-default-user ggc_user:ggc_group --provision true --setup-system-service true --deploy-dev-tools true

安裝過程中輸出內容:

Provisioning AWS IoT resources for the device with IoT Thing Name: [GreengrassRaspberryPi]...
Found IoT policy "GreengrassV2IoTThingPolicy", reusing it
Creating keys and certificate...
Attaching policy to certificate...
Creating IoT Thing "GreengrassRaspberryPi"...
Attaching certificate to IoT thing...
Successfully provisioned AWS IoT resources for the device with IoT Thing Name: [GreengrassRaspberryPi]!
Setting up resources for aws.greengrass.TokenExchangeService ...
TES role alias "GreengrassV2TokenExchangeRoleAlias" does not exist, creating new alias...
TES role "GreengrassV2TokenExchangeRole" does not exist, creating role...
IoT role policy "GreengrassTESCertificatePolicyGreengrassV2TokenExchangeRoleAlias" for TES Role alias not exist, creating policy...
Attaching TES role policy to IoT thing...
No managed IAM policy found, looking for user defined policy...
No IAM policy found, will attempt creating one...
IAM role policy for TES "GreengrassV2TokenExchangeRoleAccess" created. This policy DOES NOT have S3 access, please modify it with your private components' artifact buckets/objects as needed when you create and deploy private components
Attaching IAM role policy for TES to IAM role for TES...
Configuring Nucleus with provisioned resource details...
Downloading Root CA from "https://www.amazontrust.com/repository/AmazonRootCA1.pem"
Created device configuration
Successfully configured Nucleus with provisioned resource details!
Creating a deployment for Greengrass first party components to the device
Configured Nucleus to deploy aws.greengrass.Cli component
Creating user ggc_user
ggc_user created
Creating group ggc_group
ggc_group created
Added ggc_user to ggc_group
Successfully set up Nucleus as a system service

安裝成功後即可在Amazon IoT控制臺中看到設備的狀態: