AWS IoT Greengrass
AWS IoT Greengrass is an AWS IoT service that enables edge devices with customizable/downloadable/installable "components" that can be run to augment what's running on the edge device itself. AWS IoT Greengrass permits the creation and publication of a "Greengrass Component" that is effectively a set of instructions and artifacts that, when installed and run, create and initiate a custom specified service.
For more information about AWS IoT Core and AWS Greengrass please review: AWS IoT Greengrass
The Edge Impulse integration with AWS IoT Core and AWS IoT Greengrass is as follows:
Edge Impulse Linux/Runner services now have a "--greengrass" option that enables the integration.
AWS Secrets Manager is used to protect the Edge Impulse API Key by keeping it out of view in command-line arguments.
The Greengrass Token Exchange Role must have Secrets Manager and IoT Core publication permission for the integration to operate correctly.
Edge Impulse has several custom Greengrass components that can be deployed and run on the Greengrass-enabled edge device for several purposes outlined below. The component recipes and artifacts can be found here: Repo.
For more information regarding the Edge Impulse Linux/Runner please review: Edge Impulse for Linux Node.js SDK.
The "edge-impulse-linux-service" allows a Linux-based edge device to register itself with the Edge Impulse Studio service as a device capable of relaying its sensor data (typically camera, microphone, etc.) to the Edge Impulse service to be used for data creation and model testing. The associated Greengrass component for this service allows for easy, scalable deployment of this service to edge devices.
This component will attempt to capture camera devices so typically it cannot be installed in the same edge device that has the "edge-impulse-linux-runner" component (described below) at the same time.
The "edge-impulse-linux-runner" service downloads, configures, installs, and executes an Edge Impulse model, developed for the specific edge device, and provides the ability to retrieve model inference results. In this case, our component for this service will relay the inference results into AWS IoT Core under the following topic:
This component will attempt to capture camera devices so typically it cannot be installed in the same edge device that has the "edge-impulse-linux-runner" component (described prior) at the same time.
The "edge-impulse-run-impulse" service is typically used when you want to use an MCU-based device to run the Edge Impulse model and you further want that device tethered to an edge device via serial/USB connections to allow its inference results to be relayed upstream. As with the "edge-impulse-linux-runner" service, the "edge-impulse-run-impulse" component will relay inference results into AWS IoT Core via the same topic structure:
The following sections outline how one installs AWS IoT Greengrass... then installs the Edge Impulse custom components for inclusion into a Greengrass deployment down to edge devices.
AWS IoT Greengrass is based on Java and thus a Java runtime must be installed. For most Linux-based devices a suitable Java can be run by simply typing:
Additionally, it's recommended to update your Linux device with the latest security patches and updates if available.
Greengrass is typically installed from within the AWS Console -> AWS IoT Core -> Greengrass -> Core Devices menu... select/press "Set up one core device":
It is recommended that you create a Deployment in Greengrass for your newly added Greengrass edge device and add the following available AWS Components:
Clone this repo to retrieve the Edge Impulse component recipes (yaml files) and the associated artifacts: Repo.
First, you need to go to the S3 console in AWS via AWS Console -> S3. From there, you will create an S3 bucket. For the sake of example, we name this bucket "MyS3Bucket123".
Next, the following directory structure needs to be created in your new bucket:
Next, navigate to the "1.0.0" directory in your S3 bucket and then press "Upload" to upload the artifacts into the bucket. You need to upload the following files (these will be located in the ./artifacts/EdgeImpulseServiceComponent/1.0.0 from your cloned repo starting in the "AWSGreengrassComponents" subdirectory). Please upload ALL of these files into S3 at the above directory location:
Your S3 Bucket contents should look like this:
Next we need to customize our Greengrass component recipe files to reflect the actual location of our artifacts stored in S3. Please replace ALL occurrences of "mys3repo123987" with your S3 bucket name (i.e. "MyS3Bucket123"). Please do this for each of the 3 yaml files you have in your cloned repo under "./AWSGreengrassComponents".
Additionally, we can customize the defaulted configuration of your custom component by editing, within each yaml file, the default configuration JSON. Each yaml file's JSON is DIFFERENT... so don't edit one then copy to the other 2 yaml files... that will break your components. You must edit each yaml file separately without copy/paste of this json information.
The default configuration contains the following attributes:
The attributes in each of the above default configurations are outlined below:
node_version: Version of NodeJS to be installed by the component
vips_version: Version of the libvips library to be compiled/installed by the component
device_name: Template for the name of the device in EdgeImpulse... a unique suffix will be added to the name to prevent collisions when deploying to groups of devices
launch: service launch type (typically just leave this as-is)
sleep_time_sec: wait loop sleep time (component lifecycle stuff... leave as-is)
lock_filename: name of lock file for this component (leave as-is)
gst_args: optional GStreamer args, spaces replaced with ":", for custom video invocations
eiparams: additional parameters for launching the Edge Impulse service (leave as-is)
iotcore_backoff: number of inferences to "skip" before publication to AWS IoTCore... this is used to control publication frequency (AWS $$...)
iotcore_qos: MQTT QoS (typically leave as-is)
ei_bindir: Typical location of where the Edge Impulse services are installed (leave as-is)
ei_ggc_user_groups: A list of additional groups the Greengrass service user account will need to be a member of to allow the Edge Impulse service to invoke and operate correctly (typically leave as-is). For JetPack v6.x and above, please add "render" as an additional group.
ei_sm_secret_id: ID of the Edge Impulse API Key within AWS Secrets Manager
ei_sm_secret_name: Name of the Edge Impulse API Key within AWS Secrets Manager
install_kvssink: Option (default: "no", on: "yes") to build and make ready the kvssink gstreamer plugin
publish_inference_base64_image: Option (default: "no", on: "yes") to include a base64 encoded image that the inference result was based on
enable_cache_to_file: Option (default: "no", on: "yes") to enable both inference and associated image to get written to a specified local directory as a pair: .img and .json for each inference identified with a
cache_file_directory: Option (default: "none") to specify the local directory when enable_cache_to_file is set to "yes"
First we have to create an API Key in Edge Impulse via the Studio.
Next, we will go into AWS Console -> Secrets Manager and press "Store a new secret". From there we will specify:
From the AWS Console -> IoT Core -> Greengrass -> Components, select "Create component". Then:
If formatting and artifact access checks out OK, you should have a newly created component listed in your Custom Components AWS dashboard. You will need to repeat these steps for the other 2 components:
When you run a Greengrass component within Greengrass, a service user (typically a Linux user called "Greengrassc_user") invokes the component, as specified in the lifecycle section of your recipe. Credentials are passed to the invoked process via its environment (NOT by the login environment of the "Greengrassc_user"...) during the invocation spawning process. These credentials are used by the spawned process (typically via the AWS SDK which is part of the spawned process...) to connect back to AWS and "do stuff". These permissions are controlled by an AWS IAM Role called "GreengrassV2TokenExchangeRole". We need to modify that role and add "Full AWS IoT Core Permission" as well as "AWS Secrets Manager Read/Write" permission.
To modify the role, from the AWS Console -> IAM -> Roles search for "GreengrassV2TokenExchangeRole", then:
When done, your GreengrassV2TokenExchangeRole should now show that it has "AWSIoTFullAccess", "S3FullAccess" and "SecretsManagerReadWrite" permissions added to it.
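The managed policies listed above grant service-wide access to every core device that assumes this role, so it is worth checking a policy document for wildcard grants before attaching it. The following is an added example, not code from Edge Impulse or AWS: a small static check run over two constructed policies. The account id, region, `<ei-secret-name>` and `<inference-topic-prefix>` are placeholders, and the scoped policy assumes the component only reads the secret, publishes to its topic and downloads artifacts from the example bucket.

```python
# Added example: flag over-broad Allow statements in an IAM policy document (all ARNs constructed).

def _as_list(value):
    """IAM accepts a single value wherever a list is valid."""
    return value if isinstance(value, list) else [] if value is None else [value]

def audit(policy):
    """Return (sid, problem) pairs for Allow statements that grant too much."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        # NotAction/NotResource allow everything except a list, which is broad by design.
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append((sid, f"{key} grants by exclusion"))
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append((sid, f"wildcard action {action}"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((sid, "applies to every resource"))
    return findings

BROAD = {  # constructed stand-in for service-wide "full access" grants
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Iot", "Effect": "Allow", "Action": "iot:*", "Resource": "*"},
        {"Sid": "S3", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Sid": "Secrets", "Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"},
    ],
}

SCOPED = {  # assumption: read one secret, publish inference results, fetch artifacts
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadEiKey", "Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:<ei-secret-name>-*"},
        {"Sid": "PublishInference", "Effect": "Allow", "Action": "iot:Publish",
         "Resource": "arn:aws:iot:us-east-1:111122223333:topic/<inference-topic-prefix>/*"},
        {"Sid": "FetchArtifacts", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::MyS3Bucket123/*"},
    ],
}

if __name__ == "__main__":
    print({"BROAD": audit(BROAD), "SCOPED": audit(SCOPED)})
```

If a component turns out to need more than the scoped statements allow, the denied action appears in its log under /greengrass/v2/logs and can be added to the policy individually.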
Almost done! We can now go back to the AWS Console -> IoT Core -> Greengrass -> Deployments page and select a deployment (or create a new one!) to deploy our component down to a selected gateway or group of gateways as needed.
When performing the deployment, it's quite common, when selecting one of our newly created custom components, to then "Customize" that component by selecting it for "Customization" and entering a new JSON structure (same structure as what's found in the component's associated YAML file for the default configuration) that can be adjusted for a specific deployment (i.e. perhaps you want to change the DeviceName for this particular deployment or specify "gst_args" for a specific edge device(s) camera, etc...). This highlights the power and utility of the component and its deployment mechanism in AWS IoT Greengrass.
After the deployment is initiated, on the FIRST invocation of a given deployment, expect to wait several moments (upwards of 5-10 min in fact) while the component installs all of the necessary pre-requisites that the component requires... this can take some time so be patient. You can also log into the edge gateway, receiving the component, and examine log files found in /greengrass/v2/logs. There you will see each component's current log file (same name as the component itself... i.e. EdgeImpulseLinuxServiceComponent.log...) where you can watch the installation and invocation as it happens... any errors you might suspect will be shown in those log files.
While the components are running, in addition to the /greengrass/v2/logs directory, each component has a runtime log in /tmp. The format of the log file is: "ei_lockfile_[linux | runner | serial]_<EI DEVICE>.log". Users can "tail" that log file to watch the component while it is running.
Additionally, for Jetson-based devices where the model has been compiled specifically for that platform, one can expect to have a 2-3 minute delay in the model being loaded into the GPU memory for the first time. Subsequent invocations will be very short.