AWS for Industries

How to manage multiple IoT gateways using AWS Systems Manager


As industrial companies move toward the future of production by connecting their factories and developing faster, cheaper production method, they also face new and significant challenges. One of those challenges is reducing the time and effort to connect equipment across facilities, while maintaining edge connections. Industrial companies are often complex organizations, involving multiple AWS accounts. These can be organized by environments, projects, departments or factories. This gives rise to the need to be able to manage those device fleets remotely from a single AWS account, to maintain control and reduce complexity, resulting in faster operations and improved agility.

While there are many different ways & tools to remotely manage applications running at the edge from a central point of administration, this blog post focuses on how to do remotely install AWS IoT Greengrass v1 by using AWS Systems Manager from a single AWS account.

How to install AWS IoT Greengrass v1 using Run Command

AWS Systems Manager (formerly known as SSM) is an AWS service that allows you to view and control your infrastructure on AWS and in other environment such as On-Premise facilities. Supported machine types include Amazon Elastic Compute Cloud (Amazon EC2) instances, on-premises servers, and virtual machines (VMs), including VMs in other cloud environments. Supported operating system types include Windows Server, macOS, Raspbian, and multiple distributions of Linux.

AWS Systems Manager is a serverless service, which means you won’t need to provide and manage infrastructures to use it. With AWS Systems Manager, you pay only for what you use on the priced features, as you use them. There are no minimum fees or upfront commitments (more information here). AWS Systems Manager provides a set of features such as Automation, Run-Command, Parameter Store, Patch Manager and Inventory that are particularly useful when managing multiple devices remotely.

The architecture diagram below describes how the different AWS accounts interact with AWS IoT Greengrass v1 (GGv1) and Raspberry Pis (RPI). There are 2 accounts (account A & B) running with AWS IoT Core, that are used to separate the factories / projects within AWS. A “management” AWS account is then used to centralize operations on the remote devices.

Once you’ve registered your devices to AWS Systems Manager, you can either use Run command to run a script (Unix shell / PowerShell) to one or multiple devices, or use Automation documents to run those scripts automatically (Python scripts).

In this next section, you will le­­arn how to run the installation script remotely, by using Run Command.

How to run installation script remotely, with AWS Systems Manager


Before reading the rest of this section, we highly recommend you to read through the “Manage Raspberry Pi devices using AWS Systems Manager” blogpost (link here). This will help you getting started by connecting your devices to AWS Systems Manager, which is a requirement to complete GGv1 installation.

If you do not have access to RPIs devices, you can still test that procedure by deploying Amazon EC2 Instances (link to the documentation) and by connecting them to Systems Manager (link to the documentation).

To complete this procedure, you will need:

  • An AWS account (optional: 2 can be used to test on a multi account context).
  • An edge device such as a RPI – or a Linux Amazon EC2 instance.
  • AWS Command Line Interface (CLI) v2 configured on your laptop and on the device, with an AWS access key ID and AWS secret access key (more information on how to do this here).
  • For the device only: AWS access key ID and AWS secret access key stored as system variables or securely in a secret vaulting tool or service such as AWS Systems Manager Parameter Store (link to the documentation).
  • Optional: if AWS Systems Manager Parameter Store is used – IAM policy is required to get access to parameters (examples of IAM Policies for Parameter Store here).

Running the installation script remotely with Run Command

Step 1: Use an existing Amazon S3 bucket, or create a new one.
In order to store the command results, you will need an Amazon S3 bucket. You can either choose an existing one, or create a bucket using this CLI command:

aws s3 create-bucket --bucket ssm-outputs-<randomValue>

Step 2: Launch GGv1 installation script using AWS CLI v2 and Run Command.

The below script calls the latest version of an external script that allows automation of the core installation process and group creation. This example assumes that the access key ID and secret key are already on the device as environment variables.

Run the following CLI to launch GGv1 deployment (change “yourbucketname” by the name of the bucket you’ve just created):

aws ssm send-command \
    --document-name "AWS-RunShellScript" \
    --parameters 'commands=["sudo wget -q -O ./ && sudo chmod +x ./ && sudo -E ./ bootstrap-greengrass --region eu-central-1 --group-name MFG-corp-test-1 --core-name factory-test-core001 --ggc-root-path / --deployment-timeout 300 --hello-world-lambda --verbose" ]' \
    --targets Key=tag:Env,Values=Factory \
    --comment "Create greengrass group, install core, deploy hello world Lambda"
    --output-s3-region "eu-central-1"
    --output-s3-bucket-name "<yourbucketname>"
    --output-s3-key-prefix "runcommand-results/"

The script will check the prerequisites, install them if required, create a Greengrass group, install core software on your device, and then deploy a “Hello world” Lambda function to your core device so that you could check connectivity.

Step 3: verify the execution in the Run Command history home page.

Wait until the process is completed. if you want to know if the process is completed, go to the run command home page. If it says that **”No commands are executing.”** then go to the run command history home page to check the outputs of your command.

Step 4: check the connection between GGv1 and IoT Core.

Once you’ve completed Step 1,2,3 – take a look at AWS IoT Core, to see if you’re receiving the “Hello world” messages from the Lambda function.

1.      Go to the IoT Core home page.

2.      Click on “Test”, and specify “hello/world” then click on “Subscribe to topic”:

3.     You should see this:

If you see the Hello World messages appearing on your screen, then congratulations!

Automating the installation on all devices using AWS Systems Manager Automation

Another element might be the usage of Automation feature within AWS Systems Manager to automate the installation using documents. At time of this blogpost publication, Automation supports python3.6 | python3.7 | PowerShell Core 6.0.

You can either rewrite the shell script provided above into Python, or use the Python subprocess module to execute external commands:

import subprocess
process = subprocess.Popen(['echo', 'More output'],
stdout, stderr = process.communicate()
stdout, stderr


Subprocess.Popen() is the class that will create and manage the executed process. It only runs commands one at a time with arguments.

Step1: create Automation document for IoT Gateways

1.     Open AWS Systems Manager home page.

2.     Click on “Execute Automation”.

3.     Click on “Create Document”.

4.     Name the document as you want (e.g: “DeployGreengrassV1”).

5.     You can specify input parameters if you want for example to adapt the doc to a single, group or subgroup of factories. Scroll down until you reach the input parameters section and add your parameters. You need a name, a type and to specify if the parameter is mandatory to provide when executing the documents:

6.     Then move to the step 1 section to add your script by selecting “Run a script” in “Action Type”, by selecting the language and then by copy/pasting your script:

Step2: check the document has been successfully created

Once your document is registered with your Python installation script, you should see it on the automation page. Click on “Execute Automation” and then on “Owned by me”:

Step3: execute the document

Tags are useful if you want to easily select a target group to execute the document on. Here we suppose that we have tags that gives the edge gateways based on a Geo:

Click on execute, you’ll be brought to a new page where you can follow your document execution (overall and step by step):


If you already have Ansible playbooks or Chef recipes running from a hosted infrastructure, you can reuse them with Run Command. Also, if your devices require to move from one Account to another, you can use X.509 client certificates with multi-account registration.



In this blogpost, I showed you how to remotely install AWS IoT Greengrass v1 on Raspberry Pi devices, from a single AWS account using AWS Systems Manager. This architecture provides a simple way to manage devices at scale, in multi-AWS account environment without the need to connect to multiple administration points. Moreover, AWS Systems Manager is a serverless service, helping you to remove burden cost of a hosting centralized management infrastructure. It also reduces the TCO of such an infrastructure, by providing a “pay for what you use” pricing model.

AWS Systems Manager provide multiple features that can be leveraged to improve even further your operations when managing hybrid devices. If you’re interested into learning more, follow the links below:

·       Inventory:

·       Patch management:

·       Remote sessions:

Julien Chidiack

Julien Chidiack

DevOps at heart with passion for cutting edge technology, open-source tools and cloud-based technologies. Helping Automotive and Manufacturing companies to accelerate their transformation towards the future of production!