How does Ferry work with AWS
Below we provide a walkthrough of how Ferry interacts with your AWS account given the permissions you granted in the connection step above.
Creation of a Workspace
When you create a Workspace in Ferry, Ferry automatically provisions an S3 bucket for that Workspace to store the code files, binaries & images of any Components you create in it.
Ferry also initializes the AWS IoT and IAM security policies for your Workspace automatically, so that your devices can register themselves correctly with your AWS account and your applications can be deployed to them:
Ferry creates a default policy & role that let your devices communicate with AWS IoT and AWS IoT Greengrass (the runtime that will be installed on your device).
Ferry creates default policies & roles that let your devices securely read from Amazon S3 (to retrieve software applications during deployment) and write to CloudWatch Logs.
Ferry creates a default policy & role that allow a device to request a certificate for authenticating to AWS services at the time it is registered.
Creation of Node Groups and Nodes
When you create a Node Group in Ferry, we automatically create a corresponding “Thing Group” in AWS IoT. Similarly, when you create a Node in Ferry belonging to a Node Group, we create a “Thing” assigned to the corresponding “Thing Group”. Ferry also sets up an AWS IoT Greengrass deployment for the Node Group when the group is created; as Nodes are added to the Node Group, they are notified of the deployment and update accordingly.
Registering a Node
Registering a Node with Ferry via your AWS account results in Ferry securely installing AWS IoT Greengrass on the device and provisioning the security certificates it needs for secure communication with Ferry & your AWS account.
We register Nodes with security best practices in mind: a device should never have the ability to create or change policies & roles in AWS, and should be strictly limited to obtaining its security certificate from the cloud.
When you create a Node in Ferry, it is issued a one-time registration token. When you register the Node you pass that token in the registration command, and Ferry provisions one-time session credentials that allow the device to request a security certificate directly from AWS. The device then uses that certificate for all future communication with your AWS account, for deployments & more.
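The registration flow described above, as an added example in Python that is not Ferry's own code: a single-use, expiring registration token per Node; the scope-down policy for the device's one-time STS session, which allows only a certificate request; and a linter that rejects any policy that could let a device create or change IAM or IoT policies or roles. The helper names, the allowed action set and the sensitive-action list are assumptions for illustration, not Ferry's actual policies.

```python
"""Added example (not Ferry's own code): the registration bootstrap in miniature.

(1) a single-use, expiring registration token per Node;
(2) the scope-down policy for the device's one-time STS session;
(3) a linter that fails any policy that could let a device create or change
    IAM/IoT policies or roles.
Action names, allow-list and sensitive-action list are illustrative assumptions.
"""
import fnmatch
import hashlib
import json
import secrets
import time

# (1) One-time registration tokens: store only a hash, redeem at most once.
_TOKENS = {}  # sha256(token) -> {"node_id": ..., "expires_at": ...}

def _clock(now):
    return time.time() if now is None else now

def issue_registration_token(node_id, ttl_seconds=3600, now=None):
    """Mint the token for a newly created Node; the user passes it on the registration command."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _TOKENS[digest] = {"node_id": node_id, "expires_at": _clock(now) + ttl_seconds}
    return token

def redeem_registration_token(token, now=None):
    """Return the Node id for a valid token, else None. pop() makes a replayed token find nothing."""
    entry = _TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or _clock(now) > entry["expires_at"]:
        return None
    return entry["node_id"]

# (2) Scope-down policy for the one-time session (assumed minimal action set).
DEVICE_ALLOWED_ACTIONS = ("iot:CreateKeysAndCertificate", "iot:DescribeEndpoint")

def device_registration_policy():
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(DEVICE_ALLOWED_ACTIONS),
            "Resource": "*",  # CreateKeysAndCertificate does not support resource-level scoping
        }],
    }

def registration_session_request(role_arn, node_id):
    """Arguments for boto3.client('sts').assume_role(**kwargs): short-lived and scoped down."""
    return {
        "RoleArn": role_arn,
        "RoleSessionName": f"ferry-register-{node_id}",
        "Policy": json.dumps(device_registration_policy()),
        "DurationSeconds": 900,  # the STS minimum
    }

# (3) Linter: actions a device must never be granted, directly or via wildcards.
SENSITIVE_ACTIONS = (
    "iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:PassRole", "iot:CreatePolicy", "iot:CreatePolicyVersion", "iot:AttachPolicy",
    "iot:AttachPrincipalPolicy", "iot:SetDefaultPolicyVersion",
)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_device_policy(policy):
    """Return findings for a policy handed to a registering device; an empty list passes."""
    findings = []
    allowed = {a.lower() for a in DEVICE_ALLOWED_ACTIONS}
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow the grant
        if "NotAction" in stmt:
            findings.append(f"statement {idx}: Allow with NotAction grants everything not listed")
            continue
        for action in _as_list(stmt.get("Action", [])):
            # IAM action matching is case-insensitive with '*' and '?' wildcards
            hits = [s for s in SENSITIVE_ACTIONS if fnmatch.fnmatchcase(s.lower(), action.lower())]
            if hits:
                findings.append(f"statement {idx}: '{action}' covers {hits[0]}")
            elif any(ch in action for ch in "*?"):
                findings.append(f"statement {idx}: wildcard '{action}' exceeds the allow-list")
            elif action.lower() not in allowed:
                findings.append(f"statement {idx}: '{action}' is not needed for registration")
    return findings

if __name__ == "__main__":
    tok = issue_registration_token("node-42")
    print(redeem_registration_token(tok), redeem_registration_token(tok))  # node-42 None
    print(lint_device_policy(device_registration_policy()))  # []
    print(lint_device_policy({"Statement": {"Effect": "Allow", "Action": "iot:*", "Resource": "*"}}))
```

The linter treats a granted action as a pattern and asks whether it covers any sensitive action, so `iot:*`, `iot:Create*` and `*` are all caught; anything that is not on the allow-list, even if harmless, is reported so the session policy stays exactly as small as the text says it should be.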
Creating Components and Component Versions
When you create Components and Component Versions in Ferry, Ferry creates corresponding Components and Component Versions in AWS Greengrass automatically for you.
Additionally, Ferry lays out the Workspace S3 bucket (where the files, images and binaries for your Components reside) in a consistent, predictable structure:
ws-{3 alphanumeric symbols}-{workspace_name}-comp-artifacts/components/{component_name}/{component_version}/{src_OR_dist}/{file_path}
Here ws-{3 alphanumeric symbols}-{workspace_name}-comp-artifacts is the bucket name and everything after the first slash is the object key. Each Component Version has its own prefix in the Workspace bucket, with src/ holding the files that users can view and edit in Ferry and dist/ holding the pre-packaged files ready for distribution to devices.
When a Component Version is published and ready for deployment, Ferry ensures that the version is correctly configured in AWS IoT Greengrass in your account.
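The bucket and key layout above, as an added example in Python that is not Ferry's own code: it builds, parses and validates artifact keys, rejects file paths that would escape a Component Version's prefix, and produces the artifact references a Greengrass recipe needs to fetch the dist/ copies. The bucket-name pattern check, the path-traversal rejection, the function names and the recipe lifecycle line are illustrative assumptions; the recipe fields themselves (RecipeFormatVersion, ComponentName, ComponentVersion, Manifests, Artifacts URI) are the standard Greengrass ones.

```python
"""Added example (not Ferry's own code): build, parse and validate Component
artifact locations in the bucket/key layout documented above, and produce a
Greengrass recipe whose Artifacts point at the dist/ copies. Bucket-name check,
traversal rejection and the Lifecycle line are illustrative assumptions.
"""
import posixpath
import re

BUCKET_RE = re.compile(r"^ws-[a-z0-9]{3}-[a-z0-9-]+-comp-artifacts$")  # assumed bucket pattern
COMPONENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")  # one path segment, no slashes
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")  # Greengrass component versions are semantic versions

def is_workspace_bucket(name):
    return BUCKET_RE.match(name) is not None

def is_safe_file_path(file_path):
    """Relative, non-empty, and unable to climb out of the version's own prefix."""
    norm = posixpath.normpath(file_path)
    return not (file_path.startswith("/") or norm in (".", "..") or norm.startswith("../"))

def artifact_key(component, version, kind, file_path):
    """Return components/{component}/{version}/{src|dist}/{file_path}, refusing unsafe input."""
    if kind not in ("src", "dist"):
        raise ValueError("kind must be 'src' or 'dist'")
    if not COMPONENT_RE.match(component):
        raise ValueError(f"bad component name: {component!r}")
    if not VERSION_RE.match(version):
        raise ValueError(f"not a semantic version: {version!r}")
    if not is_safe_file_path(file_path):
        raise ValueError(f"unsafe file path: {file_path!r}")
    return f"components/{component}/{version}/{kind}/{posixpath.normpath(file_path)}"

def parse_artifact_key(key):
    """Inverse of artifact_key; raises ValueError if the key does not follow the layout."""
    parts = key.split("/", 4)
    if len(parts) != 5 or parts[0] != "components" or parts[3] not in ("src", "dist"):
        raise ValueError(f"key does not follow the layout: {key!r}")
    _, component, version, kind, file_path = parts
    artifact_key(component, version, kind, file_path)  # re-validate every segment
    return {"component": component, "version": version, "kind": kind, "file_path": file_path}

def artifact_uri(bucket, component, version, file_path):
    """s3:// URI of a distributable artifact: devices fetch dist/ copies, never src/."""
    if not is_workspace_bucket(bucket):
        raise ValueError(f"not a workspace artifact bucket: {bucket!r}")
    return f"s3://{bucket}/{artifact_key(component, version, 'dist', file_path)}"

def component_recipe(bucket, component, version, dist_files, run_command):
    """Minimal Greengrass recipe (format 2020-01-25) referencing the dist/ artifacts."""
    return {
        "RecipeFormatVersion": "2020-01-25",
        "ComponentName": component,
        "ComponentVersion": version,
        "Manifests": [{
            "Platform": {"os": "linux"},
            "Lifecycle": {"Run": run_command},  # may reference the {artifacts:path} variable
            "Artifacts": [{"URI": artifact_uri(bucket, component, version, f)} for f in dist_files],
        }],
    }

if __name__ == "__main__":
    # Constructed sample values, not a real workspace
    bucket = "ws-a1b-demo-comp-artifacts"
    print(artifact_key("com.example.hello", "1.0.0", "src", "pkg/../main.py"))
    print(component_recipe(bucket, "com.example.hello", "1.0.0", ["hello.zip"],
                           "python3 {artifacts:path}/hello.py"))
```

Because the key is built from separately validated segments rather than by string concatenation of user input, a file path such as `../../other-component/1.0.0/dist/x` cannot overwrite another Component Version's artifacts in the shared Workspace bucket.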
Creating Deployments
Managing deployments directly in AWS IoT Greengrass, without Ferry, can be complicated. If a device is the target of a direct deployment that includes one version of a component, and also belongs to a Thing Group that is the target of a separate deployment with a different version of the same component, the device ends up with two conflicting deployments.
Additionally, updating or changing components in an existing deployment requires you to retrieve the current deployment, adjust its configuration so that every component that should remain is still listed, and then create a revision. If you forget to include a component, the new revision removes it from the device.
Ferry abstracts away this complexity through our Smart Deployments feature. We ensure that each Node can only ever have one version of a given Component, irrespective of how many deployments target it, and we make it simple to add Components to a deployment or remove them from it.
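The two pitfalls described above, as an added example in Python that is not Ferry's own code: a check that reports any component pinned to more than one version across the deployments that target a Node, and a revision builder that starts from the components already deployed so that nothing is dropped by omission. The component maps use the shape of the Greengrass CreateDeployment components parameter (name to componentVersion), but the function names and the conflict handling are assumptions for illustration, not a description of how Smart Deployments is implemented.

```python
"""Added example (not Ferry's own code): make the two Greengrass deployment
pitfalls checkable. Component maps follow the Greengrass CreateDeployment
'components' shape: {name: {"componentVersion": version}}. Function names
and the conflict policy are illustrative assumptions.
"""

def conflicting_components(deployments):
    """deployments: the component maps of every deployment that targets one Node (its own
    Thing plus every Thing Group it belongs to). Returns {name: [versions]} for each
    component that would be pinned to more than one version."""
    versions = {}
    for components in deployments:
        for name, spec in components.items():
            versions.setdefault(name, set()).add(spec["componentVersion"])
    return {name: sorted(v) for name, v in versions.items() if len(v) > 1}

def effective_components(deployments):
    """One version per component, or ValueError naming the conflicts: a Node must never be
    left to reconcile two deployments that disagree."""
    conflicts = conflicting_components(deployments)
    if conflicts:
        raise ValueError(f"conflicting component versions: {conflicts}")
    merged = {}
    for components in deployments:
        merged.update(components)
    return merged

def revise_deployment(existing, add=None, remove=()):
    """Component map for a new revision: start from what is deployed now, then apply the
    change set. A revision replaces the whole list, so removal is explicit, and removing an
    unknown name is an error rather than a silent no-op."""
    components = {name: dict(spec) for name, spec in existing.items()}
    for name in remove:
        if name not in components:
            raise KeyError(f"{name} is not in the current deployment")
        del components[name]
    for name, version in (add or {}).items():
        components[name] = {"componentVersion": version}
    return components

def dropped_by_revision(existing, revised):
    """Components the device will uninstall if 'revised' replaces 'existing' as written."""
    return sorted(set(existing) - set(revised))

if __name__ == "__main__":
    # Constructed sample: a direct deployment and a group deployment targeting the same Node
    direct = {"com.example.sensor": {"componentVersion": "1.1.0"}}
    group = {"com.example.sensor": {"componentVersion": "1.0.0"},
             "com.example.logger": {"componentVersion": "2.0.0"}}
    print(conflicting_components([direct, group]))  # {'com.example.sensor': ['1.0.0', '1.1.0']}
    # Revising by hand and forgetting the logger would uninstall it
    print(dropped_by_revision(group, {"com.example.sensor": {"componentVersion": "1.1.0"}}))
    print(revise_deployment(group, add={"com.example.sensor": "1.1.0"}))
```

Run `conflicting_components` over every deployment that targets a Thing (direct and group) before creating a new one, and always build a revision with `revise_deployment` from the deployment you retrieved rather than from a hand-written list; `dropped_by_revision` is the last check before you submit it.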