# SageMaker Edge Manager Example

## Introduction

SageMaker Edge Manager is a service from Amazon SageMaker that lets you:

+ prepare custom models for edge device hardware
+ include a runtime for running machine learning inference efficiently on edge devices
+ enable the device to send samples of data from each model securely to SageMaker for relabeling and retraining.

There are two main components to this service:
+ SageMaker Edge Manager in the Cloud 
+ SageMaker Edge Agent on the Edge device

This notebook demonstrates the end-to-end workflow for getting a running SageMaker Edge Agent on the edge device. This will involve the following steps:

+ Compile the model using SageMaker Neo
+ Package the compiled model with SageMaker Edge Manager
+ Deploy with SageMaker Edge Manager Agent
+ Run inference with the model
+ Capture the model's input and output data to S3

**Note**:
Typically, the SageMaker Edge Agent is run on an edge device. For the sake of this notebook, we will run the Agent on an EC2 instance. We show how to package the compiled model and then load it to the Agent on the edge Device to make predictions with. Finally, we show how to capture model's input and output to S3 via the Agent.

This notebook is intended only for notebook instances. When you run this notebook, choose the kernel: `conda_tensorflow_p36`

**Please note**: There are pricing implications to the use of this notebook. Please refer to [Edge Manager](https://aws.amazon.com/sagemaker/edge-manager/pricing) for more information.

## Demo Setup

We need an AWS account role with SageMaker access. This role is used to give SageMaker access to S3, launch an EC2 instance and send command with Systems Manager.

In [3]:
import sagemaker
from sagemaker import get_execution_role
import boto3
import botocore
import json

role = get_execution_role()
sess = sagemaker.Session()
region = boto3.Session().region_name

In [4]:
print(role)

arn:aws:iam::254903919824:role/service-role/AmazonSageMakerServiceCatalogProductsUseRole


Locate the above printed sagemaker role from [IAM console](https://console.aws.amazon.com/iam), find and attach the following policies to role:

- AmazonEC2FullAccess 
- AmazonEC2RoleforSSM 
- AmazonS3FullAccess 
- AmazonSSMManagedInstanceCore 
- AmazonSSMFullAccess 
- AWSIoTFullAccess 

You can find more information about how to attach policies to role [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html#add-policies-console).

**If you try this example with a real device, only attach AWSIoTFullAccess to create certificates on AWS IoT.**

In [5]:
#User Input: Set up names that will be used later in this example 

EC2_role_name = "smex_ec2_role_9"
EC2_profile_name = "smex_ec2_profile_9"
Device_role_name = "SageMaker_smex_device_role_9"


We then need an S3 bucket that would be used for storing the model artifacts generated after compilation and packaged artifacts generated after edge packaging job.

In [6]:
# S3 bucket and folders for saving model artifacts.
# Feel free to specify different bucket/folders here if you wish.
bucket = sess.default_bucket()
folder = "DEMO-Sagemaker-Edge"
compilation_output_sub_folder = folder + "/compilation-output"
iot_folder = folder + "/iot"

# S3 Location to save the model artifact after compilation
s3_compilation_output_location = "s3://{}/{}".format(bucket, compilation_output_sub_folder)

Finally, we upload the test image to S3 bucket. This image will be used in inference later.

In [7]:
keras_img_path = sess.upload_data("keras.bmp", bucket, iot_folder)

### Launch EC2 Instance

As mentioned earlier, this EC2 instance is used in place of an edge device for running the agent software.

In [8]:
ec2_client = boto3.client("ec2", region_name=region)

In [9]:
# Copyright 2021 Amazon.com.
# SPDX-License-Identifier: MIT



Generate a key pair for the EC2 instance, and save the key PEM file. We can use this key with SSH to connect to the instance. But in this notebook example, we will not use SSH, instead, we will use AWS Systems Manager to send commands to the instance instead.

In [10]:
import datetime

ec2_key_name = "edge-manager-key-" + str(datetime.datetime.now())
ec2_key_pair = ec2_client.create_key_pair(
    KeyName=ec2_key_name,
)

key_pair = str(ec2_key_pair["KeyMaterial"])
key_pair_file = open("ec2-key-pair.pem", "w")
key_pair_file.write(key_pair)
key_pair_file.close()

Create a role for the EC2 instance we are going to use. Read for detailed information about [IAM roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html).

Follow steps here to [create an IAM role](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#create-iam-role). Note down the role name and role ARN; the role name will be used when we launch the EC2 instance, and role ARN will be needed to create inline policy.

After creation, make sure the following policies are attached to role:

- AmazonS3FullAccess 
- AmazonSSMManagedInstanceCore 
- CloudWatchAgentAdminPolicy 


Locate the same SageMaker role used for running this notebook in [Demo Setup](#Demo-Setup) in [IAM console](https://console.aws.amazon.com/iam), click `Add inline policy` button on the role summary page, choose JSON format and replace the content with below statement:

Before copying the following content, make sure you use the EC2 role ARN you just created in the `Resource` field for `iam:PassRole` action.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::<account>:role/<role-name>"
        }
    ]
}
```

In [11]:
!aws iam create-role --role-name $EC2_role_name --assume-role-policy-document file://ec2-role-trust-policy.json


{
    "Role": {
        "Path": "/",
        "RoleName": "smex_ec2_role_9",
        "RoleId": "AROATWWLVETIFVBDCHELB",
        "Arn": "arn:aws:iam::254903919824:role/smex_ec2_role_9",
        "CreateDate": "2021-11-17T02:19:53Z",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "ec2.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        }
    }
}


In [12]:
!aws iam put-role-policy --role-name $EC2_role_name --policy-name Pass-Permissions --policy-document file://ec2-role-access-policy4.json

In [13]:
!aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess --role-name $EC2_role_name

In [14]:
!aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore --role-name $EC2_role_name

In [15]:
!aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/CloudWatchAgentAdminPolicy --role-name $EC2_role_name

In [16]:
!aws iam create-instance-profile --instance-profile-name $EC2_profile_name

{
    "InstanceProfile": {
        "Path": "/",
        "InstanceProfileName": "smex_ec2_profile_9",
        "InstanceProfileId": "AIPATWWLVETIFZRJBEWGL",
        "Arn": "arn:aws:iam::254903919824:instance-profile/smex_ec2_profile_9",
        "CreateDate": "2021-11-17T02:19:58Z",
        "Roles": []
    }
}


In [17]:
!aws iam add-role-to-instance-profile --instance-profile-name $EC2_profile_name --role-name $EC2_role_name

In [18]:
import time
time.sleep(20)

Launch an EC2 C5 instance. In this example we will use an AWS deep learning AMI.

In [19]:
ami = ec2_client.describe_images(Filters=[{'Name': 'name', 'Values': ['Deep Learning AMI (Ubuntu 18.04) Version 36.0']}])['Images'][0]['ImageId']
ami

'ami-01bd6a1621a6968d7'

In [20]:
ec2_profile_name = EC2_profile_name  # the name of the role created for EC2

ec2_instance = ec2_client.run_instances(
    ImageId=ami,
    MinCount=1,
    MaxCount=1,
    InstanceType="c5.large",
    KeyName=ec2_key_name,
    IamInstanceProfile={
        "Name": ec2_profile_name,
    },
    TagSpecifications=[
        {
            "ResourceType": "instance",
            "Tags": [{"Key": "Name", "Value": "edge-manager-notebook"}],
        }
    ],
)

In [21]:
instance_id = ec2_instance["Instances"][0]["InstanceId"]
print(instance_id)

i-03880ae1c0078460b


## Compile Model using SageMaker Neo

Create a SageMaker client.

In [22]:
sagemaker_client = boto3.client("sagemaker", region_name=region)

### Download pretrained Keras model

In [23]:
import tensorflow as tf

model = tf.keras.applications.MobileNetV2()
model.save("mobilenet_v2.h5")


Instructions for updating:
If using Keras pass *_constraint arguments to layers.
Downloading data from https://github.com/JonathanCMitchell/mobilenet_v2_keras/releases/download/v1.1/mobilenet_v2_weights_tf_dim_ordering_tf_kernels_1.0_224.h5


In [24]:
import tarfile

with tarfile.open("mobilenet_v2.tar.gz", mode="w:gz") as archive:
    archive.add("mobilenet_v2.h5")

In [25]:
keras_model_path = sess.upload_data("mobilenet_v2.tar.gz", bucket, folder)

**Note**: When calling ``create_compilation_job()`` the user is expected to provide all the correct input shapes required by the model for successful compilation. If using a different model, you will need to specify the framework and data shape correctly.

In [26]:
keras_model_data_shape = '{"input_1":[1,3,224,224]}'
keras_model_framework = "keras"
target_os = "LINUX"
target_arch = "X86_64"

In [27]:
import time

keras_compilation_job_name = "Sagemaker-Edge-" + str(time.time()).split(".")[0]
print("Compilation job for %s started" % keras_compilation_job_name)

response = sagemaker_client.create_compilation_job(
    CompilationJobName=keras_compilation_job_name,
    RoleArn=role,
    InputConfig={
        "S3Uri": keras_model_path,
        "DataInputConfig": keras_model_data_shape,
        "Framework": keras_model_framework.upper(),
    },
    OutputConfig={
        "S3OutputLocation": s3_compilation_output_location,
        "TargetPlatform": {"Arch": target_arch, "Os": target_os},
    },
    StoppingCondition={"MaxRuntimeInSeconds": 900},
)

print(response)

# Poll every 30 sec
while True:
    response = sagemaker_client.describe_compilation_job(
        CompilationJobName=keras_compilation_job_name
    )
    if response["CompilationJobStatus"] == "COMPLETED":
        break
    elif response["CompilationJobStatus"] == "FAILED":
        print(response)
        raise RuntimeError("Compilation failed")
    print("Compiling ...")
    time.sleep(30)
print("Done!")

Compilation job for Sagemaker-Edge-1637115655 started
{'CompilationJobArn': 'arn:aws:sagemaker:us-east-2:254903919824:compilation-job/Sagemaker-Edge-1637115655', 'ResponseMetadata': {'RequestId': 'b1c7d75e-599e-4c73-9523-cc6a90afdc79', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': 'b1c7d75e-599e-4c73-9523-cc6a90afdc79', 'content-type': 'application/x-amz-json-1.1', 'content-length': '106', 'date': 'Wed, 17 Nov 2021 02:20:55 GMT'}, 'RetryAttempts': 0}}
Compiling ...
Compiling ...
Compiling ...
Compiling ...
Compiling ...
Compiling ...
Compiling ...
Compiling ...
Compiling ...
Compiling ...
Done!


### Package Keras Model

In [28]:
keras_packaged_model_name = "keras-model"
keras_model_version = "1.0"
keras_model_package = "{}-{}.tar.gz".format(keras_packaged_model_name, keras_model_version)

In [29]:
keras_packaging_job_name = keras_compilation_job_name + "-packaging"
response = sagemaker_client.create_edge_packaging_job(
    RoleArn=role,
    OutputConfig={
        "S3OutputLocation": s3_compilation_output_location,
    },
    ModelName=keras_packaged_model_name,
    ModelVersion=keras_model_version,
    EdgePackagingJobName=keras_packaging_job_name,
    CompilationJobName=keras_compilation_job_name,
)

print(response)

# Poll every 30 sec
while True:
    job_status = sagemaker_client.describe_edge_packaging_job(
        EdgePackagingJobName=keras_packaging_job_name
    )
    if job_status["EdgePackagingJobStatus"] == "COMPLETED":
        break
    elif job_status["EdgePackagingJobStatus"] == "FAILED":
        print(job_status)
        raise RuntimeError("Edge Packaging failed")
    print("Packaging ...")
    time.sleep(30)
print("Done!")

{'ResponseMetadata': {'RequestId': '3ceb1bdd-a926-4151-931c-05db4b002827', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': '3ceb1bdd-a926-4151-931c-05db4b002827', 'content-type': 'application/x-amz-json-1.1', 'content-length': '0', 'date': 'Wed, 17 Nov 2021 02:25:57 GMT'}, 'RetryAttempts': 0}}
Packaging ...
Done!


In [30]:
keras_model_data = job_status["ModelArtifact"]

### Create AWS IoT thing

SageMaker Edge Manager uses AWS IoT Core to authenticate the device in order to make calls to SageMaker Edge Manager endpoints in AWS Cloud. 

In order for an edge device to use AWS services, it is necessary for it to first authenticate. We recommend doing this via AWS IoT based authentication, for more details refer [here](https://docs.aws.amazon.com/iot/latest/developerguide/authorizing-direct-aws.html) and [here](https://aws.amazon.com/blogs/security/how-to-eliminate-the-need-for-hardcoded-aws-credentials-in-devices-by-using-the-aws-iot-credentials-provider/).

In [31]:
iot_client = boto3.client("iot", region_name=region)

In [32]:
iot_thing_name = "sagemaker-edge-thing-demo"
iot_thing_type = "SagemakerEdgeDemo"

In [33]:
iot_client.create_thing_type(thingTypeName=iot_thing_type)

{'ResponseMetadata': {'RequestId': '724efac1-9e88-4595-b6fe-238d546da840',
  'HTTPStatusCode': 200,
  'HTTPHeaders': {'date': 'Wed, 17 Nov 2021 02:26:28 GMT',
   'content-type': 'application/json',
   'content-length': '171',
   'connection': 'keep-alive',
   'x-amzn-requestid': '724efac1-9e88-4595-b6fe-238d546da840',
   'access-control-allow-origin': '*',
   'x-amz-apigw-id': 'I7U9KGiqiYcFm6Q=',
   'x-amzn-trace-id': 'Root=1-61946854-3cec6d7a6f21ec282a82af50'},
  'RetryAttempts': 0},
 'thingTypeName': 'SagemakerEdgeDemo',
 'thingTypeArn': 'arn:aws:iot:us-east-2:254903919824:thingtype/SagemakerEdgeDemo',
 'thingTypeId': 'c3c46ae3-e1ca-4fc8-b33a-6ee00a146f84'}

In [34]:
iot_client.create_thing(thingName=iot_thing_name, thingTypeName=iot_thing_type)

{'ResponseMetadata': {'RequestId': 'dfba30c3-75b6-4d55-8c42-ff25f07250f9',
  'HTTPStatusCode': 200,
  'HTTPHeaders': {'date': 'Wed, 17 Nov 2021 02:26:28 GMT',
   'content-type': 'application/json',
   'content-length': '171',
   'connection': 'keep-alive',
   'x-amzn-requestid': 'dfba30c3-75b6-4d55-8c42-ff25f07250f9',
   'access-control-allow-origin': '*',
   'x-amz-apigw-id': 'I7U9LHehCYcFlxw=',
   'x-amzn-trace-id': 'Root=1-61946854-6b6a5b4358c59c591e6bf9e8'},
  'RetryAttempts': 0},
 'thingName': 'sagemaker-edge-thing-demo',
 'thingArn': 'arn:aws:iot:us-east-2:254903919824:thing/sagemaker-edge-thing-demo',
 'thingId': '007806d5-6783-45b6-bd95-be6310bd8865'}

### Create Device Fleet

#### Create IAM role for device fleet

Configure an IAM role in your AWS account that will be assumed by the credentials' provider on behalf of the devices in your device fleet. 

**Notice**: The name of the role must start with `SageMaker`.

Go to [IAM console](https://console.aws.amazon.com/iam), create role for IoT, attach the following policies:

- AmazonSageMakerEdgeDeviceFleetPolicy

Add the statement to trust relationship:
```
{
  "Version": "2012-10-17",
  "Statement": [
      {
        "Effect": "Allow",
        "Principal": {"Service": "credentials.iot.amazonaws.com"},
        "Action": "sts:AssumeRole"
      },
      {
        "Effect": "Allow",
        "Principal": {"Service": "sagemaker.amazonaws.com"},
        "Action": "sts:AssumeRole"
      }
  ]
}
```

Note down the role ARN, it will be later used for creating the device fleet.

In [35]:
Output_of_create = !aws iam create-role --role-name $Device_role_name --assume-role-policy-document file://device-role-trust-policy.json


In [36]:
#print(Output_of_create)

In [37]:
the_raw_name  = Output_of_create[5]
#print(the_raw_name)
drop_last_comma = the_raw_name[:-2]
#print(drop_last_comma)
arn_value_of_device = drop_last_comma[16:]
#print(arn_value_of_device)
Name_to_str = ''.join(arn_value_of_device)
device_fleet_role_arn = ''.join(arn_value_of_device)
#print(Name_to_str)

In [38]:
print(Name_to_str)

arn:aws:iam::254903919824:role/SageMaker_smex_device_role_9


In [39]:
!aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/service-role/AmazonSageMakerEdgeDeviceFleetPolicy --role-name $Device_role_name

In [40]:
time.sleep(20)

In [41]:
device_fleet_name = "demo-device-fleet" + str(time.time()).split(".")[0]

# This is the role you created following the instructions in the above cell
#device_fleet_role_arn = Name_to_str

sagemaker_client.create_device_fleet(
    DeviceFleetName=device_fleet_name,
    RoleArn=device_fleet_role_arn,
    OutputConfig={"S3OutputLocation": s3_compilation_output_location},
)

{'ResponseMetadata': {'RequestId': '08813c19-8b1a-49dd-881e-e1506f3b7ecc',
  'HTTPStatusCode': 200,
  'HTTPHeaders': {'x-amzn-requestid': '08813c19-8b1a-49dd-881e-e1506f3b7ecc',
   'content-type': 'application/x-amz-json-1.1',
   'content-length': '0',
   'date': 'Wed, 17 Nov 2021 02:26:49 GMT'},
  'RetryAttempts': 0}}

#### Register device to the fleet

In [42]:
device_name = (
    "sagemaker-edge-demo-device" + str(time.time()).split(".")[0]
)  # device name should be 36 charactors

sagemaker_client.register_devices(
    DeviceFleetName=device_fleet_name,
    Devices=[
        {
            "DeviceName": device_name,
            "IotThingName": iot_thing_name,
            "Description": "this is a sample virtual device",
        }
    ],
)

{'ResponseMetadata': {'RequestId': '3135204a-ba86-4002-8bf0-2646d4c59f39',
  'HTTPStatusCode': 200,
  'HTTPHeaders': {'x-amzn-requestid': '3135204a-ba86-4002-8bf0-2646d4c59f39',
   'content-type': 'application/x-amz-json-1.1',
   'content-length': '0',
   'date': 'Wed, 17 Nov 2021 02:26:49 GMT'},
  'RetryAttempts': 0}}

### Create and register client certificate with AWS IoT

Create private key, public key, and X.509 certificate files to register and activate the certificate with AWS IoT. 

In [43]:
iot_cert = iot_client.create_keys_and_certificate(setAsActive=True)

Save the files and upload to S3 bucket, these files will be used to provide credentials on device to communicate with AWS services.

In [44]:
with open("./iot.pem.crt", "w") as f:
    for line in iot_cert["certificatePem"].split("\n"):
        f.write(line)
        f.write("\n")

In [45]:
with open("./iot_key.pem.key", "w") as f:
    for line in iot_cert["keyPair"]["PrivateKey"].split("\n"):
        f.write(line)
        f.write("\n")

In [46]:
with open("./iot_key_pair.pem.key", "w") as f:
    for line in iot_cert["keyPair"]["PublicKey"].split("\n"):
        f.write(line)
        f.write("\n")

Associate the role alias generated from `create_device_fleet()` with AWS IoT.

In [47]:
role_alias_name = "SageMakerEdge-" + device_fleet_name

role_alias = iot_client.describe_role_alias(roleAlias=role_alias_name)

We created and registered a certificate with AWS IoT earlier for successful authentication of your device. Now, we need to create and attach a policy to the certificate to authorize the request for the security token.

In [48]:
alias_policy = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "iot:AssumeRoleWithCertificate",
        "Resource": role_alias["roleAliasDescription"]["roleAliasArn"],
    },
}

In [49]:
policy_name = "aliaspolicy-" + str(time.time()).split(".")[0]
aliaspolicy = iot_client.create_policy(
    policyName=policy_name,
    policyDocument=json.dumps(alias_policy),
)

In [50]:
iot_client.attach_policy(policyName=policy_name, target=iot_cert["certificateArn"])

{'ResponseMetadata': {'RequestId': '105cd25b-2819-42da-b9bd-27060b7745df',
  'HTTPStatusCode': 200,
  'HTTPHeaders': {'date': 'Wed, 17 Nov 2021 02:26:50 GMT',
   'content-type': 'application/json',
   'content-length': '0',
   'connection': 'keep-alive',
   'x-amzn-requestid': '105cd25b-2819-42da-b9bd-27060b7745df',
   'access-control-allow-origin': '*',
   'x-amz-apigw-id': 'I7VAtGbNCYcF6Gg=',
   'x-amzn-trace-id': 'Root=1-6194686a-4dcb399b337a4519516e6e48'},
  'RetryAttempts': 0}}

In [51]:
# Copyright 2021 Amazon.com.
# SPDX-License-Identifier: MIT



In [52]:
iot_endpoint = iot_client.describe_endpoint(endpointType="iot:CredentialProvider")

In [53]:
endpoint = "https://{}/role-aliases/{}/credentials".format(
    iot_endpoint["endpointAddress"], role_alias_name
)

Get official Amazon Root CA file and upload to S3 bucket. 

In [54]:
!wget https://www.amazontrust.com/repository/AmazonRootCA1.pem

--2021-11-17 02:26:50--  https://www.amazontrust.com/repository/AmazonRootCA1.pem
Resolving www.amazontrust.com (www.amazontrust.com)... 99.86.61.68, 99.86.61.97, 99.86.61.114, ...
Connecting to www.amazontrust.com (www.amazontrust.com)|99.86.61.68|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1188 (1.2K) [text/plain]
Saving to: ‘AmazonRootCA1.pem.6’


2021-11-17 02:26:51 (145 MB/s) - ‘AmazonRootCA1.pem.6’ saved [1188/1188]



Use the endpoint to make an HTTPS request to the credentials' provider to return a security token. The following example command uses curl, but you can use any HTTP client.

**Optional: verify the credentials.**


In [55]:
!curl --cert iot.pem.crt --key iot_key.pem.key --cacert AmazonRootCA1.pem $endpoint

{"credentials":{"accessKeyId":"ASIATWWLVETIMYQYURIC","secretAccessKey":"Vk/DyOdKoX497W+YhTKzAWdaEAFFObBEYbPCn34a","sessionToken":"IQoJb3JpZ2luX2VjEOL//////////wEaCXVzLWVhc3QtMiJHMEUCIQCiO6TQYpaN6VYeLnklPAVCv3emQQYJGfK83tnNnCiQTQIgXqQiSSfqwMOHbE8YGt/Kx+355aZsQr0CaPD3RkB6b04q8gMInP//////////ARAAGgwyNTQ5MDM5MTk4MjQiDMXXJwK5qx+00I7TeSrGA5TbLKj7njlE2y6VduS/EeAzLIBPrmM5Agd1zopinFWe3Da472Fw4seqpiGyVDZc8RurbwYhhmEIShGCpueQBdeDk5Cjej0BKR9Q1yOfKSa2okjeT1bLjgy6nxXcn4uggeyIm3/AZk6Qlw9+J6KytWxYTAgoPrgkQ7bCvuU1Qq1NveQLgAOQeMMR9kqpnimJceMaVFhDmjaht8A4gsU/aXG7uzMIhUJotQpmrQva4YpiN7qmh9mq1YUzBtAcTx8/P7pfQXPuzXDWwiz3k8GvSslom3P1UvvBY5qLd65rjpnQ/aAmTildPVRRDhN1ShF5Pxw3q2N4jfTBPeEShlyi2wQK3InFl0oJ1ESq9n6rt2Z9GixRxSeB79A6348SL2m46aMN6Xs5B2Did/VXHZ0tbLCe09ruDh0sqwp2tiu26Q655PJ2WwcqVvYNn3F6CxI1cLskNPJko+UPviN267KeT7KvcWk4skgPJWz2xi4VYIH3lszdcTF/0dofEC8YjILcrHmauNpKUNrh06v8JvhlZ4RgZ0egbF423YlZ3E5fl/xdkbZ/dwtpUguwmra0T5WYdK0iD7R7W4Kdv5tBjoyj9ZtVEq1kgbww69DRjAY6wgFcHgfTBAP0TQIj+aXZIi8Mb9c+oGcqYn7wOwDnVZjvgRU6sm

If the certificate can be verified with the endpoint without error, upload certificate files to S3 bucket.

These files will be used in the [Setup SageMaker Edge Manager Agent](#Setup-Sagemaker-Edge-Manager-Agent) section on EC2/device as Credential Provider.

In [56]:
root_ca_path = sess.upload_data("AmazonRootCA1.pem", bucket, iot_folder)
device_cert_path = sess.upload_data("iot.pem.crt", bucket, iot_folder)
device_key_path = sess.upload_data("iot_key.pem.key", bucket, iot_folder)

## Inference on the Edge

In our example, we will use [AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html) to remotely perform actions on the EC2 instance. To see the SSM logs from CloudWatch, refer to [Install CloudWatch Agent section](#(Optional)Install-CloudWatch-Agent). 

Execution status of send_command is available in [AWS Systems Manager console](https://console.aws.amazon.com/systems-manager/run-command/complete-commands) command history.

In [57]:
ssm_client = boto3.client("ssm", region_name=region)

### Setup SageMaker Edge Agent

Download SageMaker Edge Agent binary examples to EC2 instance.

Please fetch the latest version of binaries from SageMaker Edge release bucket. For more information about [Inference engine (Edge Manager agent)](https://docs.aws.amazon.com/sagemaker/latest/dg/edge-device-fleet-about.html).

In [58]:
release_bucket_map = {
    "armv8": "sagemaker-edge-release-store-us-west-2-linux-armv8",
    "linux": "sagemaker-edge-release-store-us-west-2-linux-x64",
    "win64": "sagemaker-edge-release-store-us-west-2-windows-x64",
    "win32": "sagemaker-edge-release-store-us-west-2-windows-x86",
}

In [59]:
# In this example, we will run inference on Linux
release_bucket = release_bucket_map["linux"]

To download the artifacts, specify the `VERSION`. The `VERSION` is broken into three components: `<MAJOR_VERSION>.<YYYY-MM-DD>-<SHA-7>`, where:

- MAJOR_VERSION: The release version. The release version is currently set to 1.

- `<YYYY-MM-DD>`: Time stamp of the artifacts release.

- SHA-7: repository commit ID the release is built from.

We suggest you use the latest artifact release time stamp. Use the following to get the latest time stamp.

In [60]:
pick_version = !aws s3 ls s3://$release_bucket/Releases/ | sort -r

In [61]:
#print(pick_version[1])
version = ''.join(pick_version[0][31:-1])
print(version)

1.20210820.e20fa3a


In [62]:
# A version string from the above cell
#version = "1.20210820.e20fa3a"

In [63]:
response = ssm_client.send_command(
    InstanceIds=[instance_id],
    DocumentName="AWS-RunShellScript",
    OutputS3BucketName=bucket,
    OutputS3KeyPrefix=folder,
    Parameters={
        "commands": [
            "#!/bin/bash",
            "mkdir /demo",
            "aws s3 cp s3://{}/Releases/{}/{}.tgz demo.tgz".format(
                release_bucket, version, version
            ),
            "tar -xf demo.tgz -C /demo",
            "cd /demo/bin",
            "chmod +x sagemaker_edge_agent_binary",
            "chmod +x sagemaker_edge_agent_client_example",
        ]
    },
)

In [64]:
time.sleep(20)

In [65]:
ssm_client.get_command_invocation(
    CommandId=response["Command"]["CommandId"],
    InstanceId=instance_id,
)

{'CommandId': 'cf87860e-da84-4c86-8614-5563edab2627',
 'InstanceId': 'i-03880ae1c0078460b',
 'Comment': '',
 'DocumentName': 'AWS-RunShellScript',
 'DocumentVersion': '$DEFAULT',
 'PluginName': 'aws:runShellScript',
 'ResponseCode': 0,
 'ExecutionStartDateTime': '2021-11-17T02:26:53.745Z',
 'ExecutionElapsedTime': 'PT7.456S',
 'ExecutionEndDateTime': '2021-11-17T02:27:00.745Z',
 'Status': 'Success',
 'StatusDetails': 'Success',
 'StandardOutputContent': 'Completed 256.0 KiB/11.6 MiB (294.9 KiB/s) with 1 file(s) remaining\rCompleted 512.0 KiB/11.6 MiB (551.4 KiB/s) with 1 file(s) remaining\rCompleted 768.0 KiB/11.6 MiB (785.3 KiB/s) with 1 file(s) remaining\rCompleted 1.0 MiB/11.6 MiB (1.0 MiB/s) with 1 file(s) remaining    \rCompleted 1.2 MiB/11.6 MiB (1.3 MiB/s) with 1 file(s) remaining    \rCompleted 1.5 MiB/11.6 MiB (1.4 MiB/s) with 1 file(s) remaining    \rCompleted 1.8 MiB/11.6 MiB (1.7 MiB/s) with 1 file(s) remaining    \rCompleted 2.0 MiB/11.6 MiB (1.9 MiB/s) with 1 file(s) rema

Get model signing root certificates from the release bucket.

In [66]:
response = ssm_client.send_command(
    InstanceIds=[instance_id],
    DocumentName="AWS-RunShellScript",
    OutputS3BucketName=bucket,
    OutputS3KeyPrefix=folder,
    Parameters={
        "commands": [
            "#!/bin/bash",
            "cd /demo",
            "mkdir certificates",
            "aws s3 cp s3://{}/Certificates/{}/{}.pem certificates".format(
                release_bucket, region, region
            ),
            "chmod 400 certificates/*",
        ]
    },
)

In [67]:
time.sleep(20)

In [68]:
ssm_client.get_command_invocation(
    CommandId=response["Command"]["CommandId"],
    InstanceId=instance_id,
)

{'CommandId': '8dbbd5b6-f624-4793-b2f4-aad772966c90',
 'InstanceId': 'i-03880ae1c0078460b',
 'Comment': '',
 'DocumentName': 'AWS-RunShellScript',
 'DocumentVersion': '$DEFAULT',
 'PluginName': 'aws:runShellScript',
 'ResponseCode': 0,
 'ExecutionStartDateTime': '2021-11-17T02:27:13.520Z',
 'ExecutionElapsedTime': 'PT2.116S',
 'ExecutionEndDateTime': '2021-11-17T02:27:15.520Z',
 'Status': 'Success',
 'StatusDetails': 'Success',
 'StandardOutputContent': 'Completed 1.3 KiB/1.3 KiB (2.5 KiB/s) with 1 file(s) remaining\rdownload: s3://sagemaker-edge-release-store-us-west-2-linux-x64/Certificates/us-east-2/us-east-2.pem to certificates/us-east-2.pem\n',
 'StandardOutputUrl': 'https://s3.us-east-2.amazonaws.com/sagemaker-us-east-2-254903919824/DEMO-Sagemaker-Edge/8dbbd5b6-f624-4793-b2f4-aad772966c90/i-03880ae1c0078460b/awsrunShellScript/0.awsrunShellScript/stdout',
 'StandardErrorContent': '',
 'StandardErrorUrl': 'https://s3.us-east-2.amazonaws.com/sagemaker-us-east-2-254903919824/DEMO-Sag

Download IoT certificates, private key, models, and test images to the EC2 instance.

In [69]:
response = ssm_client.send_command(
    InstanceIds=[instance_id],
    DocumentName="AWS-RunShellScript",
    OutputS3BucketName=bucket,
    OutputS3KeyPrefix=folder,
    Parameters={
        "commands": [
            "#!/bin/bash",
            "cd /demo",
            "mkdir iot-credentials",
            "cd iot-credentials",
            "aws s3 cp " + root_ca_path + " .",
            "aws s3 cp " + device_cert_path + " .",
            "aws s3 cp " + device_key_path + " .",
            "cd /demo",
            "aws s3 cp " + keras_img_path + " .",
            "aws s3 cp " + keras_model_data + " .",
            "mkdir keras_model",
            "tar -xf " + keras_model_package + " -C keras_model",
        ]
    },
)

In [70]:
time.sleep(20)

In [71]:
ssm_client.get_command_invocation(
    CommandId=response["Command"]["CommandId"],
    InstanceId=instance_id,
)

{'CommandId': '379a9611-e665-4f9b-9246-12fc82939686',
 'InstanceId': 'i-03880ae1c0078460b',
 'Comment': '',
 'DocumentName': 'AWS-RunShellScript',
 'DocumentVersion': '$DEFAULT',
 'PluginName': 'aws:runShellScript',
 'ResponseCode': 0,
 'ExecutionStartDateTime': '2021-11-17T02:27:33.683Z',
 'ExecutionElapsedTime': 'PT4.068S',
 'ExecutionEndDateTime': '2021-11-17T02:27:37.683Z',
 'Status': 'Success',
 'StatusDetails': 'Success',
 'StandardOutputContent': 'Completed 1.2 KiB/1.2 KiB (17.8 KiB/s) with 1 file(s) remaining\rdownload: s3://sagemaker-us-east-2-254903919824/DEMO-Sagemaker-Edge/iot/AmazonRootCA1.pem to ./AmazonRootCA1.pem\nCompleted 1.2 KiB/1.2 KiB (20.2 KiB/s) with 1 file(s) remaining\rdownload: s3://sagemaker-us-east-2-254903919824/DEMO-Sagemaker-Edge/iot/iot.pem.crt to ./iot.pem.crt\nCompleted 1.6 KiB/1.6 KiB (27.5 KiB/s) with 1 file(s) remaining\rdownload: s3://sagemaker-us-east-2-254903919824/DEMO-Sagemaker-Edge/iot/iot_key.pem.key to ./iot_key.pem.key\nCompleted 147.1 KiB/

#### Configure SageMaker Edge Agent

Generate SageMaker Edge Agent configuration file. [For more information see the documentation](https://docs.aws.amazon.com/sagemaker/latest/dg/edge-device-fleet-about.html#edge-device-fleet-running-agent).

In [72]:
sagemaker_edge_config = {
    "sagemaker_edge_core_device_name": device_name,
    "sagemaker_edge_core_device_fleet_name": device_fleet_name,
    "sagemaker_edge_core_capture_data_buffer_size": 30,
    "sagemaker_edge_core_capture_data_batch_size": 10,
    "sagemaker_edge_core_capture_data_push_period_seconds": 4,
    "sagemaker_edge_core_folder_prefix": "demo_capture",
    "sagemaker_edge_core_region": region,
    "sagemaker_edge_core_root_certs_path": "/demo/certificates",
    "sagemaker_edge_provider_aws_ca_cert_file": "/demo/iot-credentials/AmazonRootCA1.pem",
    "sagemaker_edge_provider_aws_cert_file": "/demo/iot-credentials/iot.pem.crt",
    "sagemaker_edge_provider_aws_cert_pk_file": "/demo/iot-credentials/iot_key.pem.key",
    "sagemaker_edge_provider_aws_iot_cred_endpoint": endpoint,
    "sagemaker_edge_provider_provider": "Aws",
    "sagemaker_edge_provider_provider_path": "/demo/lib/libprovider_aws.so",
    "sagemaker_edge_provider_s3_bucket_name": bucket,
    "sagemaker_edge_core_capture_data_destination": "Cloud",
}

In [73]:
edge_config_file = open("sagemaker_edge_config.json", "w")
json.dump(sagemaker_edge_config, edge_config_file, indent=6)
edge_config_file.close()

Upload SageMaker Edge Agent configuration to an S3 bucket.

In [74]:
config_path = sess.upload_data("sagemaker_edge_config.json", bucket, iot_folder)

Download the config file to the EC2 instance.

In [75]:
response = ssm_client.send_command(
    InstanceIds=[instance_id],
    DocumentName="AWS-RunShellScript",
    OutputS3BucketName=bucket,
    OutputS3KeyPrefix=folder,
    Parameters={"commands": ["#!/bin/bash", "aws s3 cp " + config_path + " /demo"]},
)

In [76]:
time.sleep(20)

In [77]:
ssm_client.get_command_invocation(
    CommandId=response["Command"]["CommandId"],
    InstanceId=instance_id,
)

{'CommandId': 'f058cb27-c541-4abd-bf94-437a3cd32846',
 'InstanceId': 'i-03880ae1c0078460b',
 'Comment': '',
 'DocumentName': 'AWS-RunShellScript',
 'DocumentVersion': '$DEFAULT',
 'PluginName': 'aws:runShellScript',
 'ResponseCode': 0,
 'ExecutionStartDateTime': '2021-11-17T02:27:54.045Z',
 'ExecutionElapsedTime': 'PT0.857S',
 'ExecutionEndDateTime': '2021-11-17T02:27:54.045Z',
 'Status': 'Success',
 'StatusDetails': 'Success',
 'StandardOutputContent': 'Completed 1.2 KiB/1.2 KiB (19.3 KiB/s) with 1 file(s) remaining\rdownload: s3://sagemaker-us-east-2-254903919824/DEMO-Sagemaker-Edge/iot/sagemaker_edge_config.json to ../../../../demo/sagemaker_edge_config.json\n',
 'StandardOutputUrl': 'https://s3.us-east-2.amazonaws.com/sagemaker-us-east-2-254903919824/DEMO-Sagemaker-Edge/f058cb27-c541-4abd-bf94-437a3cd32846/i-03880ae1c0078460b/awsrunShellScript/0.awsrunShellScript/stdout',
 'StandardErrorContent': '',
 'StandardErrorUrl': 'https://s3.us-east-2.amazonaws.com/sagemaker-us-east-2-25490

#### Launch SageMaker Edge Agent

Initialize the SageMaker Edge Manager agent. Note that we are using a long timeout on this command. In production, we recommend running the agent as a daemon, using a service like systemd.

In [78]:
agent_out = ssm_client.send_command(
    InstanceIds=[instance_id],
    DocumentName="AWS-RunShellScript",
    TimeoutSeconds=24 * 60 * 60,
    OutputS3BucketName=bucket,
    OutputS3KeyPrefix=folder,
    Parameters={
        "commands": [
            "cd /demo",
            "rm -f /tmp/sagemaker_edge_agent_example.sock",
            "./bin/sagemaker_edge_agent_binary -a /tmp/sagemaker_edge_agent_example.sock -c sagemaker_edge_config.json",
        ]
    },
)

In [None]:
time.sleep(20)

### Load Model

In this section, we show the model management capabilities offered by SageMaker Edge Manager. We will load the two compiled and packaged models using the Agent. This keeps both models ready to run inference with. As you will see, once the models are loaded you can run multiple inferences as many times as necessary until the models are unloaded. This reliefs the client applications from the logic and operational burden of managing them separately. These models are now simply an API away from running inference with.

When loading the model with the SageMaker Edge Agent, the argument to the API points the Agent to a directory containing the packaged model (without any extraneous files within the directory). 

#### Load Keras model

`keras_model` is the path containing the packaged model in this notebook. `demo-keras` is the name given to this model. This name will be used later to refer to this model for, making predictions, capturing data, unload.

In [93]:
load_keras_model_out = ssm_client.send_command(
    InstanceIds=[instance_id],
    DocumentName="AWS-RunShellScript",
    OutputS3BucketName=bucket,
    OutputS3KeyPrefix=folder,
    Parameters={
        "commands": [
            "cd /demo",
            "./bin/sagemaker_edge_agent_client_example LoadModel keras_model demo-keras",
        ]
    },
)

In [94]:
time.sleep(20)

In [95]:
ssm_client.get_command_invocation(
    CommandId=load_keras_model_out["Command"]["CommandId"],
    InstanceId=instance_id,
)

{'CommandId': 'c4202c23-1c57-4114-8124-7d2407a8de36',
 'InstanceId': 'i-03880ae1c0078460b',
 'Comment': '',
 'DocumentName': 'AWS-RunShellScript',
 'DocumentVersion': '$DEFAULT',
 'PluginName': 'aws:runShellScript',
 'ResponseCode': 0,
 'ExecutionStartDateTime': '2021-11-17T02:33:53.030Z',
 'ExecutionElapsedTime': 'PT0.654S',
 'ExecutionEndDateTime': '2021-11-17T02:33:53.030Z',
 'Status': 'Success',
 'StatusDetails': 'Success',
 'StandardOutputContent': 'Model demo-keras located at /demo/keras_model loaded\nLoadModel succeeded\n',
 'StandardOutputUrl': 'https://s3.us-east-2.amazonaws.com/sagemaker-us-east-2-254903919824/DEMO-Sagemaker-Edge/c4202c23-1c57-4114-8124-7d2407a8de36/i-03880ae1c0078460b/awsrunShellScript/0.awsrunShellScript/stdout',
 'StandardErrorContent': '',
 'StandardErrorUrl': 'https://s3.us-east-2.amazonaws.com/sagemaker-us-east-2-254903919824/DEMO-Sagemaker-Edge/c4202c23-1c57-4114-8124-7d2407a8de36/i-03880ae1c0078460b/awsrunShellScript/0.awsrunShellScript/stderr',
 'Clo

### List Models

This API simply lists all the models and their names that are loaded by the Agent. Note that the names shown here are same as the ones provided during the LoadModel in the previous sections.

In [96]:
list_model_out = ssm_client.send_command(
    InstanceIds=[instance_id],
    DocumentName="AWS-RunShellScript",
    OutputS3BucketName=bucket,
    OutputS3KeyPrefix=folder,
    Parameters={"commands": ["cd /demo", "./bin/sagemaker_edge_agent_client_example ListModels"]},
)

In [97]:
time.sleep(20)

In [98]:
ssm_client.get_command_invocation(
    CommandId=list_model_out["Command"]["CommandId"],
    InstanceId=instance_id,
)

{'CommandId': '7168c4c5-10db-4b5e-8e72-cb2523e6ab93',
 'InstanceId': 'i-03880ae1c0078460b',
 'Comment': '',
 'DocumentName': 'AWS-RunShellScript',
 'DocumentVersion': '$DEFAULT',
 'PluginName': 'aws:runShellScript',
 'ResponseCode': 0,
 'ExecutionStartDateTime': '2021-11-17T02:34:54.853Z',
 'ExecutionElapsedTime': 'PT0.161S',
 'ExecutionEndDateTime': '2021-11-17T02:34:54.853Z',
 'Status': 'Success',
 'StatusDetails': 'Success',
 'StandardOutputContent': 'There are 1 models\nModel 0  demo-keras\nListModels succeeded\n',
 'StandardOutputUrl': 'https://s3.us-east-2.amazonaws.com/sagemaker-us-east-2-254903919824/DEMO-Sagemaker-Edge/7168c4c5-10db-4b5e-8e72-cb2523e6ab93/i-03880ae1c0078460b/awsrunShellScript/0.awsrunShellScript/stdout',
 'StandardErrorContent': '',
 'StandardErrorUrl': 'https://s3.us-east-2.amazonaws.com/sagemaker-us-east-2-254903919824/DEMO-Sagemaker-Edge/7168c4c5-10db-4b5e-8e72-cb2523e6ab93/i-03880ae1c0078460b/awsrunShellScript/0.awsrunShellScript/stderr',
 'CloudWatchOutpu

### Run Predict

In this API, we pass the model name, input data file that will be directly fed into the neural network, input tensor name that was passed earlier during the compilation phase, along with its size and shape.

#### Run prediction on Keras model

In [99]:
keras_predict_out = ssm_client.send_command(
    InstanceIds=[instance_id],
    DocumentName="AWS-RunShellScript",
    OutputS3BucketName=bucket,
    OutputS3KeyPrefix=folder,
    Parameters={
        "commands": [
            "cd /demo",
            "./bin/sagemaker_edge_agent_client_example Predict demo-keras keras.bmp input_1 224 224 3",
        ]
    },
)

In [100]:
time.sleep(20)

In [101]:
ssm_client.get_command_invocation(
    CommandId=keras_predict_out["Command"]["CommandId"],
    InstanceId=instance_id,
)

{'CommandId': '8479b9ef-66a6-4cd4-b0b4-2a24ea7a24c8',
 'InstanceId': 'i-03880ae1c0078460b',
 'Comment': '',
 'DocumentName': 'AWS-RunShellScript',
 'DocumentVersion': '$DEFAULT',
 'PluginName': 'aws:runShellScript',
 'ResponseCode': 0,
 'ExecutionStartDateTime': '2021-11-17T02:35:23.661Z',
 'ExecutionElapsedTime': 'PT0.319S',
 'ExecutionEndDateTime': '2021-11-17T02:35:23.661Z',
 'Status': 'Success',
 'StatusDetails': 'Success',
 'StandardOutputContent': 'Done reading the image\nPredict succeeded\nFlattened RAW Output Tensor:1\n9.15058e-05 0.000100904 5.23973e-05 7.08949e-05 0.000303289 6.65646e-06 5.73232e-05 0.000241127 7.62333e-05 7.42454e-05 0.000110309 4.28149e-05 7.65651e-05 0.000134373 0.000126301 0.000141554 0.000173317 3.45941e-05 6.91598e-05 3.83556e-05 0.000239026 4.75911e-05 7.32567e-05 0.000167223 8.44283e-05 8.9107e-05 0.000395354 0.000366951 0.000141887 1.91341e-05 0.000868919 0.000156764 5.34359e-05 3.37808e-05 6.51875e-05 0.00017874 0.000960836 0.000114277 0.000148988 0

### Capture Data

Capture the inputs and outputs of an inference call to cloud or disk. The specific parameters were configured earlier in the config file. 

In [88]:
keras_capture_out = ssm_client.send_command(
    InstanceIds=[instance_id],
    DocumentName="AWS-RunShellScript",
    OutputS3BucketName=bucket,
    OutputS3KeyPrefix=folder,
    Parameters={
        "commands": [
            "cd /demo",
            "./bin/sagemaker_edge_agent_client_example PredictAndCapture demo-keras keras.bmp input_1 224 224 3",
        ]
    },
)

In [89]:
time.sleep(20)

In [90]:
ssm_client.get_command_invocation(
    CommandId=keras_capture_out["Command"]["CommandId"],
    InstanceId=instance_id,
)

{'CommandId': 'fa2bf79a-4437-44a1-ab5c-1679ac66c876',
 'InstanceId': 'i-03880ae1c0078460b',
 'Comment': '',
 'DocumentName': 'AWS-RunShellScript',
 'DocumentVersion': '$DEFAULT',
 'PluginName': 'aws:runShellScript',
 'ResponseCode': 0,
 'ExecutionStartDateTime': '2021-11-17T02:29:14.984Z',
 'ExecutionElapsedTime': 'PT0.124S',
 'ExecutionEndDateTime': '2021-11-17T02:29:14.984Z',
 'Status': 'Success',
 'StatusDetails': 'Success',
 'StandardOutputContent': 'Model demo-keras has not been loaded\n',
 'StandardOutputUrl': 'https://s3.us-east-2.amazonaws.com/sagemaker-us-east-2-254903919824/DEMO-Sagemaker-Edge/fa2bf79a-4437-44a1-ab5c-1679ac66c876/i-03880ae1c0078460b/awsrunShellScript/0.awsrunShellScript/stdout',
 'StandardErrorContent': '',
 'StandardErrorUrl': 'https://s3.us-east-2.amazonaws.com/sagemaker-us-east-2-254903919824/DEMO-Sagemaker-Edge/fa2bf79a-4437-44a1-ab5c-1679ac66c876/i-03880ae1c0078460b/awsrunShellScript/0.awsrunShellScript/stderr',
 'CloudWatchOutputConfig': {'CloudWatchLog

### Unload Model

After unloading a model, the same name can be reused for future `LoadModel` APIs calls.

In [102]:
unload_model_out = ssm_client.send_command(
    InstanceIds=[instance_id],
    DocumentName="AWS-RunShellScript",
    OutputS3BucketName=bucket,
    OutputS3KeyPrefix=folder,
    Parameters={
        "commands": [
            "cd /demo",
            "./bin/sagemaker_edge_agent_client_example UnloadModel demo-keras",
        ]
    },
)

In [103]:
ssm_client.get_command_invocation(
    CommandId=unload_model_out["Command"]["CommandId"],
    InstanceId=instance_id,
)

{'CommandId': 'b5f91409-7161-483a-8148-af384818f153',
 'InstanceId': 'i-03880ae1c0078460b',
 'Comment': '',
 'DocumentName': 'AWS-RunShellScript',
 'DocumentVersion': '$DEFAULT',
 'PluginName': 'aws:runShellScript',
 'ResponseCode': 0,
 'ExecutionStartDateTime': '2021-11-17T02:49:54.870Z',
 'ExecutionElapsedTime': 'PT0.152S',
 'ExecutionEndDateTime': '2021-11-17T02:49:54.870Z',
 'Status': 'Success',
 'StatusDetails': 'Success',
 'StandardOutputContent': 'Model demo-keras has been unloaded\nUnLoadModel succeeded\n',
 'StandardOutputUrl': 'https://s3.us-east-2.amazonaws.com/sagemaker-us-east-2-254903919824/DEMO-Sagemaker-Edge/b5f91409-7161-483a-8148-af384818f153/i-03880ae1c0078460b/awsrunShellScript/0.awsrunShellScript/stdout',
 'StandardErrorContent': '',
 'StandardErrorUrl': 'https://s3.us-east-2.amazonaws.com/sagemaker-us-east-2-254903919824/DEMO-Sagemaker-Edge/b5f91409-7161-483a-8148-af384818f153/i-03880ae1c0078460b/awsrunShellScript/0.awsrunShellScript/stderr',
 'CloudWatchOutputCon

## Clean Up

Stop the Agent

In [104]:
ssm_client.cancel_command(CommandId=agent_out["Command"]["CommandId"], InstanceIds=[instance_id])

{'ResponseMetadata': {'RequestId': 'b1457873-7493-407d-aa12-ce3dea7421d6',
  'HTTPStatusCode': 200,
  'HTTPHeaders': {'server': 'Server',
   'date': 'Wed, 17 Nov 2021 02:50:20 GMT',
   'content-type': 'application/x-amz-json-1.1',
   'content-length': '2',
   'connection': 'keep-alive',
   'x-amzn-requestid': 'b1457873-7493-407d-aa12-ce3dea7421d6'},
  'RetryAttempts': 0}}

Stop the EC2 instance

In [105]:
ec2_client.stop_instances(InstanceIds=[instance_id])

{'StoppingInstances': [{'CurrentState': {'Code': 64, 'Name': 'stopping'},
   'InstanceId': 'i-03880ae1c0078460b',
   'PreviousState': {'Code': 16, 'Name': 'running'}}],
 'ResponseMetadata': {'RequestId': '16363ce1-c07b-4979-9d8b-f92114a0a949',
  'HTTPStatusCode': 200,
  'HTTPHeaders': {'x-amzn-requestid': '16363ce1-c07b-4979-9d8b-f92114a0a949',
   'cache-control': 'no-cache, no-store',
   'strict-transport-security': 'max-age=31536000; includeSubDomains',
   'content-type': 'text/xml;charset=UTF-8',
   'content-length': '579',
   'date': 'Wed, 17 Nov 2021 02:50:21 GMT',
   'server': 'AmazonEC2'},
  'RetryAttempts': 0}}

Detach and delete policy

In [106]:
iot_client.detach_policy(policyName=policy_name, target=iot_cert["certificateArn"])

iot_client.delete_policy(policyName=policy_name)

{'ResponseMetadata': {'RequestId': 'c515f45a-567f-43a9-9e43-38ce319f21e0',
  'HTTPStatusCode': 200,
  'HTTPHeaders': {'date': 'Wed, 17 Nov 2021 02:50:25 GMT',
   'content-type': 'application/json',
   'content-length': '0',
   'connection': 'keep-alive',
   'x-amzn-requestid': 'c515f45a-567f-43a9-9e43-38ce319f21e0',
   'access-control-allow-origin': '*',
   'x-amz-apigw-id': 'I7YdyGfYCYcF7DQ=',
   'x-amzn-trace-id': 'Root=1-61946df1-3e505ae22c5078c867e85727'},
  'RetryAttempts': 0}}

Deregister device and delete device fleet

In [107]:
sagemaker_client.deregister_devices(DeviceFleetName=device_fleet_name, DeviceNames=[device_name])

sagemaker_client.delete_device_fleet(DeviceFleetName=device_fleet_name)

{'ResponseMetadata': {'RequestId': '93669370-5f39-4ee0-9573-b1636cb1e856',
  'HTTPStatusCode': 200,
  'HTTPHeaders': {'x-amzn-requestid': '93669370-5f39-4ee0-9573-b1636cb1e856',
   'content-type': 'application/x-amz-json-1.1',
   'content-length': '0',
   'date': 'Wed, 17 Nov 2021 02:50:28 GMT'},
  'RetryAttempts': 0}}

## Appendix

### (Optional)Install CloudWatch Agent 

In [None]:
CW_log_config = {
    "agent": {
        "metrics_collection_interval": 10,
        "logfile": "/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log",
    },
    "logs": {
        "logs_collected": {
            "files": {
                "collect_list": [
                    {
                        "file_path": "/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log",
                        "log_group_name": "amazon-cloudwatch-agent.log",
                        "log_stream_name": "amazon-cloudwatch-agent.log",
                        "timezone": "UTC",
                    },
                    {
                        "file_path": "/opt/aws/amazon-cloudwatch-agent/logs/test.log",
                        "log_group_name": "test.log",
                        "log_stream_name": "test.log",
                        "timezone": "Local",
                    },
                ]
            }
        },
        "log_stream_name": "my_log_stream_name",
        "force_flush_interval": 15,
    },
}

In [None]:
CW_file = open("cloudwatch.json", "w")
json.dump(CW_log_config, CW_file, indent=6)
CW_file.close()

In [None]:
CW_config_path = sess.upload_data("cloudwatch.json", bucket, iot_folder)

In [None]:
ssm_client.send_command(
    InstanceIds=[instance_id],
    DocumentName="AWS-RunShellScript",
    OutputS3BucketName=bucket,
    OutputS3KeyPrefix=folder,
    Parameters={
        "commands": [
            "#!/bin/bash",
            "aws s3 cp "
            + CW_config_path
            + " /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json",
        ]
    },
)

In [None]:
ssm_client.send_command(
    InstanceIds=[instance_id],
    DocumentName="AWS-RunShellScript",
    OutputS3BucketName=bucket,
    OutputS3KeyPrefix=folder,
    Parameters={
        "commands": [
            "#!/bin/bash",
            "wget https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb",
            "sudo dpkg -i -E ./amazon-cloudwatch-agent.deb",
        ]
    },
)

Install Cloud Watch Agent to SSM agent.

In [None]:
ssm_client.send_command(
    DocumentName="AWS-ConfigureAWSPackage",
    DocumentVersion="1",
    OutputS3BucketName=bucket,
    OutputS3KeyPrefix=folder,
    Targets=[
        {"Key": "InstanceIds", "Values": [instance_id]},
    ],
    TimeoutSeconds=600,
    Parameters={"action": ["Install"], "name": ["AmazonCloudWatchAgent"]},
    MaxConcurrency="50",
    MaxErrors="0",
)

To debug with CloudWatch, add a parameter `CloudWatchOutputConfig` to `send_command`
```
CloudWatchOutputConfig={
    'CloudWatchOutputEnabled': True
}
```

Example:
```
ssm_client.send_command(
    InstanceIds=[instance_id],
    DocumentName="AWS-RunShellScript",
    OutputS3BucketName=bucket,
    OutputS3KeyPrefix=folder,
    CloudWatchOutputConfig={
        'CloudWatchOutputEnabled': True
    },
    Parameters={
        'commands':[
            "cd /demo",
            "./bin/neo_agent_binary -a /tmp/sagemaker_edge_agent_example.sock -c neo_config.json" 
        ]
    }
)
```

Running log can be found in cloud watch log group `/aws/ssm/AWS-RunShellScript`