V2 shadow sample and usage guide

aws · bretambrose · Jun 27, 2025 · Apr 30, 2025 · May 2, 2025 · May 6, 2025
commit cd10937b5170f281586f7e15cfd5aafc2eae8a65
diff --git a/codebuild/samples/shadow-linux.sh b/codebuild/samples/shadow-linux.sh
@@ -10,7 +10,7 @@ pushd $CODEBUILD_SRC_DIR/samples/
 ENDPOINT=$(aws secretsmanager get-secret-value --secret-id "ci/endpoint" --query "SecretString" | cut -f2 -d":" | sed -e 's/[\\\"\}]//g')
 
 echo "Shadow test"
-python3 shadow.py --endpoint $ENDPOINT --key /tmp/privatekey.pem --cert /tmp/certificate.pem --thing_name CI_CodeBuild_Thing --is_ci true
-python3 shadow_mqtt5.py --endpoint $ENDPOINT --key /tmp/privatekey.pem --cert /tmp/certificate.pem --thing_name CI_CodeBuild_Thing --is_ci true
+python3 deprecated/shadow.py --endpoint $ENDPOINT --key /tmp/privatekey.pem --cert /tmp/certificate.pem --thing_name CI_CodeBuild_Thing --is_ci true
+python3 deprecated/shadow_mqtt5.py --endpoint $ENDPOINT --key /tmp/privatekey.pem --cert /tmp/certificate.pem --thing_name CI_CodeBuild_Thing --is_ci true
 
 popd
diff --git a/samples/README.md b/samples/README.md
@@ -9,7 +9,6 @@
 * [MQTT5 Shared Subscription](./mqtt5_shared_subscription.md)
 * [MQTT5 PKCS#11 Connect](./mqtt5_pkcs11_connect.md)
 * [MQTT5 Custom Authorizer Connect](./mqtt5_custom_authorizer_connect.md)
-* [MQTT5 Shadow](./shadow_mqtt5.md)
 * [MQTT5 Jobs](./jobs_mqtt5.md)
 * [MQTT5 Fleet Provisioning](./fleetprovisioning_mqtt5.md)
 ## MQTT311 Samples
@@ -22,10 +21,10 @@
 * [Custom Authorizer Connect](./custom_authorizer_connect.md)
 * [Cognito Connect](./cognito_connect.md)
 * [X509 Connect](./x509_connect.md)
-* [Shadow](./shadow.md)
 * [Jobs](./jobs.md)
 * [Fleet Provisioning](./fleetprovisioning.md)
 ## Other
+* [Shadow](./shadow.md)
 * [Greengrass Discovery](./basic_discovery.md)
 * [Greengrass IPC](./ipc_greengrass.md)
 

diff --git a/samples/deprecated/shadow.md b/samples/deprecated/shadow.md
@@ -0,0 +1,87 @@
+# Shadow
+
+[**Return to main sample list**](./README.md)
+
+This sample uses the AWS IoT [Device Shadow](https://docs.aws.amazon.com/iot/latest/developerguide/iot-device-shadows.html) Service to keep a property in sync between device and server. Imagine a light whose color may be changed through an app, or set by a local user.
+
+Once connected, type a value in the terminal and press Enter to update the property's "reported" value. The sample also responds when the "desired" value changes on the server. To observe this, edit the Shadow document in the AWS Console and set a new "desired" value.
+
+On startup, the sample requests the shadow document to learn the property's initial state. The sample also subscribes to "delta" events from the server, which are sent when a property's "desired" value differs from its "reported" value. When the sample learns of a new desired value, that value is changed on the device and an update is sent to the server with the new "reported" value.
+
+Your IoT Core Thing's [Policy](https://docs.aws.amazon.com/iot/latest/developerguide/iot-policies.html) must provide privileges for this sample to connect, subscribe, publish, and receive. Below is a sample policy that can be used on your IoT Core Thing that will allow this sample to run as intended.
+
+<details>
+<summary>Sample Policy</summary>
+<pre>
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iot:Publish"
+      ],
+      "Resource": [
+        "arn:aws:iot:<b>region</b>:<b>account</b>:topic/$aws/things/<b>thingname</b>/shadow/get",
+        "arn:aws:iot:<b>region</b>:<b>account</b>:topic/$aws/things/<b>thingname</b>/shadow/update"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iot:Receive"
+      ],
+      "Resource": [
+        "arn:aws:iot:<b>region</b>:<b>account</b>:topic/$aws/things/<b>thingname</b>/shadow/get/accepted",
+        "arn:aws:iot:<b>region</b>:<b>account</b>:topic/$aws/things/<b>thingname</b>/shadow/get/rejected",
+        "arn:aws:iot:<b>region</b>:<b>account</b>:topic/$aws/things/<b>thingname</b>/shadow/update/accepted",
+        "arn:aws:iot:<b>region</b>:<b>account</b>:topic/$aws/things/<b>thingname</b>/shadow/update/rejected",
+        "arn:aws:iot:<b>region</b>:<b>account</b>:topic/$aws/things/<b>thingname</b>/shadow/update/delta"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iot:Subscribe"
+      ],
+      "Resource": [
+        "arn:aws:iot:<b>region</b>:<b>account</b>:topicfilter/$aws/things/<b>thingname</b>/shadow/get/accepted",
+        "arn:aws:iot:<b>region</b>:<b>account</b>:topicfilter/$aws/things/<b>thingname</b>/shadow/get/rejected",
+        "arn:aws:iot:<b>region</b>:<b>account</b>:topicfilter/$aws/things/<b>thingname</b>/shadow/update/accepted",
+        "arn:aws:iot:<b>region</b>:<b>account</b>:topicfilter/$aws/things/<b>thingname</b>/shadow/update/rejected",
+        "arn:aws:iot:<b>region</b>:<b>account</b>:topicfilter/$aws/things/<b>thingname</b>/shadow/update/delta"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": "iot:Connect",
+      "Resource": "arn:aws:iot:<b>region</b>:<b>account</b>:client/test-*"
+    }
+  ]
+}
+</pre>
+
+Replace with the following with the data from your AWS account:
+* `<region>`: The AWS IoT Core region where you created your AWS IoT Core thing you wish to use with this sample. For example `us-east-1`.
+* `<account>`: Your AWS IoT Core account ID. This is the set of numbers in the top right next to your AWS account name when using the AWS IoT Core website.
+* `<thingname>`: The name of your AWS IoT Core thing you want the device connection to be associated with
+
+Note that in a real application, you may want to avoid the use of wildcards in your ClientID or use them selectively. Please follow best practices when working with AWS on production applications using the SDK. Also, for the purposes of this sample, please make sure your policy allows a client ID of `test-*` to connect or use `--client_id <client ID here>` to send the client ID your policy supports.
+
+</details>
+
+## How to run
+
+To run the Shadow sample from the `samples` folder, use the following command:
+
+``` sh
+# For Windows: replace 'python3' with 'python' and '/' with '\'
+python3 shadow.py --endpoint <endpoint> --cert <file> --key <file> --thing_name <name>
+```
+
+You can also pass a Certificate Authority file (CA) if your certificate and key combination requires it:
+
+``` sh
+# For Windows: replace 'python3' with 'python' and '/' with '\'
+python3 shadow.py --endpoint <endpoint> --cert <file> --key <file> --thing_name <name> --ca_file <file>
+```