Setting up Greengrass core device fails


I am following

https://docs.aws.amazon.com/greengrass/v2/developerguide/quick-installation.html?icmpid=docs_gg_console#provide-installer-aws-credentials

with "Use long-term credentials from an IAM user:", and am getting this error:

[ggc_user@localhost Downloads]$ sudo -E java -Droot="/greengrass/v2" -Dlog.store=FILE -jar ./GreengrassInstaller/lib/Greengrass.jar --aws-region us-east-1 --thing-name aws-greengrass-core --thing-group-name GreengrassQuickStartGroup --component-default-user ggc_user:ggc_group --provision true --setup-system-service true --deploy-dev-tools true
[sudo] password for ggc_user:
Provisioning AWS IoT resources for the device with IoT Thing Name: [aws-greengrass-core]...
Creating new IoT policy "GreengrassV2IoTThingPolicy"
Creating keys and certificate...
Attaching policy to certificate...
Creating IoT Thing "aws-greengrass-core"...
Attaching certificate to IoT thing...
Successfully provisioned AWS IoT resources for the device with IoT Thing Name: [aws-greengrass-core]!
Adding IoT Thing [aws-greengrass-core] into Thing Group: [GreengrassQuickStartGroup]...
Successfully added Thing into Thing Group: [GreengrassQuickStartGroup]
Setting up resources for aws.greengrass.TokenExchangeService ...
TES role alias "GreengrassV2TokenExchangeRoleAlias" does not exist, creating new alias...
Error while trying to setup Greengrass Nucleus
software.amazon.awssdk.services.iam.model.IamException: User: arn:aws:iam::409128494776:user/AWS_tutorial_user is not authorized to perform: iam:GetRole on resource: role GreengrassV2TokenExchangeRole because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: c80df0ec-c733-4b37-ad0f-5142849d1f69)
        at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handleErrorResponse(CombinedResponseHandler.java:125)
        at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handleResponse(CombinedResponseHandler.java:82)
        at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handle(CombinedResponseHandler.java:60)
        at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handle(CombinedResponseHandler.java:41)
... skipped MANY more lines of stack trace
        Suppressed: software.amazon.awssdk.core.exception.SdkClientException: Request attempt 4 failure: User: arn:aws:iam::409128494776:user/AWS_tutorial_user is not authorized to perform: iam:GetRole on resource: role GreengrassV2TokenExchangeRole because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 996260cd-16ca-4750-9acb-71df76658acc)
        Suppressed: software.amazon.awssdk.core.exception.SdkClientException: Request attempt 5 failure: User: arn:aws:iam::409128494776:user/AWS_tutorial_user is not authorized to perform: iam:GetRole on resource: role GreengrassV2TokenExchangeRole because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 21d68b6d-3b79-42ae-ae1c-7a785db21c6c)

What do I need to do?

Asked a month ago, 84 views
2 answers

Seems like the role GreengrassV2TokenExchangeRole doesn't have the right permissions to grant access to IoT services (IoT Core). Please check whether the role has the GreengrassV2TokenExchangeRoleAccess policy attached and a trust relationship that allows credentials.iot.amazonaws.com to assume the role. The policy includes the minimum permissions for the core device.

More details can be found here: https://docs.aws.amazon.com/greengrass/v2/developerguide/device-service-role.html

AWS
akad
answered a month ago
Expert
A_J
reviewed a month ago

Hi. The problem is the permissions that AWS_tutorial_user has.

Please refer to here: https://docs.aws.amazon.com/greengrass/v2/developerguide/quick-installation.html#provide-installer-aws-credentials.

Provide your AWS credentials to your device so that the installer can provision the required AWS resources. For more information about the required permissions, see Minimal IAM policy for installer to provision resources.

So, to perform the Greengrass quick/automatic provisioning, the AWS CLI credentials on the device must have this minimal policy: https://docs.aws.amazon.com/greengrass/v2/developerguide/provision-minimal-iam-policy.html.

The error you're seeing indicates that your AWS_tutorial_user user does not have the iam:GetRole permission.

AWS
Expert
Greg_B
answered a month ago
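The two answers agree on the practical diagnosis: the installer's provisioning credentials must carry the minimal IAM policy, and the log tells you exactly which action was refused. The script below is an added example for this thread (not part of the Greengrass installer or the AWS documentation): it parses the standard "User: ... is not authorized to perform: ..." denial lines out of an installer log, builds an `aws iam simulate-principal-policy` command you can run to confirm a policy fix before rerunning the installer, and emits a least-privilege IAM statement for each denied action. The sample log is constructed from the question above with the account ID and request IDs replaced by placeholders, plus one made-up denial of the same shape against an IoT resource; the mapping of IAM's "role NAME" wording onto an ARN is an assumption noted in the code.

```python
"""Turn the Greengrass installer's AccessDenied messages into a permission
check and least-privilege IAM statements.

Added example for this thread, not code from the installer or the AWS docs.
Assumes only the standard AWS denial message format; the account ID and
request IDs in the sample are placeholders.
"""
import json
import re
import shlex

# Constructed sample log: the denial from the question (placeholder account and
# request IDs), one of its suppressed retries, and a made-up IoT denial of the
# same shape to show that ARN-form resources are kept as they are.
SAMPLE_LOG = """\
Error while trying to setup Greengrass Nucleus
software.amazon.awssdk.services.iam.model.IamException: User: arn:aws:iam::123456789012:user/AWS_tutorial_user is not authorized to perform: iam:GetRole on resource: role GreengrassV2TokenExchangeRole because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 00000000-0000-0000-0000-000000000000)
        Suppressed: software.amazon.awssdk.core.exception.SdkClientException: Request attempt 4 failure: User: arn:aws:iam::123456789012:user/AWS_tutorial_user is not authorized to perform: iam:GetRole on resource: role GreengrassV2TokenExchangeRole because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 00000000-0000-0000-0000-000000000001)
User: arn:aws:iam::123456789012:user/AWS_tutorial_user is not authorized to perform: iot:CreateThing on resource: arn:aws:iot:us-east-1:123456789012:thing/aws-greengrass-core because no identity-based policy allows the iot:CreateThing action
"""

# Standard AWS denial wording: principal ARN, "service:Action", then the resource,
# which IAM phrases as "<type> <name>" and most other services as a full ARN.
_DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:iam::(?P<account>\d{12}):\S+) "
    r"is not authorized to perform: (?P<action>[a-z0-9-]+:[A-Za-z0-9*]+) "
    r"on resource: (?P<resource>.+?)(?: because| \(Service:|$)"
)


def parse_access_denied(line):
    """Return {principal, account, action, resource} for a denial line, else None."""
    m = _DENIED_RE.search(line)
    if not m:
        return None
    return {
        "principal": m.group("principal"),
        "account": m.group("account"),
        "action": m.group("action"),
        "resource": m.group("resource").strip(),
    }


def resource_arn(parsed):
    """Normalise the denied resource to an ARN usable in a policy or simulation."""
    res = parsed["resource"]
    if res.startswith("arn:"):
        return res
    # Assumption: IAM's "<type> <name>" wording maps onto the IAM ARN path
    # (role/, user/, group/, policy/) in the same account as the principal.
    kind, _, name = res.partition(" ")
    if kind in ("role", "user", "group", "policy") and name:
        return f"arn:aws:iam::{parsed['account']}:{kind}/{name}"
    return res


def minimal_statement(parsed):
    """Least-privilege statement granting exactly the denied action on the resource."""
    return {"Effect": "Allow", "Action": parsed["action"], "Resource": resource_arn(parsed)}


def policy_from_log(log_text):
    """Collect every distinct denial in an installer log into one policy document.
    Retries (the 'Suppressed: Request attempt N' lines) collapse into one statement."""
    seen = {}
    for line in log_text.splitlines():
        parsed = parse_access_denied(line)
        if parsed is None:
            continue
        seen.setdefault((parsed["action"], resource_arn(parsed)), minimal_statement(parsed))
    return {"Version": "2012-10-17", "Statement": list(seen.values())}


def simulate_command(parsed):
    """Build (not run) the CLI call that asks IAM whether the principal may now
    perform the denied action; 'allowed' means the installer will get past it."""
    argv = [
        "aws", "iam", "simulate-principal-policy",
        "--policy-source-arn", parsed["principal"],
        "--action-names", parsed["action"],
        "--resource-arns", resource_arn(parsed),
        "--query", "EvaluationResults[].EvalDecision",
        "--output", "text",
    ]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    doc = policy_from_log(SAMPLE_LOG)
    print(json.dumps(doc, indent=2))
    for stmt in doc["Statement"]:
        parsed = {"principal": "arn:aws:iam::123456789012:user/AWS_tutorial_user",
                  "account": "123456789012", "action": stmt["Action"],
                  "resource": stmt["Resource"]}
        print(simulate_command(parsed))
```

Use this as a check, not as a substitute for the documented minimal policy: the installer fails at the first denied call, so a policy built only from one log will surface the next missing action (iam:CreateRole, iam:PassRole, and so on) on the next run. Attach the minimal policy from the provisioning doc to the tutorial user, run the generated `simulate-principal-policy` command until it prints `allowed`, then rerun the installer; resist widening the grant to `iam:*`, since these are long-term credentials sitting on the device.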
