Permission issue with boto3 on greengrass v2 device

0

Hi there,

I have this error:

An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied. {scriptName=services.media_camera.lifecycle.Run, serviceName=media_camera, currentState=RUNNING}

Here is my token-exchange-role policy:

RealiteGGTokenAccessPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: "realite-greengrassv2-token-exchange-access-policy"
      Description: "Allow gg device core to use AWS backend services"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - iot:DescribeCertificate
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
              - logs:DescribeLogStreams
              - s3:GetBucketLocation
              - s3:PutObject
              - s3:GetObject
              - s3:ListBucket
              - s3:ListObjects
              - kinesis:PutRecords

            Resource: "*"

          - Effect: Allow
            Action:
              - secretsmanager:GetSecretValue
            Resource:
              - Fn::ImportValue: !Sub ${EnvironmentTag}:RealiteSecretsCameraCredentialsSecret
      Roles:
        - !Ref RealiteGGTokenAccessRole

I wonder where that permission problem can come from.

Thanks for your help

posted 2 years ago, 436 views
4 Answers
2

Hi there, is this policy attached to your token-exchange-role? If not, attach it and retry. If it is attached, maybe try attaching the AmazonS3FullAccess policy to your role for test purposes to see if it successfully lists objects from S3 with that policy attached. If yes, it's a good start to further investigate what's wrong with your policy. If not, you probably need to check issues like whether your device is using the correct alias pointing to the correct role, etc.

Lihao
answered 2 years ago
0

Hi Lihao,

I have double checked and it looks like everything is correctly configured: the thing cert is attached to an IoT policy which assumes the token-exchange role via an IoT role alias. I also added s3:* to the policy and the role.

Also, the device can provision itself, and it can send data to AWS IoT.

Here is the thing policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive",
        "iot:Connect",
        "greengrass:*",
        "s3:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:AssumeRoleWithCertificate",
      "Resource": [
        "arn:aws:iot:::rolealias/greengrass-core-token-exchange-role-alias"
      ]
    }
  ]
}
answered 2 years ago
0

Hi,

Thank you for sharing more details. Your IoT Thing policy looks correct. Can you confirm that:

  1. the token exchange role policy is correctly formatted
  2. the IoT role alias is attached to the correct IAM role with the correct role ARN
  3. the IAM token exchange role has the right trust policy to allow the role to be assumed (example policy from the docs listed below)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "credentials.iot.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Thanks,
Navya.

AWS
answered 2 years ago
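The three checks in the answer above, as an added example that is not part of the original thread: the trust-policy and identity-policy checks run offline against constructed sample policies modelled on the ones posted here, and check_live_chain is the live equivalent, which assumes boto3 plus credentials permitted to call iot:DescribeRoleAlias, iam:GetRole and iam:SimulatePrincipalPolicy (it is not invoked by the sample itself).

```python
import re

# Constructed sample policies, modelled on the ones posted in this thread (not from a live account).
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "credentials.iot.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"], "Resource": "*"},
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:camera-credentials-AbCdEf"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(pattern, value, case_insensitive):
    # IAM wildcard semantics: '*' matches any run, '?' one character, no [...] classes.
    regex = ".*".join(re.escape(p).replace(r"\?", ".") for p in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE if case_insensitive else 0) is not None

def trust_allows_iot_credentials(trust_policy):
    """Check 3: may the IoT credentials provider sts:AssumeRole this role?"""
    for st in trust_policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        services = _as_list(st.get("Principal", {}).get("Service", []))
        if "credentials.iot.amazonaws.com" in services and any(
                _glob(a, "sts:AssumeRole", True) for a in _as_list(st.get("Action", []))):
            return True
    return False

def policy_decision(policy, action, resource):
    """Check 1, offline: evaluate one identity policy for (action, resource).
    Returns 'allowed', 'explicitDeny' or 'implicitDeny'; NotAction/NotResource/Condition are ignored."""
    decision = "implicitDeny"
    for st in policy["Statement"]:
        act_hit = any(_glob(a, action, True) for a in _as_list(st.get("Action", [])))
        res_hit = any(_glob(r, resource, False) for r in _as_list(st.get("Resource", [])))
        if act_hit and res_hit:
            if st["Effect"] == "Deny":
                return "explicitDeny"   # an explicit Deny always wins
            decision = "allowed"
    return decision

def check_live_chain(role_alias, bucket, region):
    """Checks 2 and 3 against a live account (assumption: boto3 installed, admin credentials present)."""
    import boto3
    iot, iam = boto3.client("iot", region_name=region), boto3.client("iam")
    role_arn = iot.describe_role_alias(roleAlias=role_alias)["roleAliasDescription"]["roleArn"]
    role = iam.get_role(RoleName=role_arn.rsplit("/", 1)[1])["Role"]
    sim = iam.simulate_principal_policy(PolicySourceArn=role_arn, ActionNames=["s3:ListBucket"],
                                        ResourceArns=[f"arn:aws:s3:::{bucket}"])
    return {"role_arn": role_arn, "trust_ok": trust_allows_iot_credentials(role["AssumeRolePolicyDocument"]),
            "list_bucket": sim["EvaluationResults"][0]["EvalDecision"]}
```

Note that the API call boto3 makes for ListObjects is authorised by the s3:ListBucket action on the bucket ARN, so the resource passed to the check is the bucket, not an object key.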
0

Hi Navya, thanks for your response.

I found the problem, it was just a silly mistake. I referenced the wrong env variable, so it used the wrong bucket.

answered 2 years ago
