Permission issue with boto3 on greengrass v2 device

0

Hi there,

I am having this error:

An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied. {scriptName=services.media_camera.lifecycle.Run, serviceName=media_camera, currentState=RUNNING}

Here is my token-exchange-role:

RealiteGGTokenAccessPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: "realite-greengrassv2-token-exchange-access-policy"
      Description: "Allow gg device core to use AWS backend services"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - iot:DescribeCertificate
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
              - logs:DescribeLogStreams
              - s3:GetBucketLocation
              - s3:PutObject
              - s3:GetObject
              - s3:ListBucket    # this is the action that authorises ListObjects/ListObjectsV2
              - s3:ListObjects   # not an IAM action; harmless but has no effect
              - kinesis:PutRecords
            Resource: "*"
          - Effect: Allow
            Action:
              - secretsmanager:GetSecretValue
            Resource:
              - Fn::ImportValue: !Sub ${EnvironmentTag}:RealiteSecretsCameraCredentialsSecret
      Roles:
        - !Ref RealiteGGTokenAccessRole

I wonder where that permission error can come from.

Thanks for your help

Asked 2 years ago, 437 views
4 answers
2

Hi there. Has this policy been attached to your token-exchange-role? If not, attach it and retry. If it is attached, maybe try attaching the AmazonS3FullAccess policy to your role for test purposes to see if it successfully lists objects from S3 with that policy attached. If yes, it's a good start to further investigate what's wrong with your policy. If not, you probably need to check issues like whether your device is using the correct alias pointing to the correct role, etc.

Lihao
Answered 2 years ago
0

Hi Lihao,

I have double-checked and it looks like everything is correctly configured: the thing cert is attached to an IoT policy which assumes the token exchange role via an IoT role alias. I also added s3:* to the policy and the role.

Also, the device can provision itself, and it can send data to AWS IoT.

Here is the thing policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive",
        "iot:Connect",
        "greengrass:*",
        "s3:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:AssumeRoleWithCertificate",
      "Resource": [
        "arn:aws:iot:::rolealias/greengrass-core-token-exchange-role-alias"
      ]
    }
  ]
}
Answered 2 years ago
0

Hi,

Thank you for sharing more details. Your IoT Thing policy looks correct. Can you confirm that

  1. the token exchange role policy is correctly formatted
  2. the IoT role alias is attached to the correct IAM role with the correct role ARN
  3. the IAM token exchange role has the right trust policy to assume the role (example policy from the docs listed below)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "credentials.iot.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Thanks,
Navya.

AWS
Answered 2 years ago
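One way to run the checks from Lihao's and Navya's answers offline, before touching the device again, as an added example that is not code from this thread. It works on documents you have already fetched: the token exchange role's permissions policy (the question's YAML, as JSON), its trust policy (Navya's document), the JSON printed by `aws iot describe-role-alias`, and the environment the component runs with. The function names, the role alias description, the account ID, the environment variables and the bucket names are all constructed for the example; the IAM evaluator is a deliberate simplification (no conditions, no NotAction, no resource policies).

```python
"""Offline pre-flight checks for a Greengrass v2 component that reaches S3 via the
token exchange service. Added example, not code from this thread; every name and
sample document below is a constructed assumption, not real account data."""
import fnmatch
from typing import Dict, List

IOT_CREDENTIALS_PRINCIPAL = "credentials.iot.amazonaws.com"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow.
    Actions match case-insensitively, resources case-sensitively; conditions ignored."""
    verdict = False
    for st in _as_list(policy["Statement"]):
        acts = [a.lower() for a in _as_list(st.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in acts):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st.get("Resource", []))):
            continue
        if st.get("Effect") == "Deny":
            return False
        verdict = True
    return verdict


def check_trust_policy(trust: dict) -> List[str]:
    """Navya's point 3: the role must be assumable by the IoT credentials provider."""
    for st in _as_list(trust["Statement"]):
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (st.get("Effect") == "Allow" and IOT_CREDENTIALS_PRINCIPAL in services
                and "sts:AssumeRole" in _as_list(st.get("Action", []))):
            return []
    return [f"trust policy does not allow {IOT_CREDENTIALS_PRINCIPAL} to call sts:AssumeRole"]


def check_role_alias(alias_desc: dict, expected_role_arn: str) -> List[str]:
    """Navya's point 2, on the JSON printed by `aws iot describe-role-alias`."""
    actual = alias_desc["roleAliasDescription"]["roleArn"]
    return [] if actual == expected_role_arn else [f"role alias points at {actual}, expected {expected_role_arn}"]


def check_s3_access(policy: dict, bucket: str, sample_key: str = "example/object.jpg") -> List[str]:
    """ListObjects is authorised by s3:ListBucket on the bucket ARN itself: there is no
    s3:ListObjects IAM action, and a bucket/* resource does not cover the bucket."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    if not allowed(policy, "s3:ListBucket", bucket_arn):
        findings.append(f"s3:ListBucket not allowed on {bucket_arn}, so ListObjects will be denied")
    for action in ("s3:GetObject", "s3:PutObject"):
        if not allowed(policy, action, f"{bucket_arn}/{sample_key}"):
            findings.append(f"{action} not allowed on {bucket_arn}/{sample_key}")
    return findings


def check_bucket_from_env(env: Dict[str, str], var_name: str, expected_bucket: str) -> List[str]:
    """The thread's actual root cause: the component read the wrong variable and so
    talked to a bucket the role was never meant to use. Catch it before the first call."""
    actual = env.get(var_name)
    if actual is None:
        return [f"{var_name} is not set in the component environment"]
    if actual != expected_bucket:
        return [f"{var_name}={actual!r}, but this component should use {expected_bucket!r}"]
    return []


def diagnose(policy, trust, alias_desc, expected_role_arn, env, var_name, expected_bucket) -> List[str]:
    findings = check_trust_policy(trust) + check_role_alias(alias_desc, expected_role_arn)
    findings += check_bucket_from_env(env, var_name, expected_bucket)
    findings += check_s3_access(policy, env.get(var_name, expected_bucket))
    return findings


# --- constructed sample inputs (not real account data) ---
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "iot:DescribeCertificate", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
    "logs:DescribeLogStreams", "s3:GetBucketLocation", "s3:PutObject", "s3:GetObject",
    "s3:ListBucket", "s3:ListObjects", "kinesis:PutRecords"]}]}
# Common mistake once the policy is scoped down: ListBucket granted on bucket/* only.
SCOPED_BAD_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::realite-media/*"}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "credentials.iot.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
EXPECTED_ROLE_ARN = "arn:aws:iam::123456789012:role/RealiteGGTokenAccessRole"
ROLE_ALIAS_DESC = {"roleAliasDescription": {"roleAlias": "greengrass-core-token-exchange-role-alias",
                                            "roleArn": EXPECTED_ROLE_ARN}}
GOOD_ENV = {"MEDIA_BUCKET": "realite-media", "ARCHIVE_BUCKET": "realite-archive"}
BAD_ENV = {"MEDIA_BUCKET": "realite-archive"}  # wrong variable wired into the recipe

if __name__ == "__main__":
    for env in (GOOD_ENV, BAD_ENV):
        print(diagnose(QUESTION_POLICY, TRUST_POLICY, ROLE_ALIAS_DESC, EXPECTED_ROLE_ARN,
                       env, "MEDIA_BUCKET", "realite-media") or "no findings")
```

With the question's `Resource: "*"` policy and a correctly wired environment there are no findings; with the wrong variable the bucket check fires before any S3 call is attempted. Feed `check_s3_access` the scoped-down policy and it reports the `bucket/*` mistake that produces exactly the AccessDenied on ListObjects seen in the question. Note that an AccessDenied can also come from the bucket side (a bucket in another account, or a bucket policy), which no local check on the role can see.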
0

Hi Navya, thanks for your response.

I found the problem; it was just a silly mistake. I referenced the wrong env variable, so it used the wrong bucket.

Answered 2 years ago
