Running AWS CLI commands within a Greengrass component

0

I'm trying to run various AWS CLI commands within my Greengrass component. Even with a maximally permissive policy for my thing I'm running into various errors:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

For aws iot describe-endpoint --endpoint-type iot:CredentialProvider I get the following error from my component:

An error occurred (AccessDeniedException) when calling the DescribeEndpoint operation: User: arn:aws:sts::[REDACTED]:assumed-role/GreengrassV2TokenExchangeRole/[REDACTED] is not authorized to perform: iot:DescribeEndpoint because no identity-based policy allows the iot:DescribeEndpoint action.

For aws iot-data get-thing-shadow --thing-name my_thing --shadow-name my_shadow_name shadow.json I get the error:

An error occurred (ForbiddenException) when calling the GetThingShadow operation: None.

For aws s3 cp --recursive --no-progress "${s3_folder_path}" "${download_folder}":

fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied.

However, aws sts get-caller-identity --query Arn --output text gives the expected correct GreengrassV2TokenExchangeRole role with a certificate containing the policy shown above.

Are these indicative of a particular issue? Is there a way to test if the policy is being applied as I would expect? Are calls with AWS CLI just not supported within Greengrass components?

1 Answer
1
Accepted Answer

Hi,

This is happening because you did not allow your Greengrass device to make those API calls. I believe the policy you pointed out is the IoT Policy and not IAM. You need to edit the IAM role which the IoT Role Alias points to for your Greengrass device. Read more here: https://docs.aws.amazon.com/greengrass/v2/developerguide/device-service-role.html.

Cheers,

Michael

AWS
EXPERT
answered a year ago
profile picture
EXPERT
reviewed a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions