I'm trying to run various AWS CLI commands within my Greengrass component. Even with a maximally permissive policy for my thing I'm running into various errors:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
For aws iot describe-endpoint --endpoint-type iot:CredentialProvider
I get the following error from my component:
An error occurred (AccessDeniedException) when calling the DescribeEndpoint operation: User: arn:aws:sts::[REDACTED]:assumed-role/GreengrassV2TokenExchangeRole/[REDACTED] is not authorized to perform: iot:DescribeEndpoint because no identity-based policy allows the iot:DescribeEndpoint action.
For aws iot-data get-thing-shadow --thing-name my_thing --shadow-name my_shadow_name shadow.json
I get the error:
An error occurred (ForbiddenException) when calling the GetThingShadow operation: None.
For aws s3 cp --recursive --no-progress "${s3_folder_path}" "${download_folder}":
fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied.
However, aws sts get-caller-identity --query Arn --output text
gives the expected correct GreengrassV2TokenExchangeRole
role with a certificate containing the policy shown above.
Are these indicative of a particular issue? Is there a way to test if the policy is being applied as I would expect? Are calls with AWS CLI just not supported within Greengrass components?
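The DescribeEndpoint error above spells out what is being checked: "no identity-based policy allows" the action for the assumed role. For calls the Greengrass component makes with token-exchange credentials, that decision is made by the IAM policies attached to GreengrassV2TokenExchangeRole, not by the AWS IoT policy attached to the thing's certificate; and aws sts get-caller-identity succeeding proves only that credentials were obtained, since that call requires no permissions. The script below is an added example, not code from the question or from AWS: it turns the three error messages (copied here as constructed samples with a placeholder account ID and session name) into the IAM action each call needs, converts the STS assumed-role session ARN into the role ARN, and emits the aws iam simulate-principal-policy command that evaluates the role's identity-based policies. The operation-to-action lookup for GetThingShadow and ListObjectsV2 is an assumed mapping; the IAM subcommands are only executed with --run and are meant to be run from a workstation whose identity is allowed to inspect and simulate the role, which the token-exchange role itself normally is not.

```shell
#!/bin/sh
# Added example (not part of the original post). Derive the IAM actions and the
# simulate-principal-policy command from the errors quoted in the question.

# Constructed sample errors; 123456789012 and "session" are placeholders.
ERR_ENDPOINT='An error occurred (AccessDeniedException) when calling the DescribeEndpoint operation: User: arn:aws:sts::123456789012:assumed-role/GreengrassV2TokenExchangeRole/session is not authorized to perform: iot:DescribeEndpoint because no identity-based policy allows the iot:DescribeEndpoint action.'
ERR_SHADOW='An error occurred (ForbiddenException) when calling the GetThingShadow operation: None.'
ERR_S3='fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied.'

# The API operation named by the CLI ("... when calling the X operation ...").
extract_operation() {
    printf '%s\n' "$1" | sed -n 's/.*when calling the \([A-Za-z0-9]*\) operation.*/\1/p'
}

# The IAM action to simulate. IAM-style denials name it ("not authorized to
# perform: X"); for the others use a small lookup table (assumed mapping).
extract_action() {
    action=$(printf '%s\n' "$1" | sed -n 's/.*not authorized to perform: \([a-zA-Z0-9-]*:[A-Za-z0-9]*\).*/\1/p')
    if [ -n "$action" ]; then
        printf '%s\n' "$action"
        return 0
    fi
    case "$(extract_operation "$1")" in
        GetThingShadow) echo iot:GetThingShadow ;;
        ListObjectsV2)  echo s3:ListBucket ;;     # a recursive cp lists the bucket first
        *) return 1 ;;
    esac
}

# simulate-principal-policy wants the IAM role ARN, not the STS session ARN.
role_arn_from_session() {
    printf '%s\n' "$1" | sed -n 's#^arn:aws:sts::\([0-9]*\):assumed-role/\([^/]*\)/.*#arn:aws:iam::\1:role/\2#p'
}

# Build the command that evaluates the role's identity-based policies.
simulate_command() {
    role=$1
    shift
    printf 'aws iam simulate-principal-policy --policy-source-arn %s --action-names' "$role"
    for a in "$@"; do printf ' %s' "$a"; done
    printf '\n'
}

session_arn=$(printf '%s\n' "$ERR_ENDPOINT" | sed -n 's/.*User: \(arn:aws:sts::[^ ]*\) is not authorized.*/\1/p')
role_arn=$(role_arn_from_session "$session_arn")
actions=$(for e in "$ERR_ENDPOINT" "$ERR_SHADOW" "$ERR_S3"; do extract_action "$e"; done)
cmd=$(simulate_command "$role_arn" $actions)    # $actions is word-split on purpose

if [ "${1:-}" = "--run" ]; then
    # Run from a workstation allowed to inspect and simulate the role.
    aws iam list-attached-role-policies --role-name "${role_arn##*/}"
    aws iam list-role-policies --role-name "${role_arn##*/}"
    $cmd --query 'EvaluationResults[].[EvalActionName,EvalDecision]' --output table
else
    echo "$cmd"
fi
```

Without --run the script only prints the simulate command. If the simulation reports implicitDeny for the three actions, the role simply has no policy granting them, and attaching a role policy (scoped to the specific bucket, thing shadow and endpoint rather than "*") is the fix; the AWS IoT policy on the certificate only needs to allow the role alias exchange that produced the credentials.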