By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Component not deploying on Greengrass Core Device

0

I have a setup where I can get device to use fleet provisioning. The device register fine and can deploy an initial deployment including CLI, ShadowManager, TokenExchangeService, mqtt.Bridge. and Nucleus.

I also have a Python component. When I deploy the component locally (CLI) it all works fine.

I then uploaded a zip file of my component (only the needed Python files) to a S3 bucket. adapted the recipe and tried to deploy it in that initial deployment. In that instance I get the following errors

2022-01-20T11:42:04.864Z [ERROR] (pool-2-thread-11) com.aws.greengrass.tes.CredentialRequestHandler: Error in retrieving AwsCredentials from TES. {iotCredentialsPath=/role-aliases/GGRATokenXchange/credentials, credentialData=TES responded with status code: 400. Caching response. {"message":"Unable to assume the role, or the role to assume does not exist"}}
2022-01-20T11:42:04.882Z [INFO] (pool-2-thread-11) com.aws.greengrass.componentmanager.builtins.S3Downloader: get-bucket-location. task failed and will be retried. {task-attempt=1, componentIdentifier=io.screencloud.SCRDMngt, artifactUri=s3://scrdm.artifacts/io.screencloud.SCRDMngt/1.0.0/scrdm.zip}

With the first message being repeated afterward (There was a stack trace not shown here). Now, GGRATokenXchange is a role alias for GGRTokenXchange with the following policies

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogStreams",
                "iot:Connect",
                "iot:DescribeCertificate",
                "logs:CreateLogGroup",
                "logs:PutLogEvents",
                "s3:ListMultipartUploadParts",
                "iot:Receive",
                "s3:PutObject",
                "logs:CreateLogStream",
                "iot:Subscribe",
                "s3:AbortMultipartUpload",
                "s3:GetBucketLocation",
                "iot:Publish"
            ],
            "Resource": "*"
        }
    ]
}

and

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::scrdm.artifacts/*"
        }
    ]
}

with scrdm.artifacts the name of the bucket where my component is stored. You'll notice the "s3:GetBucketLocation".

effectiveConfig.yaml seem to have the proper thing name and paths

Can someone please tell me what I am doing wrong?

TIA François

asked 3 years ago731 views
2 Answers
1

What does the AWS IoT Core policy contain that is associated with the core devices certificate? Specifically, do you have the following included:

{
    "Effect": "Allow",
    "Action": "iot:AssumeRoleWithCertificate",
    "Resource": "arn:aws:iot:region:account-id:rolealias/token-exchange-role-alias-name"
},

This allows the TES component access to the AWS IoT Role Alias. More details can be found here.

Let me know if that helps!

AWS
answered 3 years ago
  • Thanks for your comment.

    The policy attached to the certificate generated when the device registered is:

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish", "iot:Subscribe", "iot:Connect", "iot:Receive" ], "Resource": [ "" ] }, { "Effect": "Allow", "Action": [ "iot:GetThingShadow", "iot:UpdateThingShadow", "iot:DeleteThingShadow" ], "Resource": [ "" ] }, { "Effect": "Allow", "Action": [ "greengrass:" ], "Resource": [ "" ] }, { "Effect": "Allow", "Action": "iot:AssumeRoleWithCertificate", "Resource": "arn:aws:iot:us-east-2:xxxxxxxxxxxx:rolealias/GGRATokenXchange" }, { "Effect": "Allow", "Action": [ "s3:" ], "Resource": [ "" ] } ] }

    It has the bit about AssumeRoleWithCertificate

0

Setup a new a account and now it works. Don't ask why.

answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions