I have a setup where I can get a device to use fleet provisioning. The device registers fine and can deploy an initial deployment including CLI, ShadowManager, TokenExchangeService, mqtt.Bridge, and Nucleus.
I also have a Python component. When I deploy the component locally (CLI) it all works fine.
I then uploaded a zip file of my component (only the needed Python files) to an S3 bucket, adapted the recipe and tried to deploy it in that initial deployment. In that instance I get the following errors:
2022-01-20T11:42:04.864Z [ERROR] (pool-2-thread-11) com.aws.greengrass.tes.CredentialRequestHandler: Error in retrieving AwsCredentials from TES. {iotCredentialsPath=/role-aliases/GGRATokenXchange/credentials, credentialData=TES responded with status code: 400. Caching response. {"message":"Unable to assume the role, or the role to assume does not exist"}}
2022-01-20T11:42:04.882Z [INFO] (pool-2-thread-11) com.aws.greengrass.componentmanager.builtins.S3Downloader: get-bucket-location. task failed and will be retried. {task-attempt=1, componentIdentifier=io.screencloud.SCRDMngt, artifactUri=s3://scrdm.artifacts/io.screencloud.SCRDMngt/1.0.0/scrdm.zip}
The first message is repeated afterward (there was a stack trace, not shown here).
Now, GGRATokenXchange is a role alias for GGRTokenXchange with the following policies:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogStreams",
        "iot:Connect",
        "iot:DescribeCertificate",
        "logs:CreateLogGroup",
        "logs:PutLogEvents",
        "s3:ListMultipartUploadParts",
        "iot:Receive",
        "s3:PutObject",
        "logs:CreateLogStream",
        "iot:Subscribe",
        "s3:AbortMultipartUpload",
        "s3:GetBucketLocation",
        "iot:Publish"
      ],
      "Resource": "*"
    }
  ]
}
and
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::scrdm.artifacts/*"
    }
  ]
}
where scrdm.artifacts is the name of the bucket in which my component is stored. You'll notice the "s3:GetBucketLocation".
effectiveConfig.yaml seems to have the proper thing name and paths.
Can someone please tell me what I am doing wrong?
TIA
François
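Added example, not code from the original post: a small, simplified IAM policy evaluator (Condition, NotAction and NotResource are deliberately unsupported, which is an assumed simplification) run over constructed copies of the two GGRTokenXchange policies above. It checks whether they cover the two S3 calls the S3Downloader log line implies, the get-bucket-location lookup on the bucket and the GetObject on the artifact key, so you can separate "the role lacks S3 permissions" from "the role could not be assumed at all".

```python
import fnmatch

# Constructed, minimal copies of the two policy documents attached to the
# GGRTokenXchange role in the post (not the poster's exact files).
ROLE_POLICIES = [
    {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetBucketLocation", "s3:ListMultipartUploadParts",
                   "s3:PutObject", "s3:AbortMultipartUpload", "iot:Connect"],
        "Resource": "*"}]},
    {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::scrdm.artifacts/*"}]},
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policies, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants. Actions match case-insensitively, resources case-sensitively."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
                raise ValueError("unsupported statement element in %r" % stmt)
            act_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                          for a in _as_list(stmt["Action"]))
            res_hit = any(fnmatch.fnmatchcase(resource, r)
                          for r in _as_list(stmt["Resource"]))
            if act_hit and res_hit:
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

def missing_for_artifact(policies, bucket, key):
    """Return the (action, resource) pairs the Greengrass S3 artifact download
    needs that the policies do not grant: the bucket-location lookup seen in
    the log, then the object fetch itself. Empty list means the role policies
    are not what blocks the download."""
    needed = [
        ("s3:GetBucketLocation", "arn:aws:s3:::%s" % bucket),
        ("s3:GetObject", "arn:aws:s3:::%s/%s" % (bucket, key)),
    ]
    return [n for n in needed if not is_allowed(policies, *n)]
```

For the artifactUri in the log, `missing_for_artifact(ROLE_POLICIES, "scrdm.artifacts", "io.screencloud.SCRDMngt/1.0.0/scrdm.zip")` returns an empty list, so with these policies the role itself has the S3 side covered.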
Thanks for your comment.
The policy attached to the certificate generated when the device registered is:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Connect",
        "iot:Receive"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:GetThingShadow",
        "iot:UpdateThingShadow",
        "iot:DeleteThingShadow"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "greengrass:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:AssumeRoleWithCertificate",
      "Resource": "arn:aws:iot:us-east-2:xxxxxxxxxxxx:rolealias/GGRATokenXchange"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
It has the bit about AssumeRoleWithCertificate.