Permission issue with boto3 on greengrass v2 device

0

Hi there,

I have this error:

An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied. {scriptName=services.media_camera.lifecycle.Run, serviceName=media_camera, currentState=RUNNING}

Here is my token-exchange-role:

RealiteGGTokenAccessPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: "realite-greengrassv2-token-exchange-access-policy"
      Description: "Allow gg device core to use AWS backend services"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - iot:DescribeCertificate
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
              - logs:DescribeLogStreams
              - s3:GetBucketLocation
              - s3:PutObject
              - s3:GetObject
              - s3:ListBucket
              - s3:ListObjects   # not a real IAM action; the ListObjects API call is authorised by s3:ListBucket above
              - kinesis:PutRecords

            Resource: "*"

          - Effect: Allow
            Action:
              - secretsmanager:GetSecretValue
            Resource:
              - Fn::ImportValue: !Sub ${EnvironmentTag}:RealiteSecretsCameraCredentialsSecret
      Roles:
        - !Ref RealiteGGTokenAccessRole

I wonder where that permission could come from.

Thanks for your help.

Asked 2 years ago, viewed 437 times
4 answers
2

Hi there. Has this policy been attached to your token-exchange role? If not, attach it and retry. If it is attached, maybe try attaching the AmazonS3FullAccess policy to your role for test purposes to see if it can successfully list objects from S3 with that policy attached. If yes, it's a good start to further investigate what's wrong with your policy. If not, you probably need to check issues like whether your device is using the correct alias pointing to the correct role, etc.

Lihao
Answered 2 years ago
0

Hi Lihao,

I have double checked and it looks like everything is correctly configured: the thing cert is attached to an IoT policy which assumes the token-exchange role via an IoT role alias. I also added s3:* to the policy and the role.

Also, the device can provision itself, and it can send data to AWS IoT.

Here is the thing policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive",
        "iot:Connect",
        "greengrass:*",
        "s3:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:AssumeRoleWithCertificate",
      "Resource": [
        "arn:aws:iot:::rolealias/greengrass-core-token-exchange-role-alias"
      ]
    }
  ]
}
Answered 2 years ago
0

Hi,

Thank you for sharing more details. Your IoT Thing policy looks correct. Can you confirm that:

  1. the token exchange role policy is correctly formatted
  2. the IoT role alias is attached to the correct IAM role with the correct role ARN
  3. the IAM token exchange role has the right trust policy to allow the role to be assumed (example policy from the docs listed below)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "credentials.iot.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Thanks,
Navya.

AWS
Answered 2 years ago
0

Hi Navya, thanks for your response.

I found the problem; it was just a silly mistake. I referenced the wrong env variable, so it used the wrong bucket.

Answered 2 years ago
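The three items in Navya's checklist (role alias resolves to the right role, the role trusts credentials.iot.amazonaws.com, the permissions policy actually covers the bucket) plus the trap the asker hit (the bucket name comes from an environment variable, so the code can silently target a different bucket than the one you scoped the policy to) can be checked offline before you start attaching AmazonS3FullAccess. The script below is an added example, not code from the thread or from AWS; it evaluates constructed sample documents shaped like the `iot describe-role-alias` response and the IAM policy JSON shown above. The bucket names, the account ID and the `MEDIA_BUCKET` variable name are assumptions. Note that the ListObjects/ListObjectsV2 API call is authorised by `s3:ListBucket` on the bucket ARN; `s3:ListObjects` as written in the asker's policy is not a real IAM action.

```python
"""Offline checks for a Greengrass v2 token-exchange chain:
role alias -> IAM role -> trust policy -> permissions policy -> bucket from env.
Added example, not from the original thread. Feed it live documents from
iot.describe_role_alias / iam.get_role / iam.get_policy_version to check an account."""
import fnmatch
import os
from typing import Mapping, Sequence

IOT_CREDENTIALS_PRINCIPAL = "credentials.iot.amazonaws.com"


def _as_list(value):
    """IAM lets Statement/Action/Resource/Service be a single item or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _iam_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style wildcard match ('*' and '?'); actions are case-insensitive, ARNs are not."""
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def alias_points_to_role(alias_description: Mapping, expected_role_arn: str) -> bool:
    """Checklist item 2: the role alias resolves to the IAM role you think it does."""
    return alias_description.get("roleArn") == expected_role_arn


def trust_policy_allows_iot_credentials(trust_policy: Mapping) -> bool:
    """Checklist item 3: credentials.iot.amazonaws.com may call sts:AssumeRole on the role."""
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and IOT_CREDENTIALS_PRINCIPAL in services and any(
            _iam_match(a, "sts:AssumeRole", ignore_case=True) for a in _as_list(stmt.get("Action"))
        ):
            return True
    return False


def policy_decision(policies: Sequence[Mapping], action: str, resource: str) -> str:
    """Evaluate identity policies for one action/resource: 'deny', 'allow' or 'implicit-deny'.
    Assumption: no Condition/NotAction/NotResource (refuse rather than guess)."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if "NotAction" in stmt or "NotResource" in stmt or stmt.get("Condition"):
                raise ValueError("unsupported element; use iam:SimulatePrincipalPolicy instead")
            action_hit = any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action")))
            resource_hit = any(_iam_match(r, resource, False) for r in _as_list(stmt.get("Resource")))
            if not (action_hit and resource_hit):
                continue
            if stmt.get("Effect") == "Deny":
                return "deny"  # explicit deny always wins
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "allow" if allowed else "implicit-deny"


def can_list_bucket(policies: Sequence[Mapping], bucket: str) -> bool:
    """ListObjects(V2) needs s3:ListBucket on the bucket ARN itself, not on bucket/*."""
    return policy_decision(policies, "s3:ListBucket", f"arn:aws:s3:::{bucket}") == "allow"


def resolve_bucket(var_name: str, environ: Mapping[str, str] = os.environ) -> str:
    """The bucket the component will really hit. Fail loudly on an unset/empty variable
    instead of letting a typo in the variable name select the wrong bucket."""
    bucket = environ.get(var_name, "").strip()
    if not bucket:
        raise KeyError(f"{var_name} is not set; refusing to guess a bucket")
    return bucket


def run_checks(alias_description, role_arn, trust_policy, policies, bucket) -> list:
    """Return human-readable findings; an empty list means the chain looks consistent."""
    findings = []
    if not alias_points_to_role(alias_description, role_arn):
        findings.append(f"role alias resolves to {alias_description.get('roleArn')!r}, expected {role_arn!r}")
    if not trust_policy_allows_iot_credentials(trust_policy):
        findings.append(f"trust policy does not let {IOT_CREDENTIALS_PRINCIPAL} assume the role")
    if not can_list_bucket(policies, bucket):
        findings.append(f"no s3:ListBucket allow covers arn:aws:s3:::{bucket}")
    return findings


# Constructed samples (assumed names/IDs), shaped like the documents in the thread.
SAMPLE_ROLE_ARN = "arn:aws:iam::123456789012:role/RealiteGGTokenAccessRole"
SAMPLE_ALIAS = {"roleAlias": "greengrass-core-token-exchange-role-alias", "roleArn": SAMPLE_ROLE_ARN}
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": IOT_CREDENTIALS_PRINCIPAL}, "Action": "sts:AssumeRole"}]}
# Scoped to one bucket: a wrong MEDIA_BUCKET value now shows up as an IAM finding.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::realite-media-prod"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::realite-media-prod/*"}]}

if __name__ == "__main__":
    env = {"MEDIA_BUCKET": "realite-media-prod", "MEDIA_BUCKET_DEV": "realite-media-dev"}
    for var in ("MEDIA_BUCKET", "MEDIA_BUCKET_DEV"):  # second one mimics the wrong-variable bug
        print(var, run_checks(SAMPLE_ALIAS, SAMPLE_ROLE_ARN, SAMPLE_TRUST, [SCOPED_POLICY], resolve_bucket(var, env)))
```

With `Resource: "*"` as in the asker's policy the IAM check passes for every bucket, which is exactly why the wrong-variable mistake stayed invisible on the IAM side; scoping `s3:ListBucket` to the intended bucket ARN makes the same mistake fail the offline check.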
