Hi there
Has this policy been attached to your token-exchange-role?
If not, attach it and retry. If it is attached, maybe try attaching the AmazonS3FullAccess policy to your role for test purposes to see if it successfully lists objects from S3 with the policy attached.
If yes, it's a good start to further investigate what's wrong with your policy. If not, you probably need to check issues like if your device is using the correct alias pointing to the correct role, etc.
Hi Lihao,
I have double-checked and it looks like everything is correctly configured; the thing cert is attached to an IoT policy which assumes the role of the token-exchange via an IoT alias. I also added s3:* to the policy and the role.
Also, the device can provision itself, and it can send data to AWS IoT.
Here is the thing policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive",
        "iot:Connect",
        "greengrass:*",
        "s3:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:AssumeRoleWithCertificate",
      "Resource": [
        "arn:aws:iot:::rolealias/greengrass-core-token-exchange-role-alias"
      ]
    }
  ]
}
Hi,
Thank you for sharing more details. Your IoT Thing policy looks correct. Can you confirm that
- the token exchange role policy is correctly formatted
- the IoT role alias is attached to the correct IAM role with the correct role ARN
- the IAM token exchange role has the right trust policy to assume role (example policy from docs listed below)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "credentials.iot.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Thanks,
Navya.
Hi Navya, thanks for your response.
I found the problem; it was just a silly mistake. I referenced the wrong env variable, so it used the wrong bucket.
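
The three links the replies ask about (thing policy, role trust policy, and role permissions for the bucket actually in use) can be checked offline from the policy JSON. This is an added example, not part of the original posts and not AWS code; `check_chain`, the role policy and the bucket names are constructed for illustration, and the matcher is a simplification that ignores Deny statements and Conditions.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource):
    """True if an Allow statement covers action on resource (Deny/Condition ignored)."""
    for st in _as_list(policy.get("Statement", [])):
        acts = _as_list(st.get("Action", []))
        ress = _as_list(st.get("Resource", []))
        # IAM action names are case-insensitive; resource ARNs are not.
        if (st.get("Effect") == "Allow"
                and any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in acts)
                and any(fnmatch.fnmatchcase(resource, r) for r in ress)):
            return True
    return False

def trusts_iot_credentials(trust_policy):
    """True if credentials.iot.amazonaws.com may call sts:AssumeRole on the role."""
    for st in _as_list(trust_policy.get("Statement", [])):
        p = st.get("Principal", {})
        services = _as_list(p.get("Service", [])) if isinstance(p, dict) else []
        ok_action = "sts:AssumeRole" in _as_list(st.get("Action", []))
        if st.get("Effect") == "Allow" and ok_action and "credentials.iot.amazonaws.com" in services:
            return True
    return False

def check_chain(thing_policy, trust_policy, role_policy, alias_arn, bucket):
    """Return a list of findings; an empty list means every link checks out."""
    findings = []
    if not allows(thing_policy, "iot:AssumeRoleWithCertificate", alias_arn):
        findings.append("thing policy: no iot:AssumeRoleWithCertificate on role alias")
    if not trusts_iot_credentials(trust_policy):
        findings.append("trust policy: credentials.iot.amazonaws.com cannot assume role")
    if not allows(role_policy, "s3:ListBucket", "arn:aws:s3:::" + bucket):
        findings.append("role policy: no s3:ListBucket on bucket " + bucket)
    return findings

# ALIAS, THING and TRUST mirror the thread; ROLE and the bucket names are constructed.
ALIAS = "arn:aws:iot:::rolealias/greengrass-core-token-exchange-role-alias"
THING = {"Statement": [{"Effect": "Allow", "Action": "iot:AssumeRoleWithCertificate",
                        "Resource": [ALIAS]}]}
TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                        "Principal": {"Service": "credentials.iot.amazonaws.com"}}]}
ROLE = {"Statement": [{"Effect": "Allow", "Action": "s3:ListBucket",
                       "Resource": "arn:aws:s3:::example-data-bucket"}]}
if __name__ == "__main__":
    for name in ("example-data-bucket", "example-wrong-bucket"):
        print(name, check_chain(THING, TRUST, ROLE, ALIAS, name) or "OK")
```

Pass the bucket name exactly as the component resolves it at runtime (for example, from its environment variable), so a mismatch between the configured bucket and the role's scope shows up as a finding.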