Unable to deploy custom component to core device

0

Greetings,

I am relatively new to Greengrass, and I'm having trouble understanding an error message I am receiving. I have tried looking online for similar issues, however I haven't found any.

I have created some custom components that should subscribe to messages on a topic (by following the instructions from this link: https://docs.aws.amazon.com/greengrass/v2/developerguide/ipc-publish-subscribe.html), however when deploying any of these components to a core device, the deployment doesn't complete and I am getting the following error from greengrass.log:

(pool-2-thread-39) com.aws.greengrass.tes.CredentialRequestHandler: Error in retrieving AwsCredentials from TES. {iotCredentialsPath=/role-aliases/******/credentials, credentialData=TES responded with status code: 403. Caching response. {"message":"Invalid thing name passed"}}

The artifacts and the recipes of the components can be found on the link above, as the only things I have edited are the locations of the artifacts in the S3 buckets, and the name of the topics to subscribe to. I don't understand what thing name the CredentialRequestHandler considers invalid, as I have not specified any thing names in the components that I tried to deploy. I also checked that the core device does indeed have my credentials stored in a file in the .aws folder, and a policy that grants it access to the S3 bucket.

What am I doing wrong?

Albogd
Asked 3 years ago, 1008 views
1 Answer
0
Accepted Answer

Hi Albogd,

How did you configure Greengrass when installing? Is the certificate that Greengrass is using associated with the correct IoT thing?

Greengrass does not use the credentials from the .aws folder. We do not recommend that you store credentials on the device itself. Instead, Greengrass uses an IoT role alias (which is associated to an IAM role ARN) for accessing AWS services. When Greengrass makes a call to an AWS service (such as S3), it gets credentials from the AWS IoT Credential Provider. Greengrass adds the HTTP header x-amzn-iot-thingname to the request and uses the ThingName from the Greengrass configuration.

You can check your /greengrass/v2/config/effectiveConfig.yaml to see what ThingName is being used by Greengrass or look for a log line like:

com.aws.greengrass.deployment.IotJobsHelper: Connection established to IoT cloud. {ThingName=<YOUR_THING_NAME>}

The AWS IoT documentation on authorizing access to AWS (https://docs.aws.amazon.com/iot/latest/developerguide/authorizing-direct-aws.html#authorizing-direct-aws.walkthrough) mentions the following:

The ThingName that you provide in x-amzn-iot-thingname must match the name of the AWS IoT Thing resource assigned to a cert. If it doesn't match, a 403 error is returned.

This appears to be the error that you are seeing - which can indicate that the certificate and ThingName in the request do not match.

AWS
Rob
Answered 3 years ago
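The check described in the answer above, as an added example that is not part of the original thread or AWS code: it reads the ThingName Greengrass is configured with, counts the TES 403 rejections in the log, and compares the name against the things attached to the device certificate. The function names, the sample config and log text, and the thing names are constructed; the `cert_things` list is assumed to be gathered separately, for example with `aws iot list-principal-things --principal <certificate ARN>`.

```python
import re

# Constructed samples in the shape of effectiveConfig.yaml and greengrass.log.
SAMPLE_CONFIG = """\
system:
  certificateFilePath: "/greengrass/v2/thingCert.crt"
  thingName: "ExampleCoreA"
services:
  aws.greengrass.Nucleus:
    configuration:
      iotRoleAlias: "ExampleRoleAlias"
"""
SAMPLE_LOG = [
    "com.aws.greengrass.deployment.IotJobsHelper: Connection established "
    "to IoT cloud. {ThingName=ExampleCoreA}",
    "com.aws.greengrass.tes.CredentialRequestHandler: Error in retrieving "
    "AwsCredentials from TES. {credentialData=TES responded with status "
    'code: 403. Caching response. {"message":"Invalid thing name passed"}}',
]

THING_IN_CONFIG = re.compile(r'^\s+thingName:\s*"?([^"\s]+)"?\s*$', re.M)
THING_IN_LOG = re.compile(r"IotJobsHelper: .*\{ThingName=([^}]+)\}")


def configured_thing_name(config_text):
    """Return the thingName value from the config text, or None."""
    m = THING_IN_CONFIG.search(config_text)
    return m.group(1) if m else None


def diagnose(config_text, log_lines, cert_things):
    """Compare the name Greengrass sends with the things on the certificate.

    cert_things is supplied by the operator: the thing names attached to the
    device certificate in AWS IoT (an input, not looked up by this code).
    """
    name = configured_thing_name(config_text)
    logged = {m.group(1) for l in log_lines if (m := THING_IN_LOG.search(l))}
    rejections = sum(
        "CredentialRequestHandler" in l and "status code: 403" in l
        and "Invalid thing name passed" in l for l in log_lines)
    return {
        "configured": name,
        "logged": sorted(logged),
        "tes_403_count": rejections,
        "name_on_certificate": name in set(cert_things),
        "config_matches_log": not logged or logged == {name},
    }
```

A result with `tes_403_count` above zero and `name_on_certificate` false corresponds to the mismatch the answer describes: the configured ThingName is not a thing attached to the certificate Greengrass presents.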
