Hi,
The problem is that get-session-token
does not allow any calls to IAM unless MFA authentication information is provided as part of the request as described in the documentation here: https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html.
You can use long lived credentials, pass MFA authentication to STS, or use one of the other supported provisioning methods such as fleet provisioning https://docs.aws.amazon.com/greengrass/v2/developerguide/fleet-provisioning.html or JITP https://docs.aws.amazon.com/iot/latest/developerguide/jit-provisioning.html
You can also create and later deactivate long term credentials as another possibility.
Confirmed solution. When using the MFA token in getting temp creds, I am able to provision. (I think GG docs should be updated to say this is required.) I did however have to pass the creds using the system properties method. Environmental vars still didn't work. I can live with that.
I wanted to add a Thank you Michael for working through this with me. I really appreciate it.
You're very welcome, sorry it took so long to get to the bottom of it, but I'm glad that we found a solution for you (MFA). I'll also check with our docs team about adding this information.
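The accepted fix end to end, as an added example that is not code from the thread or from AWS: it mints the session token with MFA, runs a cheap IAM read as a preflight for the exact 403 seen in this thread, and hands the result to the installer as Java system properties. It assumes the AWS CLI v2 is on PATH, that the installer reads the AWS SDK for Java system properties aws.accessKeyId, aws.secretAccessKey and aws.sessionToken (the "system properties method" mentioned above), and that MFA_SERIAL holds your MFA device ARN.

```shell
#!/bin/sh
# Added example, not code from the thread or from AWS. Mint an MFA-backed
# STS session and pass it to the Greengrass installer as Java system
# properties (the "system properties method" from the accepted answer).
# Assumptions: AWS CLI v2 on PATH; the installer honours the AWS SDK for Java
# system properties aws.accessKeyId / aws.secretAccessKey / aws.sessionToken;
# MFA_SERIAL holds the ARN of the caller's MFA device.
set -e

AWS_CLI=${AWS_CLI:-aws}   # overridable so the flow can be exercised offline

# GetSessionToken WITH --serial-number/--token-code. Without them the token
# works for S3 etc. but STS refuses IAM calls, which is exactly what
# "--provision true" needs when it attaches the TES role policy.
mint_mfa_session() {   # $1 = MFA device ARN, $2 = current TOTP code
    "$AWS_CLI" sts get-session-token \
        --serial-number "$1" --token-code "$2" --duration-seconds 3600 \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text   # one line: AK<TAB>SK<TAB>TOKEN
}

# Cheapest IAM read that mirrors the installer's failing step ("looking up
# managed policy"). A 403 "security token ... is invalid" here means the
# session was minted without MFA; stop before touching the device.
preflight_iam() {   # $1 $2 $3 = access key id, secret key, session token
    AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3" \
        "$AWS_CLI" iam list-policies --scope AWS --max-items 1 >/dev/null
}

# Render the triple as the -D flags the installer reads; refuse partial input
# so a missing session token never silently falls back to long-lived keys.
installer_cred_args() {   # $1 $2 $3 as above
    [ $# -eq 3 ] && [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] || return 1
    printf '%s %s %s\n' "-Daws.accessKeyId=$1" \
        "-Daws.secretAccessKey=$2" "-Daws.sessionToken=$3"
}

# Usage: MFA_SERIAL=arn:aws:iam::123456789012:mfa/me main 123456
main() {
    : "${MFA_SERIAL:?set MFA_SERIAL to your MFA device ARN}"
    set -- $(mint_mfa_session "$MFA_SERIAL" "$1")   # split the tab-separated line
    preflight_iam "$1" "$2" "$3"
    args=$(installer_cred_args "$1" "$2" "$3")   # unquoted below on purpose
    sudo -E java -Droot="/greengrass/v2" -Dlog.store=FILE $args \
        -jar ./GreengrassInstaller/lib/Greengrass.jar --aws-region us-east-1 \
        --thing-name Thing1 --thing-group-name Goup1 \
        --component-default-user ggc_user:ggc_group --provision true \
        --setup-system-service true --deploy-dev-tools true
}
```

The preflight fails fast with the same "security token included in the request is invalid" message the installer prints, so a session minted without MFA is caught before the device is touched.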
A few points for you to consider:
1/ I am assuming you are following the guidelines as in this documentation, but re-checking. https://docs.aws.amazon.com/greengrass/v2/developerguide/quick-installation.html#provide-installer-aws-credentials
2/ Can you try provisioning with an IAM user's set of credentials temporarily with the AdministratorAccess IAM policy (you can remove after Greengrass has successfully provisioned).
3/ Follow the Troubleshooting AWS IoT Greengrass guide. It has a specific section for the case where temporary credentials fail: https://docs.aws.amazon.com/greengrass/v2/developerguide/troubleshooting.html
Yes on all 3.
On #2, see my comment that I confirm the devices are provisioning when using the long term creds of the user. But not when using temporary. On #3, see my comment that the temp credentials are in fact being applied correctly. The devices can use those temp credentials to do other things, like list S3 buckets, etc. They just can't autoprovision.
Hey AWS-Frenzy - to help us try to reproduce your issue, can you provide some of the exact steps you're following, as well as the provisioning command you're using? Thanks
For JoeAtAWS:
I am using the standard command that is generated when creating a new Greengrass device:
sudo -E java -Droot="/greengrass/v2" -Dlog.store=FILE -jar ./GreengrassInstaller/lib/Greengrass.jar --aws-region us-east-1 --thing-name Thing1 --thing-group-name Goup1 --component-default-user ggc_user:ggc_group --provision true --setup-system-service true --deploy-dev-tools true
Sorry Joe, you asked for exact steps. I'll list them out.
That is when I get the error: "Attaching TES role policy to IoT thing... Exiting due to unexpected error while looking up managed policy - The security token included in the request is invalid (Service: Iam, Status Code: 403"
Do you have credentials on the device in some other way in addition to the environment variables? For example, a profile file in ~/.aws/credentials, EC2 instance credentials, or SSM credentials?
Negative. There are no other credentials on these devices other than what we added to the exported vars.
I ask this kindly to anyone at AWS, can you simply try to provision your own device using temp credentials and see if it works with the current Nucleus code?