Manage Greengrass-V2 Components in central account

I'm currently trying to create a component in a tenant account using the artifact packaged in a central account S3 bucket. The tenant account and central account are in the same AWS Organization. I've tried the following settings to enable the tenant accounts to access the S3 bucket:

  1. On the central account S3 bucket (I wasn't sure what Principal Service/User was trying to test this access, so I just "shotgunned" it):
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "greengrass.amazonaws.com",
                        "iot.amazonaws.com",
                        "credentials.iot.amazonaws.com"
                    ]
                },
                "Action": [
                    "s3:GetObject",
                    "s3:GetObjectVersion"
                ],
                "Resource": "arn:aws:s3:::MY-CENTRAL-ACCOUNT-BUCKET/*"
            },
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "*"
                },
                "Action": [
                    "s3:GetObject",
                    "s3:GetObjectVersion",
                    "s3:GetObjectTorrent",
                    "s3:GetObjectVersionAcl",
                    "s3:GetObjectAcl"
                ],
                "Resource": "arn:aws:s3:::MY-CENTRAL-ACCOUNT-BUCKET/*",
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalOrgID": "o-abc123def456"
                    }
                }
            },
            ...
        ]
    }
    
  2. On the GreengrassV2TokenExchangeRole in the tenant account, I've added the AmazonS3FullAccess AWS Managed policy (just to see if I could eliminate this Role as the blocker)

I've verified that, as a User in the tenant account, I have access to the object in S3 and can do aws s3 cp as a tenant User (so the bucket policy doesn't seem to be blocking things).

Whenever I try creating the Component in the tenant account, I'm met with:

Invalid Input: Encountered following errors in Artifacts: {s3://MY-CENTRAL-ACCOUNT-BUCKET/com.example.my-component-name/1.0.0-dev.0/application.zip = Specified artifact resource cannot be accessed}

... using either the AWS IoT Greengrass Console or the AWS CLI.

What am I missing? Is there a different service-linked role I should be allowing in the S3 Bucket Resource Policy?

It just seems like an access-test during Component creation and not an actual attempt to access the resource. I'm fairly certain if I assumed the Greengrass-TES role, I'd be able to download the artifact too (although I haven't explicitly done that yet).

  • More things that don't work:

    1. I've tried using a presigned URL (just to see if it's even possible) - doesn't work
    2. I've tried adding the following other service principals: ["automation.amazonaws.com","iam.amazonaws.com","credentials.iot.amazonaws.com","iotanalytics.amazonaws.com","account.amazonaws.com","iotevents.amazonaws.com","iotthingsgraph.amazonaws.com","iot.amazonaws.com","access-analyzer.amazonaws.com","greengrass.amazonaws.com","iotsitewise.amazonaws.com"] - don't work
    3. I have updated the S3 Bucket Policy to add s3:ListBucket to all the attempted service principals.
  • I've confirmed using the aws cli that if I assume the GreengrassV2TokenExchangeRole in a tenant account, I can both s3:GetObject and s3:ListBucket on the artifact in the central account.

  • I even made the artifact bucket public with public access and still can't create a component using the artifact...

  • The issue seems to be that my buckets are in us-east-2 and I'm trying to create the components in IoT-Core us-east-1... even within the same account I can't use an artifact from a bucket in us-east-2 to create a component in IoT-Core us-east-1.

  • Turns out this is purely a region issue. A cross-account S3 bucket can be used to create a component as long as the bucket is in the same region as the IoT-Core you're working in... is this a known thing that I missed?

Casey
asked 2 years ago · 407 views
1 Answer
Accepted Answer

Cross account artifacts do seem to work as long as the S3 bucket and IoT-Core regions match. Trying to create a Component in us-east-1 using an artifact from an S3 bucket in us-east-2 does not work (no matter which account the S3 bucket lives in...).

@AWS is this a known issue and are there plans to fix this? It doesn't seem like desirable behavior. For now I'll set up cross-region replication in my central account I guess...

Casey
answered 2 years ago
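Both the question and the accepted answer land on the same two points: the artifact bucket has to sit in the same region as the IoT Core / Greengrass endpoint the component is created in, and the bucket policy does not need to be opened to the world to let other accounts in the organization read artifacts. The pre-flight script below is an added example, not code from the original post or from AWS; it checks a recipe's artifact buckets against the target region before any `CreateComponentVersion` call and emits a bucket policy scoped with `aws:PrincipalOrgID`. The recipe, the bucket name and the org ID are constructed placeholders (the last two reuse the thread's own placeholders), and the region lookup is passed in as a callable so the logic runs offline; in real use you would wrap boto3's `s3.get_bucket_location` (an assumption about how you would wire it, not shown here).

```python
"""Pre-flight checks for cross-account Greengrass V2 component artifacts.

Added example (not from the original post). It encodes the two findings of
the thread: the artifact bucket must be in the same region as the Greengrass
endpoint, and cross-account read access can be limited to one AWS Organization
instead of a public bucket. All names below are constructed placeholders.
"""
from __future__ import annotations

import json
from typing import Callable, List, Optional
from urllib.parse import urlparse

# Constructed recipe fragment in the shape of a Greengrass V2 recipe; the
# artifact URI mirrors the one in the error message from the question.
SAMPLE_RECIPE = {
    "RecipeFormatVersion": "2020-01-25",
    "ComponentName": "com.example.my-component-name",
    "ComponentVersion": "1.0.0-dev.0",
    "Manifests": [
        {
            "Platform": {"os": "linux"},
            "Artifacts": [
                {"URI": "s3://MY-CENTRAL-ACCOUNT-BUCKET/com.example.my-component-name/1.0.0-dev.0/application.zip"}
            ],
        }
    ],
}


def normalize_location(location: Optional[str]) -> str:
    """Map a GetBucketLocation LocationConstraint value to a region name.

    S3 returns None for buckets in us-east-1 and the legacy value "EU" for
    eu-west-1, so the raw value cannot be compared to a region string directly.
    """
    if not location:
        return "us-east-1"
    if location == "EU":
        return "eu-west-1"
    return location


def artifact_buckets(recipe: dict) -> List[str]:
    """Return the distinct S3 bucket names referenced by a recipe's artifacts."""
    buckets: List[str] = []
    for manifest in recipe.get("Manifests", []):
        for artifact in manifest.get("Artifacts", []):
            parsed = urlparse(artifact.get("URI", ""))
            if parsed.scheme == "s3" and parsed.netloc and parsed.netloc not in buckets:
                buckets.append(parsed.netloc)
    return buckets


def check_artifact_regions(recipe: dict, target_region: str,
                           region_of: Callable[[str], Optional[str]]) -> List[str]:
    """Return a list of problems; an empty list means the region check passes.

    `region_of` maps a bucket name to its LocationConstraint. In real use wrap
    s3.get_bucket_location; here the test passes a dict lookup (assumption).
    """
    problems: List[str] = []
    for bucket in artifact_buckets(recipe):
        region = normalize_location(region_of(bucket))
        if region != target_region:
            problems.append(
                f"bucket {bucket} is in {region} but the component is being created in {target_region}"
            )
    return problems


def org_scoped_bucket_policy(bucket: str, org_id: str) -> dict:
    """Bucket policy granting read access only to principals inside one Organization.

    The wildcard principal is narrowed by aws:PrincipalOrgID, and ListBucket is
    granted on the bucket ARN itself (it is a bucket-level action, not bucket/*).
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    in_org = {"StringEquals": {"aws:PrincipalOrgID": org_id}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "OrgReadObjects", "Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": ["s3:GetObject", "s3:GetObjectVersion"],
             "Resource": f"{bucket_arn}/*", "Condition": in_org},
            {"Sid": "OrgListBucket", "Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": "s3:ListBucket", "Resource": bucket_arn, "Condition": in_org},
        ],
    }


if __name__ == "__main__":
    # Stand-in for s3.get_bucket_location(Bucket=...)["LocationConstraint"].
    fake_locations = {"MY-CENTRAL-ACCOUNT-BUCKET": "us-east-2"}
    for problem in check_artifact_regions(SAMPLE_RECIPE, "us-east-1", fake_locations.get):
        print("BLOCKED:", problem)
    print(json.dumps(org_scoped_bucket_policy("MY-CENTRAL-ACCOUNT-BUCKET", "o-abc123def456"), indent=2))
```

Running the stand-alone block reproduces the thread's failure case (bucket in us-east-2, component in us-east-1) as a blocked pre-flight instead of the opaque "Specified artifact resource cannot be accessed" error; swapping the target region to us-east-2 passes. The policy generator keeps the `Principal: "*"` plus `aws:PrincipalOrgID` shape from the question but drops the unrelated ACL and torrent actions.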
