How to fix `Authorization Failure` error when installing Greengrass Core software on edge device?
So I am using fleet provisioning to provision devices as described in the fleet template. That did work a few times, and when I tried to do it again today, I got the following error in CloudWatch logs:
{
  "timestamp": "2021-12-21 20:59:22.486",
  "logLevel": "ERROR",
  "traceId": "0cdb55f5-2d44-7057-e224-a28735791",
  "accountId": "accound_id",
  "status": "Failure",
  "eventType": "Connect",
  "protocol": "MQTT",
  "clientId": "b99f2af6-4195-4145-86c4-",
  "principalId": "d4ef80aa40cbed0388db1b682198e9879fd009b8f89cf2037a9853fe",
  "sourceIp": "80.57.107.22",
  "sourcePort": 52891,
  "reason": "AUTHORIZATION_FAILURE",
  "details": "Authorization Failure"
}
I have not changed anything from what worked yesterday.
These are the logs from the edge device:
2021-12-21T20:59:21.997Z [WARN] (main) com.aws.greengrass.deployment.DeviceConfiguration: Error looking up AWS region. {}
software.amazon.awssdk.core.exception.SdkClientException: Unable to load region from any of the providers in the chain software.amazon.awssdk.regions.providers.DefaultAwsRegionProviderChain@c05fddc: [software.amazon.awssdk.regions.providers.SystemSettingsRegionProvider@5e2c3d18: Unable to load region from system settings. Region must be specified either via environment variable (AWS_REGION) or system property (aws.region)., software.amazon.awssdk.regions.providers.AwsProfileRegionProvider@6440112d: No region provided in profile: default, software.amazon.awssdk.regions.providers.InstanceProfileRegionProvider@7e990ed7: Unable to contact EC2 metadata service.]
As far as I can see I have my region properly defined and if it was not defined well, it should have given me this exception the first time which it did not since it worked before.
This is my IoT Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive",
        "iot:Connect",
        "greengrass:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:AssumeRoleWithCertificate",
      "Resource": "arn:aws:iot:region:accoun_id:rolealias/GGCV2TokenExchangeRoleAlias"
    }
  ]
}
Fleet Provisioning Template:
{
  "Parameters": {
    "ThingName": {
      "Type": "String"
    },
    "ThingGroupName": {
      "Type": "String"
    },
    "AWS::IoT::Certificate::Id": {
      "Type": "String"
    }
  },
  "Resources": {
    "certificate": {
      "Properties": {
        "CertificateId": {
          "Ref": "AWS::IoT::Certificate::Id"
        },
        "Status": "Active"
      },
      "Type": "AWS::IoT::Certificate"
    },
    "policy": {
      "Properties": {
        "PolicyName": "GGCV2IoTThingPolicy"
      },
      "Type": "AWS::IoT::Policy"
    },
    "thing": {
      "OverrideSettings": {
        "AttributePayload": "MERGE",
        "ThingGroups": "DO_NOTHING",
        "ThingTypeName": "REPLACE"
      },
      "Properties": {
        "AttributePayload": {},
        "ThingGroups": [],
        "ThingName": {
          "Fn::Join": [
            "",
            [
              "Prefix_",
              {
                "Ref": "ThingName"
              }
            ]
          ]
        }
      },
      "Type": "AWS::IoT::Thing"
    }
  }
}
Greengrass Config file:
services:
  aws.greengrass.Nucleus:
    version: "2.5.2"
  aws.greengrass.FleetProvisioningByClaim:
    configuration:
      rootPath: /greengrass/v2
      awsRegion: "region"
      iotDataEndpoint: "endpoint"
      iotCredentialEndpoint: "credentialsPoint"
      iotRoleAlias: "GGCV2TokenExchangeRoleAlias"
      provisioningTemplate: "GGCV2FleetProvisioning"
      claimCertificatePath: "/greengrass/v2/claim-certs/claim.pem.crt"
      claimCertificatePrivateKeyPath: "/greengrass/v2/claim-certs/claim.private.pem.key"
      rootCaPath: "/greengrass/v2/AmazonRootCA1.pem"
      templateParameters:
        ThingName: "MyGreengrassCore"
        ThingGroupName: "MyGreengrassCoreGroup"
Hey, which configuration do you mean? The fleet provisioning template? I will add that now.
I mean the configuration for Greengrass. When you run Greengrass and use fleet provisioning you need to provide a configuration to Greengrass. Please provide that.
Aside from the warning about region, is there any error in the Greengrass logs?
Hey, now I see. I added the config file. The region error is the only error shown in the greengrass.log plus the fact that it leads to mqtt shutting down.
The config file which you provided has placeholders which you should fill out. Did you fill those in? https://docs.aws.amazon.com/greengrass/v2/developerguide/fleet-provisioning.html#:~:text=Then%2C%20do%20the%20following%3A
Please provide all of the logs in greengrass.log
2021-12-22T17:55:52.354Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: DockerApplicationManagerService. {}
2021-12-22T17:55:52.354Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: DeploymentService. {}
2021-12-22T17:55:52.355Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: UpdateSystemPolicyService. {}
2021-12-22T17:55:52.356Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: FleetStatusService. {}
2021-12-22T17:55:52.356Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: TelemetryAgent. {}
2021-12-22T17:55:52.357Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: TokenExchangeService. {}
2021-12-22T17:55:52.387Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: DockerApplicationManagerService. {}
2021-12-22T17:55:52.387Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: DeploymentService. {}
2021-12-22T17:55:52.387Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: UpdateSystemPolicyService. {}
2021-12-22T17:55:52.387Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: FleetStatusService. {}
2021-12-22T17:55:52.388Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: TelemetryAgent. {}
2021-12-22T17:55:52.388Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: TokenExchangeService. {}
2021-12-22T17:55:52.388Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: serviceImplementors: {UpdateSystemPolicyService:class com.aws.greengrass.lifecyclemanager.UpdateSystemPolicyService...}. {}
2021-12-22T17:55:52.390Z INFO com.aws.greengrass.lifecyclemanager.Kernel: Attempt to load service from plugins. {serviceName=aws.greengrass.Nucleus}
2021-12-22T17:55:52.392Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Running provisioning plugin: aws.greengrass.FleetProvisioningByClaim. {}
2021-12-22T17:55:52.407Z INFO com.aws.greengrass.lifecyclemanager.Kernel: Attempt to load service from plugins. {serviceName=main}
2021-12-22T17:55:52.412Z INFO com.aws.greengrass.lifecyclemanager.Kernel: Attempt to load service from plugins. {serviceName=DeploymentService}
2021-12-22T17:55:52.750Z ERROR com.aws.greengrass.FutureExceptionHandler: [Ljava.lang.String;@6fd122d2. {}
java.util.concurrent.ExecutionException: software.amazon.awssdk.crt.mqtt.MqttException: The connection was closed unexpectedly.
    at java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:357)
    at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1928)
    at com.aws.greengrass.FutureExceptionHandler.getFutureAfterCompletion(FutureExceptionHandler.java:56)
    at com.aws.greengrass.FutureExceptionHandler.getFutureAfterCompletion(FutureExceptionHandler.java:39)
    at com.aws.greengrass.FleetProvisioningByClaimPlugin.updateIdentityConfiguration(FleetProvisioningByClaimPlugin.java:139)
    at com.aws.greengrass.lifecyclemanager.KernelLifecycle.lambda$executeProvisioningPlugin$1(KernelLifecycle.java:189)
    at com.aws.greengrass.util.RetryUtils.runWithRetry(RetryUtils.java:50)
    at com.aws.greengrass.lifecyclemanager.KernelLifecycle.lambda$executeProvisioningPlugin$2(KernelLifecycle.java:188)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: software.amazon.awssdk.crt.mqtt.MqttException: The connection was closed unexpectedly.
    at software.amazon.awssdk.crt.mqtt.MqttClientConnection.onConnectionComplete(MqttClientConnection.java:139)
2021-12-22T17:55:52.751Z ERROR com.aws.greengrass.lifecyclemanager.KernelLifecycle: Caught exception while running provisioning plugin. Moving on to run Greengrass without provisioning. {}
java.lang.RuntimeException: software.amazon.awssdk.crt.mqtt.MqttException: The connection was closed unexpectedly.
    at com.aws.greengrass.FutureExceptionHandler.getFutureAfterCompletion(FutureExceptionHandler.java:69)
    at com.aws.greengrass.FutureExceptionHandler.getFutureAfterCompletion(FutureExceptionHandler.java:39)
    at com.aws.greengrass.FleetProvisioningByClaimPlugin.updateIdentityConfiguration(FleetProvisioningByClaimPlugin.java:139)
    at com.aws.greengrass.lifecyclemanager.KernelLifecycle.lambda$executeProvisioningPlugin$1(KernelLifecycle.java:189)
    at com.aws.greengrass.util.RetryUtils.runWithRetry(RetryUtils.java:50)
    at com.aws.greengrass.lifecyclemanager.KernelLifecycle.lambda$executeProvisioningPlugin$2(KernelLifecycle.java:188)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: software.amazon.awssdk.crt.mqtt.MqttException: The connection was closed unexpectedly.
    at software.amazon.awssdk.crt.mqtt.MqttClientConnection.onConnectionComplete(MqttClientConnection.java:139)
2021-12-22T17:55:52.911Z WARN com.aws.greengrass.deployment.IotJobsHelper: Device not configured to talk to AWS Iot cloud. IOT job deployment is offline. {errorMessage=thingName cannot be empty, certificateFilePath cannot be empty, privateKeyPath cannot be empty, rootCaPath cannot be empty, iotDataEndpoint cannot be empty, iotCredEndpoint cannot be empty}
2021-12-22T17:55:52.918Z WARN com.aws.greengrass.deployment.ShadowDeploymentListener: Device not configured to talk to AWS Iot cloud. Single device deployment is offline. {}
2021-12-22T17:55:52.919Z INFO com.aws.greengrass.lifecyclemanager.Kernel: Attempt to load service from plugins. {serviceName=UpdateSystemPolicyService}
2021-12-22T17:55:52.920Z INFO com.aws.greengrass.lifecyclemanager.Kernel: Attempt to load service from plugins. {serviceName=TelemetryAgent}
2021-12-22T17:55:53.002Z INFO com.aws.greengrass.lifecyclemanager.Kernel: effective-config-dump-complete. {file=/greengrass/v6/config/effectiveConfig.yaml}
2021-12-22T17:55:53.002Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: system-start. {main=services.main:NEW}
2021-12-22T17:55:53.005Z INFO com.aws.greengrass.lifecyclemanager.UpdateSystemPolicyService: service-set-state. {serviceName=UpdateSystemPolicyService, currentState=NEW, newState=INSTALLED}
2021-12-22T17:55:53.006Z INFO com.aws.greengrass.lifecyclemanager.UpdateSystemPolicyService: service-set-state. {serviceName=UpdateSystemPolicyService, currentState=INSTALLED, newState=STARTING}
2021-12-22T17:55:53.007Z INFO com.aws.greengrass.lifecyclemanager.UpdateSystemPolicyService: service-set-state. {serviceName=UpdateSystemPolicyService, currentState=STARTING, newState=RUNNING}
Can you please provide the configuration which you used?
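One of the comments asks whether the placeholders in the Greengrass config were filled in. The following is an added example, not code from this thread or from AWS: a pre-flight check that the `awsRegion`, `iotDataEndpoint` and `iotCredentialEndpoint` values are mutually consistent before the provisioning plugin is run. The function name `check_config`, the sample endpoint prefixes and the assumption that the device is in a commercial region (host names ending in `<region>.amazonaws.com`) are mine.

```python
import re

# Constructed sample: the three connection keys as posted in the question.
POSTED = '''
      awsRegion: "region"
      iotDataEndpoint: "endpoint"
      iotCredentialEndpoint: "credentialsPoint"
'''
# Constructed sample: well-formed values with made-up endpoint prefixes.
FILLED = '''
      awsRegion: "eu-west-1"
      iotDataEndpoint: "a1b2c3example-ats.iot.eu-west-1.amazonaws.com"
      iotCredentialEndpoint: "c4d5e6example.credentials.iot.eu-west-1.amazonaws.com"
'''

# Matches simple `key: "value"` or `key: value` lines; enough for these flat keys.
KEY_RE = re.compile(r'^[ \t]*(\w+):[ \t]*"?([^"\n]*)"?[ \t]*$', re.M)
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")


def check_config(text):
    """Return a list of problems in the fleet provisioning connection settings."""
    cfg = dict(KEY_RE.findall(text))
    problems = []
    region = cfg.get("awsRegion", "")
    if not REGION_RE.match(region):
        problems.append(f"awsRegion {region!r} is not a region code")
    data = cfg.get("iotDataEndpoint", "")
    cred = cfg.get("iotCredentialEndpoint", "")
    # Assumption: commercial partition, so hosts end in <region>.amazonaws.com.
    if ".credentials." in data or not data.endswith(f".iot.{region}.amazonaws.com"):
        problems.append(f"iotDataEndpoint {data!r} is not a data endpoint in {region!r}")
    if not cred.endswith(f".credentials.iot.{region}.amazonaws.com"):
        problems.append(f"iotCredentialEndpoint {cred!r} is not a credentials endpoint in {region!r}")
    return problems


if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("filled", FILLED)):
        print(name, check_config(text) or "ok")
```

A clean result only shows that the three values agree with each other; it does not confirm that the claim certificate is active or that its policy allows the connection.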