How to fix `Authorization Failure` error when installing Greengrass Core software on edge device?

0

So I am using fleet provisioning to provision devices as described in the fleet template. That did work a few times and when today I tried to do it again, I get the following error in CloudWatch logs:

{
    "timestamp": "2021-12-21 20:59:22.486",
    "logLevel": "ERROR",
    "traceId": "0cdb55f5-2d44-7057-e224-a28735791",
    "accountId": "accound_id",
    "status": "Failure",
    "eventType": "Connect",
    "protocol": "MQTT",
    "clientId": "b99f2af6-4195-4145-86c4-",
    "principalId": "d4ef80aa40cbed0388db1b682198e9879fd009b8f89cf2037a9853fe",
    "sourceIp": "80.57.107.22",
    "sourcePort": 52891,
    "reason": "AUTHORIZATION_FAILURE",
    "details": "Authorization Failure"
}


I have not changed anything from what worked yesterday.

These are the logs from the edge device:

2021-12-21T20:59:21.997Z [WARN] (main) com.aws.greengrass.deployment.DeviceConfiguration: Error looking up AWS region. {}
software.amazon.awssdk.core.exception.SdkClientException: Unable to load region from any of the providers in the chain software.amazon.awssdk.regions.providers.DefaultAwsRegionProviderChain@c05fddc: [software.amazon.awssdk.regions.providers.SystemSettingsRegionProvider@5e2c3d18: Unable to load region from system settings. Region must be specified either via environment variable (AWS_REGION) or  system property (aws.region)., software.amazon.awssdk.regions.providers.AwsProfileRegionProvider@6440112d: No region provided in profile: default, software.amazon.awssdk.regions.providers.InstanceProfileRegionProvider@7e990ed7: Unable to contact EC2 metadata service.]

As far as I can see I have my region properly defined and if it was not defined well, it should have given me this exception the first time which it did not since it worked before.

This is my IoT Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive",
        "iot:Connect",
        "greengrass:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:AssumeRoleWithCertificate",
      "Resource": "arn:aws:iot:region:accoun_id:rolealias/GGCV2TokenExchangeRoleAlias"
    }
  ]
}

Fleet Provisioning Template:

{
  "Parameters": {
    "ThingName": {
      "Type": "String"
    },
    "ThingGroupName": {
      "Type": "String"
    },
    "AWS::IoT::Certificate::Id": {
      "Type": "String"
    }
  },
  "Resources": {
    "certificate": {
      "Properties": {
        "CertificateId": {
          "Ref": "AWS::IoT::Certificate::Id"
        },
        "Status": "Active"
      },
      "Type": "AWS::IoT::Certificate"
    },
    "policy": {
      "Properties": {
        "PolicyName": "GGCV2IoTThingPolicy"
      },
      "Type": "AWS::IoT::Policy"
    },
    "thing": {
      "OverrideSettings": {
        "AttributePayload": "MERGE",
        "ThingGroups": "DO_NOTHING",
        "ThingTypeName": "REPLACE"
      },
      "Properties": {
        "AttributePayload": {},
        "ThingGroups": [],
        "ThingName": {
          "Fn::Join": [
            "",
            [
              "Prefix_",
              {
                "Ref": "ThingName"
              }
            ]
          ]
        }
      },
      "Type": "AWS::IoT::Thing"
    }
  }
}

Greengrass Config file:

services:
  aws.greengrass.Nucleus:
    version: "2.5.2"
  aws.greengrass.FleetProvisioningByClaim:
    configuration:
      rootPath: /greengrass/v2
      awsRegion: "region"
      iotDataEndpoint: "endpoint"
      iotCredentialEndpoint: "credentialsPoint"
      iotRoleAlias: "GGCV2TokenExchangeRoleAlias"
      provisioningTemplate: "GGCV2FleetProvisioning"
      claimCertificatePath: "/greengrass/v2/claim-certs/claim.pem.crt"
      claimCertificatePrivateKeyPath: "/greengrass/v2/claim-certs/claim.private.pem.key"
      rootCaPath: "/greengrass/v2/AmazonRootCA1.pem"
      templateParameters:
        ThingName: "MyGreengrassCore"
        ThingGroupName: "MyGreengrassCoreGroup"
asked 2 years ago, 768 views
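
An added example (not part of the original post and not AWS code): a simplified offline evaluation of an IoT policy document against a failed `Connect` event like the one in the question, to see whether a given policy could have produced `AUTHORIZATION_FAILURE`. It assumes plain `*`/`?` wildcards and no policy variables; the sample event, region, account ID and the claim-certificate policy are constructed placeholders.

```python
import re

def _match(pattern, value):
    # IoT policy wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny'; an explicit Deny always wins."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if (any(_match(a, action) for a in _as_list(st["Action"]))
                and any(_match(r, resource) for r in _as_list(st["Resource"]))):
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def triage(event, policy, region, account):
    """For a failed Connect event, report whether `policy` permits that client ID."""
    if (event.get("eventType"), event.get("reason")) != ("Connect", "AUTHORIZATION_FAILURE"):
        return None
    arn = f"arn:aws:iot:{region}:{account}:client/{event['clientId']}"
    return {"principalId": event["principalId"], "resource": arn,
            "decision": evaluate(policy, "iot:Connect", arn)}

# Constructed sample event, shaped like the CloudWatch entry in the question.
EVENT = {"eventType": "Connect", "protocol": "MQTT", "status": "Failure",
         "reason": "AUTHORIZATION_FAILURE",
         "clientId": "00000000-0000-4000-8000-000000000000",
         "principalId": "EXAMPLE_CERTIFICATE_ID"}

# First statement of the thing policy from the question (GGCV2IoTThingPolicy).
THING_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": ["*"],
     "Action": ["iot:Publish", "iot:Subscribe", "iot:Receive", "iot:Connect", "greengrass:*"]}]}

# Hypothetical claim-certificate policy; the real one is not shown in the question.
CLAIM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect",
     "Resource": "arn:aws:iot:us-east-1:111122223333:client/provisioner-*"}]}

if __name__ == "__main__":
    for name, pol in (("thing", THING_POLICY), ("claim", CLAIM_POLICY)):
        print(name, triage(EVENT, pol, "us-east-1", "111122223333"))
```

The `principalId` in the log entry identifies the principal that made the request, so the policy to evaluate is the one attached to that principal.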
1 Answer
0

2021-12-22T17:55:52.354Z [INFO] (main) com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: DockerApplicationManagerService. {}
2021-12-22T17:55:52.354Z [INFO] (main) com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: DeploymentService. {}
2021-12-22T17:55:52.355Z [INFO] (main) com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: UpdateSystemPolicyService. {}
2021-12-22T17:55:52.356Z [INFO] (main) com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: FleetStatusService. {}
2021-12-22T17:55:52.356Z [INFO] (main) com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: TelemetryAgent. {}
2021-12-22T17:55:52.357Z [INFO] (main) com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: TokenExchangeService. {}
2021-12-22T17:55:52.387Z [INFO] (main) com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: DockerApplicationManagerService. {}
2021-12-22T17:55:52.387Z [INFO] (main) com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: DeploymentService. {}
2021-12-22T17:55:52.387Z [INFO] (main) com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: UpdateSystemPolicyService. {}
2021-12-22T17:55:52.387Z [INFO] (main) com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: FleetStatusService. {}
2021-12-22T17:55:52.388Z [INFO] (main) com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: TelemetryAgent. {}
2021-12-22T17:55:52.388Z [INFO] (main) com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: TokenExchangeService. {}
2021-12-22T17:55:52.388Z [INFO] (main) com.aws.greengrass.lifecyclemanager.KernelLifecycle: serviceImplementors: {UpdateSystemPolicyService:class com.aws.greengrass.lifecyclemanager.UpdateSystemPolicyService...}. {}
2021-12-22T17:55:52.390Z [INFO] (main) com.aws.greengrass.lifecyclemanager.Kernel: Attempt to load service from plugins. {serviceName=aws.greengrass.Nucleus}
2021-12-22T17:55:52.392Z [INFO] (pool-2-thread-2) com.aws.greengrass.lifecyclemanager.KernelLifecycle: Running provisioning plugin: aws.greengrass.FleetProvisioningByClaim. {}
2021-12-22T17:55:52.407Z [INFO] (main) com.aws.greengrass.lifecyclemanager.Kernel: Attempt to load service from plugins. {serviceName=main}
2021-12-22T17:55:52.412Z [INFO] (main) com.aws.greengrass.lifecyclemanager.Kernel: Attempt to load service from plugins. {serviceName=DeploymentService}
2021-12-22T17:55:52.750Z [ERROR] (pool-2-thread-2) com.aws.greengrass.FutureExceptionHandler: [Ljava.lang.String;@6fd122d2. {}
java.util.concurrent.ExecutionException: software.amazon.awssdk.crt.mqtt.MqttException: The connection was closed unexpectedly.
    at java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:357)
    at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1928)
    at com.aws.greengrass.FutureExceptionHandler.getFutureAfterCompletion(FutureExceptionHandler.java:56)
    at com.aws.greengrass.FutureExceptionHandler.getFutureAfterCompletion(FutureExceptionHandler.java:39)
    at com.aws.greengrass.FleetProvisioningByClaimPlugin.updateIdentityConfiguration(FleetProvisioningByClaimPlugin.java:139)
    at com.aws.greengrass.lifecyclemanager.KernelLifecycle.lambda$executeProvisioningPlugin$1(KernelLifecycle.java:189)
    at com.aws.greengrass.util.RetryUtils.runWithRetry(RetryUtils.java:50)
    at com.aws.greengrass.lifecyclemanager.KernelLifecycle.lambda$executeProvisioningPlugin$2(KernelLifecycle.java:188)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: software.amazon.awssdk.crt.mqtt.MqttException: The connection was closed unexpectedly.
    at software.amazon.awssdk.crt.mqtt.MqttClientConnection.onConnectionComplete(MqttClientConnection.java:139)

2021-12-22T17:55:52.751Z [ERROR] (pool-2-thread-2) com.aws.greengrass.lifecyclemanager.KernelLifecycle: Caught exception while running provisioning plugin. Moving on to run Greengrass without provisioning. {}
java.lang.RuntimeException: software.amazon.awssdk.crt.mqtt.MqttException: The connection was closed unexpectedly.
    at com.aws.greengrass.FutureExceptionHandler.getFutureAfterCompletion(FutureExceptionHandler.java:69)
    at com.aws.greengrass.FutureExceptionHandler.getFutureAfterCompletion(FutureExceptionHandler.java:39)
    at com.aws.greengrass.FleetProvisioningByClaimPlugin.updateIdentityConfiguration(FleetProvisioningByClaimPlugin.java:139)
    at com.aws.greengrass.lifecyclemanager.KernelLifecycle.lambda$executeProvisioningPlugin$1(KernelLifecycle.java:189)
    at com.aws.greengrass.util.RetryUtils.runWithRetry(RetryUtils.java:50)
    at com.aws.greengrass.lifecyclemanager.KernelLifecycle.lambda$executeProvisioningPlugin$2(KernelLifecycle.java:188)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: software.amazon.awssdk.crt.mqtt.MqttException: The connection was closed unexpectedly.
    at software.amazon.awssdk.crt.mqtt.MqttClientConnection.onConnectionComplete(MqttClientConnection.java:139)

2021-12-22T17:55:52.911Z [WARN] (main) com.aws.greengrass.deployment.IotJobsHelper: Device not configured to talk to AWS Iot cloud. IOT job deployment is offline. {errorMessage=[thingName cannot be empty, certificateFilePath cannot be empty, privateKeyPath cannot be empty, rootCaPath cannot be empty, iotDataEndpoint cannot be empty, iotCredEndpoint cannot be empty]}
2021-12-22T17:55:52.918Z [WARN] (main) com.aws.greengrass.deployment.ShadowDeploymentListener: Device not configured to talk to AWS Iot cloud. Single device deployment is offline. {}
2021-12-22T17:55:52.919Z [INFO] (main) com.aws.greengrass.lifecyclemanager.Kernel: Attempt to load service from plugins. {serviceName=UpdateSystemPolicyService}
2021-12-22T17:55:52.920Z [INFO] (main) com.aws.greengrass.lifecyclemanager.Kernel: Attempt to load service from plugins. {serviceName=TelemetryAgent}
2021-12-22T17:55:53.002Z [INFO] (main) com.aws.greengrass.lifecyclemanager.Kernel: effective-config-dump-complete. {file=/greengrass/v6/config/effectiveConfig.yaml}
2021-12-22T17:55:53.002Z [INFO] (main) com.aws.greengrass.lifecyclemanager.KernelLifecycle: system-start. {main=services.main:NEW}
2021-12-22T17:55:53.005Z [INFO] (UpdateSystemPolicyService-lifecycle) com.aws.greengrass.lifecyclemanager.UpdateSystemPolicyService: service-set-state. {serviceName=UpdateSystemPolicyService, currentState=NEW, newState=INSTALLED}
2021-12-22T17:55:53.006Z [INFO] (UpdateSystemPolicyService-lifecycle) com.aws.greengrass.lifecyclemanager.UpdateSystemPolicyService: service-set-state. {serviceName=UpdateSystemPolicyService, currentState=INSTALLED, newState=STARTING}
2021-12-22T17:55:53.007Z [INFO] (UpdateSystemPolicyService-lifecycle) com.aws.greengrass.lifecyclemanager.UpdateSystemPolicyService: service-set-state. {serviceName=UpdateSystemPolicyService, currentState=STARTING, newState=RUNNING}

answered 2 years ago
