
How to fix `Authorization Failure` error when installing Greengrass Core software on edge device?


So I am using fleet provisioning to provision devices as described in the fleet template. That did work a few times and when today I tried to do it again, I get the following error in CloudWatch logs:

{
    "timestamp": "2021-12-21 20:59:22.486",
    "logLevel": "ERROR",
    "traceId": "0cdb55f5-2d44-7057-e224-a28735791",
    "accountId": "accound_id",
    "status": "Failure",
    "eventType": "Connect",
    "protocol": "MQTT",
    "clientId": "b99f2af6-4195-4145-86c4-",
    "principalId": "d4ef80aa40cbed0388db1b682198e9879fd009b8f89cf2037a9853fe",
    "sourceIp": "80.57.107.22",
    "sourcePort": 52891,
    "reason": "AUTHORIZATION_FAILURE",
    "details": "Authorization Failure"
}

I have not changed anything from what worked yesterday.

These are the logs from the edge device:

2021-12-21T20:59:21.997Z [WARN] (main) com.aws.greengrass.deployment.DeviceConfiguration: Error looking up AWS region. {}
software.amazon.awssdk.core.exception.SdkClientException: Unable to load region from any of the providers in the chain software.amazon.awssdk.regions.providers.DefaultAwsRegionProviderChain@c05fddc: [software.amazon.awssdk.regions.providers.SystemSettingsRegionProvider@5e2c3d18: Unable to load region from system settings. Region must be specified either via environment variable (AWS_REGION) or  system property (aws.region)., software.amazon.awssdk.regions.providers.AwsProfileRegionProvider@6440112d: No region provided in profile: default, software.amazon.awssdk.regions.providers.InstanceProfileRegionProvider@7e990ed7: Unable to contact EC2 metadata service.]

As far as I can see I have my region properly defined and if it was not defined well, it should have given me this exception the first time which it did not since it worked before.

This is my IoT Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive",
        "iot:Connect",
        "greengrass:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:AssumeRoleWithCertificate",
      "Resource": "arn:aws:iot:region:accoun_id:rolealias/GGCV2TokenExchangeRoleAlias"
    }
  ]
}

Fleet Provisioning Template:

{
  "Parameters": {
    "ThingName": {
      "Type": "String"
    },
    "ThingGroupName": {
      "Type": "String"
    },
    "AWS::IoT::Certificate::Id": {
      "Type": "String"
    }
  },
  "Resources": {
    "certificate": {
      "Properties": {
        "CertificateId": {
          "Ref": "AWS::IoT::Certificate::Id"
        },
        "Status": "Active"
      },
      "Type": "AWS::IoT::Certificate"
    },
    "policy": {
      "Properties": {
        "PolicyName": "GGCV2IoTThingPolicy"
      },
      "Type": "AWS::IoT::Policy"
    },
    "thing": {
      "OverrideSettings": {
        "AttributePayload": "MERGE",
        "ThingGroups": "DO_NOTHING",
        "ThingTypeName": "REPLACE"
      },
      "Properties": {
        "AttributePayload": {},
        "ThingGroups": [],
        "ThingName": {
          "Fn::Join": [
            "",
            [
              "Prefix_",
              {
                "Ref": "ThingName"
              }
            ]
          ]
        }
      },
      "Type": "AWS::IoT::Thing"
    }
  }
}

Greengrass Config file:

services:
  aws.greengrass.Nucleus:
    version: "2.5.2"
  aws.greengrass.FleetProvisioningByClaim:
    configuration:
      rootPath: /greengrass/v2
      awsRegion: "region"
      iotDataEndpoint: "endpoint"
      iotCredentialEndpoint: "credentialsPoint"
      iotRoleAlias: "GGCV2TokenExchangeRoleAlias"
      provisioningTemplate: "GGCV2FleetProvisioning"
      claimCertificatePath: "/greengrass/v2/claim-certs/claim.pem.crt"
      claimCertificatePrivateKeyPath: "/greengrass/v2/claim-certs/claim.private.pem.key"
      rootCaPath: "/greengrass/v2/AmazonRootCA1.pem"
      templateParameters:
        ThingName: "MyGreengrassCore"
        ThingGroupName: "MyGreengrassCoreGroup"
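
Triage example for the CloudWatch record in the question, added here and not part of the original post: it groups refused MQTT Connect events by `principalId`, which for certificate-authenticated clients is the certificate ID, so it is clear which certificate (claim or device) is being refused and over what period. The field names follow the record shown above; the sample records, the helper `_line` and the function name `connect_auth_failures` are constructed for illustration.

```python
import json
from collections import defaultdict

def _line(ts, status, event_type, client, principal, ip, reason=None):
    """Build one constructed log line (sample data only)."""
    rec = {"timestamp": ts, "status": status, "eventType": event_type,
           "protocol": "MQTT", "clientId": client, "principalId": principal,
           "sourceIp": ip}
    if reason:
        rec["reason"] = reason
    return json.dumps(rec)

# Constructed records; identifiers and addresses are placeholders, not from the post.
SAMPLE_LOG = [
    _line("2021-12-21 20:59:22.486", "Failure", "Connect", "client-1", "CERT_ID_A", "192.0.2.10", "AUTHORIZATION_FAILURE"),
    _line("2021-12-21 21:00:05.120", "Failure", "Connect", "client-2", "CERT_ID_A", "192.0.2.10", "AUTHORIZATION_FAILURE"),
    _line("2021-12-21 21:00:07.900", "Success", "Connect", "client-3", "CERT_ID_B", "192.0.2.20"),
    _line("2021-12-21 21:01:00.000", "Failure", "Publish-In", "client-3", "CERT_ID_B", "192.0.2.20", "AUTHORIZATION_FAILURE"),
    "not a JSON record",  # log exports can contain non-JSON lines
    _line("2021-12-21 20:58:00.001", "Failure", "Connect", "client-4", "CERT_ID_C", "192.0.2.30", "AUTHORIZATION_FAILURE"),
]

def connect_auth_failures(lines):
    """Group refused MQTT Connect events by principalId."""
    groups = defaultdict(lambda: {"count": 0, "client_ids": set(),
                                  "source_ips": set(), "first": None, "last": None})
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON records
        if not isinstance(ev, dict):
            continue
        if (ev.get("eventType"), ev.get("status"), ev.get("reason")) != \
                ("Connect", "Failure", "AUTHORIZATION_FAILURE"):
            continue  # ignore successes and non-Connect denials
        g = groups[ev.get("principalId", "<unknown>")]
        g["count"] += 1
        g["client_ids"].add(ev.get("clientId"))
        g["source_ips"].add(ev.get("sourceIp"))
        ts = ev.get("timestamp")
        if ts:  # "YYYY-MM-DD HH:MM:SS.mmm" sorts correctly as a string
            g["first"] = min(g["first"] or ts, ts)
            g["last"] = max(g["last"] or ts, ts)
    return dict(groups)

if __name__ == "__main__":
    for principal, g in sorted(connect_auth_failures(SAMPLE_LOG).items(),
                               key=lambda kv: -kv[1]["count"]):
        print(principal, g["count"], sorted(g["client_ids"]), g["first"], g["last"])
```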

1 Answer

2021-12-22T17:55:52.354Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: DockerApplicationManagerService. {}
2021-12-22T17:55:52.354Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: DeploymentService. {}
2021-12-22T17:55:52.355Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: UpdateSystemPolicyService. {}
2021-12-22T17:55:52.356Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: FleetStatusService. {}
2021-12-22T17:55:52.356Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: TelemetryAgent. {}
2021-12-22T17:55:52.357Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: TokenExchangeService. {}
2021-12-22T17:55:52.387Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: DockerApplicationManagerService. {}
2021-12-22T17:55:52.387Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: DeploymentService. {}
2021-12-22T17:55:52.387Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: UpdateSystemPolicyService. {}
2021-12-22T17:55:52.387Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: FleetStatusService. {}
2021-12-22T17:55:52.388Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: TelemetryAgent. {}
2021-12-22T17:55:52.388Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: TokenExchangeService. {}
2021-12-22T17:55:52.388Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: serviceImplementors: {UpdateSystemPolicyService:class com.aws.greengrass.lifecyclemanager.UpdateSystemPolicyService...}. {}
2021-12-22T17:55:52.390Z INFO com.aws.greengrass.lifecyclemanager.Kernel: Attempt to load service from plugins. {serviceName=aws.greengrass.Nucleus}
2021-12-22T17:55:52.392Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: Running provisioning plugin: aws.greengrass.FleetProvisioningByClaim. {}
2021-12-22T17:55:52.407Z INFO com.aws.greengrass.lifecyclemanager.Kernel: Attempt to load service from plugins. {serviceName=main}
2021-12-22T17:55:52.412Z INFO com.aws.greengrass.lifecyclemanager.Kernel: Attempt to load service from plugins. {serviceName=DeploymentService}
2021-12-22T17:55:52.750Z ERROR com.aws.greengrass.FutureExceptionHandler: [Ljava.lang.String;@6fd122d2. {}
java.util.concurrent.ExecutionException: software.amazon.awssdk.crt.mqtt.MqttException: The connection was closed unexpectedly.
    at java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:357)
    at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1928)
    at com.aws.greengrass.FutureExceptionHandler.getFutureAfterCompletion(FutureExceptionHandler.java:56)
    at com.aws.greengrass.FutureExceptionHandler.getFutureAfterCompletion(FutureExceptionHandler.java:39)
    at com.aws.greengrass.FleetProvisioningByClaimPlugin.updateIdentityConfiguration(FleetProvisioningByClaimPlugin.java:139)
    at com.aws.greengrass.lifecyclemanager.KernelLifecycle.lambda$executeProvisioningPlugin$1(KernelLifecycle.java:189)
    at com.aws.greengrass.util.RetryUtils.runWithRetry(RetryUtils.java:50)
    at com.aws.greengrass.lifecyclemanager.KernelLifecycle.lambda$executeProvisioningPlugin$2(KernelLifecycle.java:188)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: software.amazon.awssdk.crt.mqtt.MqttException: The connection was closed unexpectedly.
    at software.amazon.awssdk.crt.mqtt.MqttClientConnection.onConnectionComplete(MqttClientConnection.java:139)

2021-12-22T17:55:52.751Z ERROR com.aws.greengrass.lifecyclemanager.KernelLifecycle: Caught exception while running provisioning plugin. Moving on to run Greengrass without provisioning. {}
java.lang.RuntimeException: software.amazon.awssdk.crt.mqtt.MqttException: The connection was closed unexpectedly.
    at com.aws.greengrass.FutureExceptionHandler.getFutureAfterCompletion(FutureExceptionHandler.java:69)
    at com.aws.greengrass.FutureExceptionHandler.getFutureAfterCompletion(FutureExceptionHandler.java:39)
    at com.aws.greengrass.FleetProvisioningByClaimPlugin.updateIdentityConfiguration(FleetProvisioningByClaimPlugin.java:139)
    at com.aws.greengrass.lifecyclemanager.KernelLifecycle.lambda$executeProvisioningPlugin$1(KernelLifecycle.java:189)
    at com.aws.greengrass.util.RetryUtils.runWithRetry(RetryUtils.java:50)
    at com.aws.greengrass.lifecyclemanager.KernelLifecycle.lambda$executeProvisioningPlugin$2(KernelLifecycle.java:188)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: software.amazon.awssdk.crt.mqtt.MqttException: The connection was closed unexpectedly.
    at software.amazon.awssdk.crt.mqtt.MqttClientConnection.onConnectionComplete(MqttClientConnection.java:139)

2021-12-22T17:55:52.911Z WARN com.aws.greengrass.deployment.IotJobsHelper: Device not configured to talk to AWS Iot cloud. IOT job deployment is offline. {errorMessage=thingName cannot be empty, certificateFilePath cannot be empty, privateKeyPath cannot be empty, rootCaPath cannot be empty, iotDataEndpoint cannot be empty, iotCredEndpoint cannot be empty}
2021-12-22T17:55:52.918Z WARN com.aws.greengrass.deployment.ShadowDeploymentListener: Device not configured to talk to AWS Iot cloud. Single device deployment is offline. {}
2021-12-22T17:55:52.919Z INFO com.aws.greengrass.lifecyclemanager.Kernel: Attempt to load service from plugins. {serviceName=UpdateSystemPolicyService}
2021-12-22T17:55:52.920Z INFO com.aws.greengrass.lifecyclemanager.Kernel: Attempt to load service from plugins. {serviceName=TelemetryAgent}
2021-12-22T17:55:53.002Z INFO com.aws.greengrass.lifecyclemanager.Kernel: effective-config-dump-complete. {file=/greengrass/v6/config/effectiveConfig.yaml}
2021-12-22T17:55:53.002Z INFO com.aws.greengrass.lifecyclemanager.KernelLifecycle: system-start. {main=services.main:NEW}
2021-12-22T17:55:53.005Z INFO com.aws.greengrass.lifecyclemanager.UpdateSystemPolicyService: service-set-state. {serviceName=UpdateSystemPolicyService, currentState=NEW, newState=INSTALLED}
2021-12-22T17:55:53.006Z INFO com.aws.greengrass.lifecyclemanager.UpdateSystemPolicyService: service-set-state. {serviceName=UpdateSystemPolicyService, currentState=INSTALLED, newState=STARTING}
2021-12-22T17:55:53.007Z INFO com.aws.greengrass.lifecyclemanager.UpdateSystemPolicyService: service-set-state. {serviceName=UpdateSystemPolicyService, currentState=STARTING, newState=RUNNING}

answered 5 months ago
