Setting up Greengrass core device fails


I am following

https://docs.aws.amazon.com/greengrass/v2/developerguide/quick-installation.html?icmpid=docs_gg_console#provide-installer-aws-credentials

with "Use long-term credentials from an IAM user:", and am getting this error:

[ggc_user@localhost Downloads]$ sudo -E java -Droot="/greengrass/v2" -Dlog.store=FILE -jar ./GreengrassInstaller/lib/Greengrass.jar --aws-region us-east-1 --thing-name aws-greengrass-core --thing-group-name GreengrassQuickStartGroup --component-default-user ggc_user:ggc_group --provision true --setup-system-service true --deploy-dev-tools true
[sudo] password for ggc_user:
Provisioning AWS IoT resources for the device with IoT Thing Name: [aws-greengrass-core]...
Creating new IoT policy "GreengrassV2IoTThingPolicy"
Creating keys and certificate...
Attaching policy to certificate...
Creating IoT Thing "aws-greengrass-core"...
Attaching certificate to IoT thing...
Successfully provisioned AWS IoT resources for the device with IoT Thing Name: [aws-greengrass-core]!
Adding IoT Thing [aws-greengrass-core] into Thing Group: [GreengrassQuickStartGroup]...
Successfully added Thing into Thing Group: [GreengrassQuickStartGroup]
Setting up resources for aws.greengrass.TokenExchangeService ...
TES role alias "GreengrassV2TokenExchangeRoleAlias" does not exist, creating new alias...
Error while trying to setup Greengrass Nucleus
software.amazon.awssdk.services.iam.model.IamException: User: arn:aws:iam::409128494776:user/AWS_tutorial_user is not authorized to perform: iam:GetRole on resource: role GreengrassV2TokenExchangeRole because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: c80df0ec-c733-4b37-ad0f-5142849d1f69)
        at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handleErrorResponse(CombinedResponseHandler.java:125)
        at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handleResponse(CombinedResponseHandler.java:82)
        at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handle(CombinedResponseHandler.java:60)
        at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handle(CombinedResponseHandler.java:41)
... skipped MANY more lines of stack trace
        Suppressed: software.amazon.awssdk.core.exception.SdkClientException: Request attempt 4 failure: User: arn:aws:iam::409128494776:user/AWS_tutorial_user is not authorized to perform: iam:GetRole on resource: role GreengrassV2TokenExchangeRole because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 996260cd-16ca-4750-9acb-71df76658acc)
        Suppressed: software.amazon.awssdk.core.exception.SdkClientException: Request attempt 5 failure: User: arn:aws:iam::409128494776:user/AWS_tutorial_user is not authorized to perform: iam:GetRole on resource: role GreengrassV2TokenExchangeRole because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 21d68b6d-3b79-42ae-ae1c-7a785db21c6c)

What do I need to do?

asked 10 days ago · 43 views
2 Answers

Seems like the role GreengrassV2TokenExchangeRole doesn't have the right permissions to grant access to IoT services (IoT Core). Please check if the role has the policy GreengrassV2TokenExchangeRoleAccess attached and a trust relationship that allows credentials.iot.amazonaws.com to assume the role. The policy includes the minimum permissions for the core device.

More details can be found here: https://docs.aws.amazon.com/greengrass/v2/developerguide/device-service-role.html

akad (AWS)
answered 10 days ago
reviewed 10 days ago

Hi. The problem is the permissions that AWS_tutorial_user has.

Please refer to here: https://docs.aws.amazon.com/greengrass/v2/developerguide/quick-installation.html#provide-installer-aws-credentials.

Provide your AWS credentials to your device so that the installer can provision the required AWS resources. For more information about the required permissions, see Minimal IAM policy for installer to provision resources.

So, to perform the Greengrass quick/automatic provisioning, the AWS CLI credentials on the device must have this minimal policy: https://docs.aws.amazon.com/greengrass/v2/developerguide/provision-minimal-iam-policy.html.

The error you're getting indicates that your AWS_tutorial_user user does not have the iam:GetRole permission.

Greg_B (AWS, EXPERT)
answered 9 days ago
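As an added example (not from the question, either answer, or the Greengrass installer itself), the script below turns the installer's AccessDenied output into the exact IAM statement the provisioning identity is missing. It parses the "User: ... is not authorized to perform: ... on resource: ..." message shape that IAM returns and the Java SDK surfaces in the stack trace above, collapses the retry lines for the same request, and emits one Allow statement per resource. The sample log is constructed: the first three lines are the denials from the question, the last two (iam:CreateRole, iot:CreateRoleAlias) are invented here to show grouping across resources. The "<type> <name>" to ARN conversion for IAM resources is an assumption drawn from the message in the question, not from AWS documentation.

```python
"""Draft the IAM Allow statement a Greengrass installer identity is missing.

Added example for this thread; not part of the question, the answers or the
installer. It reads AccessDenied messages from the installer's log and emits
a least-privilege statement for exactly the denied actions, which you can then
compare against the documented minimal installer policy instead of granting iam:*.
"""
import json
import re
from collections import defaultdict
from typing import Optional

# Authorization-failure message as printed by the AWS SDK in the question.
# The "because ..." reason and the "(Service: ...)" suffix are optional so the
# pattern also fits the shorter form without them.
DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:iam::(?P<account>\d{12}):\S+) is not authorized "
    r"to perform: (?P<action>[a-z0-9-]+:[A-Za-z0-9*]+) on resource: (?P<resource>.+?)"
    r"(?: because (?P<reason>.+?))?"
    r"(?: \(Service: (?P<service>[^,]+), Status Code: (?P<status>\d+), "
    r"Request ID: (?P<request_id>[^)]+)\))?$"
)

# Assumption (from the message in the question): IAM names its own resources as
# "<type> <name>" (e.g. "role GreengrassV2TokenExchangeRole"); other services
# report a full ARN.
IAM_RESOURCE_TYPES = {"role", "user", "group", "policy", "instance-profile"}


def parse_denial(line: str) -> Optional[dict]:
    """Return the fields of an access-denied message found in one log line, or None."""
    m = DENIED_RE.search(line.strip())
    return m.groupdict() if m else None


def resource_arn(account: str, resource: str) -> str:
    """Normalise the resource text of a denial into an ARN."""
    if resource.startswith("arn:"):
        return resource
    rtype, _, name = resource.partition(" ")
    if rtype in IAM_RESOURCE_TYPES and name:
        # Some IAM messages already carry the ARN after the type word; keep it.
        return name if name.startswith("arn:") else f"arn:aws:iam::{account}:{rtype}/{name}"
    raise ValueError(f"cannot derive an ARN from resource text {resource!r}")


def draft_policy(log_text: str) -> dict:
    """Build an Allow statement set covering every denial in the log.

    Retries of the same request ('Request attempt N failure' lines) collapse
    into one action; output is sorted so it is stable for diffing.
    """
    actions_by_resource = defaultdict(set)
    for line in log_text.splitlines():
        denial = parse_denial(line)
        if denial:
            arn = resource_arn(denial["account"], denial["resource"])
            actions_by_resource[arn].add(denial["action"])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(actions), "Resource": arn}
            for arn, actions in sorted(actions_by_resource.items())
        ],
    }


# Constructed sample: the three denials from the question's stack trace, plus two
# follow-on denials (CreateRole, CreateRoleAlias) invented here to show grouping
# across resources. The last two lines are not output the asker reported.
SAMPLE_LOG = """\
software.amazon.awssdk.services.iam.model.IamException: User: arn:aws:iam::409128494776:user/AWS_tutorial_user is not authorized to perform: iam:GetRole on resource: role GreengrassV2TokenExchangeRole because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: c80df0ec-c733-4b37-ad0f-5142849d1f69)
        at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handleErrorResponse(CombinedResponseHandler.java:125)
        Suppressed: software.amazon.awssdk.core.exception.SdkClientException: Request attempt 4 failure: User: arn:aws:iam::409128494776:user/AWS_tutorial_user is not authorized to perform: iam:GetRole on resource: role GreengrassV2TokenExchangeRole because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 996260cd-16ca-4750-9acb-71df76658acc)
        Suppressed: software.amazon.awssdk.core.exception.SdkClientException: Request attempt 5 failure: User: arn:aws:iam::409128494776:user/AWS_tutorial_user is not authorized to perform: iam:GetRole on resource: role GreengrassV2TokenExchangeRole because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 21d68b6d-3b79-42ae-ae1c-7a785db21c6c)
User: arn:aws:iam::409128494776:user/AWS_tutorial_user is not authorized to perform: iam:CreateRole on resource: role GreengrassV2TokenExchangeRole
User: arn:aws:iam::409128494776:user/AWS_tutorial_user is not authorized to perform: iot:CreateRoleAlias on resource: arn:aws:iot:us-east-1:409128494776:rolealias/GreengrassV2TokenExchangeRoleAlias because no identity-based policy allows the iot:CreateRoleAlias action
"""

if __name__ == "__main__":
    print(json.dumps(draft_policy(SAMPLE_LOG), indent=2))
```

Two caveats when using this on a real log. The installer stops at the first denied call, so one pass only reveals the next missing action; keep adding statements until provisioning completes, or start from the minimal installer policy linked in the answer above and use this output only to confirm what is still missing. Before re-running the installer you can check a single action without touching the device with `aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::409128494776:user/AWS_tutorial_user --action-names iam:GetRole --resource-arns arn:aws:iam::409128494776:role/GreengrassV2TokenExchangeRole`, which reports `allowed` or `implicitDeny` per action. These permissions are needed by the provisioning identity only; the core device's runtime credentials come from the token exchange role the installer is creating in the log above, so the installer user's rights should not be left on the device afterwards.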
