Hi Santosh,
Looks like the only step you are missing to make this work is attaching the role to the Greengrass group.
Refer to "Attach an IAM Role to an AWS IoT Greengrass Group" section within this link https://docs.aws.amazon.com/iot-sitewise/latest/userguide/configure-gateway.html#create-iam-resources
Hope that helps,
Santosh
Hi,
I have already attached the role to the Greengrass group. Still, I got the same error.
PFB the same.
Current service role
GreenGrass Role
Policies attached to this role
AWSGreengrassResourceAccessRolePolicy
AWSLambdaBasicExecutionRole-d56f5b4d-b1bf-4be5-94e8-e20380ce18f9
GreengrassUpdate
SiteWise -- This is the policy for SiteWise.
Thanks,
Santosh
Edited by: SantoshPanda on Jan 15, 2020 1:00 AM
Edited by: SantoshPanda on Jan 15, 2020 1:03 AM
Hi,
However when I used CLI to check the associated role I got an error that there is no associated role to the deployment group. So, I associated it to the group via CLI and now I am successful.
But, I would like to know why the CLI gave me an error when in the console I can see that the role is associated to the group.
Thanks,
Santosh
Hi SantoshPanda,
There are 2 concepts here:
- Greengrass Service Role: This is the role you grant AWS Greengrass to assume to access resources in your AWS account. It allows Greengrass group deployments to succeed. Service role association is done at the account level per region.
- Greengrass Group Role: This is the role you associate for each of your Greengrass groups. It is used and assumed by lambdas within that group to access other AWS services. This association is done at the group level.
The error "Greengrass is not authorized to assume the service role" indicates that your Greengrass Service Role might not be correctly configured. Can you try and confirm the following?
1. With AWS CLI, run the following:
aws greengrass get-service-role-for-account --region <YOUR_REGION>
Check if you have associated a service role for your account in that region. If yes, you should be able to see something like "arn:aws:iam::<ACCOUNT_ID>:role/service-role/<ROLE_NAME>". Note down the role arn/name.
2. With AWS CLI, run the following:
aws iam get-role --role-name <ROLE_NAME> --region <YOUR_REGION>
You should be able to see an output similar to the following:
{
    "Role": {
        "Path": "/",
        "RoleName": "ROLE_NAME",
        "RoleId": "ROLE_ID",
        "Arn": "arn:aws:iam::<ACCOUNT>:role/<ROLE_NAME>",
        "CreateDate": "2019-12-27T18:38:54Z",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "greengrass.amazonaws.com"   <--- Check here
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        },
        "MaxSessionDuration": 3600
    }
}
Verify if the statement allows Greengrass service principal to assume role.
Thanks,
KR-AWS
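As an added example (not part of KR-AWS's answer or any AWS tool), a small Python script that automates the trust-policy check from step 2: it takes the JSON printed by `aws iam get-role` on stdin and reports whether the greengrass.amazonaws.com service principal is allowed sts:AssumeRole, covering the list-valued Service/Action and explicit Deny cases that a quick visual check can miss. The role name, account id and embedded sample document are constructed.

```python
import json
import sys

GREENGRASS_PRINCIPAL = "greengrass.amazonaws.com"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _statement_matches(stmt):
    """True if the statement names the Greengrass service principal and sts:AssumeRole."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        services = ["*"]  # wildcard principal covers every service
    else:
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    names_greengrass = any(s in ("*", GREENGRASS_PRINCIPAL) for s in services)
    allows_assume = any(a in ("sts:assumerole", "sts:*", "*") for a in actions)
    return names_greengrass and allows_assume


def greengrass_can_assume(doc):
    """Accept either the full `aws iam get-role` output or a bare trust policy.
    True only if an Allow statement grants Greengrass sts:AssumeRole and no Deny revokes it."""
    policy = doc["Role"]["AssumeRolePolicyDocument"] if "Role" in doc else doc
    stmts = _as_list(policy.get("Statement"))
    allowed = any(_statement_matches(s) and s.get("Effect") == "Allow" for s in stmts)
    denied = any(_statement_matches(s) and s.get("Effect") == "Deny" for s in stmts)
    return allowed and not denied


# Constructed sample in the shape `aws iam get-role` prints (account id is fictitious).
SAMPLE_GET_ROLE_OUTPUT = {"Role": {
    "RoleName": "Greengrass_ServiceRole",
    "Arn": "arn:aws:iam::123456789012:role/service-role/Greengrass_ServiceRole",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "greengrass.amazonaws.com"},
         "Action": "sts:AssumeRole"}]}}}

if __name__ == "__main__":
    # Pipe `aws iam get-role --role-name <ROLE_NAME>` into this script, or run it
    # with no stdin to check the embedded sample. Exit status 1 means the trust is missing.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_GET_ROLE_OUTPUT
    ok = greengrass_can_assume(doc)
    print(("OK: " if ok else "MISSING: ") + GREENGRASS_PRINCIPAL + " may assume this role")
    sys.exit(0 if ok else 1)
```

The same function can be pointed at the role from step 1 by looking up the name from the ARN that `get-service-role-for-account` prints.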