Cannot create a gateway.

0

Hi,
I am not able to create a gateway in IoT SiteWise. When I am creating a new gateway and assigning a Greengrass group it says: Greengrass group with ID xxxxxxxxxxxxxxx does not have an associated role.
I have a service role and a SiteWise policy is associated with it and the trust policy contains Greengrass service.

Thanks,
Santosh

asked 4 years ago, 198 views
5 answers
0

Hi Santosh,

Looks like the only step you are missing to make this work is attaching the role to the Greengrass group.

Refer to "Attach an IAM Role to an AWS IoT Greengrass Group" section within this link https://docs.aws.amazon.com/iot-sitewise/latest/userguide/configure-gateway.html#create-iam-resources

Hope that helps,
Santosh

answered 4 years ago
0

Hi,
I have already attached the role to the Greengrass group. Still, I got the same error.
PFB the same.

Current service role: GreenGrass Role

Policies attached to this role:
  - AWSGreengrassResourceAccessRolePolicy
  - AWSLambdaBasicExecutionRole-d56f5b4d-b1bf-4be5-94e8-e20380ce18f9
  - GreengrassUpdate
  - SiteWise -- This is the policy for SiteWise.

Thanks,
Santosh

Edited by: SantoshPanda on Jan 15, 2020 1:00 AM

Edited by: SantoshPanda on Jan 15, 2020 1:03 AM

answered 4 years ago
0

Hi,
However when I used CLI to check the associated role I got an error that there is no associated role to the deployment group. So, I associated it to the group via CLI and now I am successful.
But, I would like to know why the CLI gave me an error when in the console I can see that the role is associated to the group.

Thanks,
Santosh

answered 4 years ago
0

Hi SantoshPanda,
There are 2 concepts here:

  1. Greengrass Service Role
    This is the role you grant AWS Greengrass to assume to access resources in your AWS account. It allows Greengrass group deployments to succeed. Service role association is done at the account level per region.

  2. Greengrass Group Role
    This is the role you associate with each of your Greengrass groups. It is used and assumed by lambdas within that group to access other AWS services. This association is done at the group level.

The error "Greengrass is not authorized to assume the service role" indicates that your Greengrass Service Role might not be correctly configured. Can you try and confirm the following?

  1. With AWS CLI, run the following:

    aws greengrass get-service-role-for-account --region <YOUR_REGION>

    Check if you have associated a service role for your account in that region. If yes, you should be able to see something like "arn:aws:iam::<ACCOUNT_ID>:role/service-role/<ROLE_NAME>". Note down the role arn/name.

  2. With AWS CLI, run the following:

    aws iam get-role --role-name <ROLE_NAME> --region <YOUR_REGION>

You should be able to see an output similar to the following:

{
    "Role": {
        "Path": "/",
        "RoleName": "ROLE_NAME",
        "RoleId": "ROLE_ID",
        "Arn": "arn:aws:iam::<ACCOUNT>:role/<ROLE_NAME>",
        "CreateDate": "2019-12-27T18:38:54Z",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "greengrass.amazonaws.com"  <--- Check here
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        },
        "MaxSessionDuration": 3600
    }
}

Verify that the statement allows the Greengrass service principal to assume the role.

Thanks,
KR-AWS

answered 4 years ago
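The two CLI checks above can be scripted. The following is an added example (not part of this thread or of any AWS tool): it extracts the bare role name from the ARN that get-service-role-for-account returns (the "service-role/" path is not part of the name that `aws iam get-role --role-name` expects) and checks the trust policy in the get-role output for the greengrass.amazonaws.com principal, handling both string and list forms of Service/Action and an explicit Deny. The sample get-role output is constructed, modelled on the JSON quoted above; the account id in it is a placeholder.

```python
import json
from urllib.parse import unquote

GREENGRASS_PRINCIPAL = "greengrass.amazonaws.com"
ASSUME_ROLE_ACTIONS = ("sts:AssumeRole", "sts:*", "*")

def role_name_from_arn(arn: str) -> str:
    """Bare role name from a role ARN. get-service-role-for-account may return
    arn:aws:iam::<ACCOUNT_ID>:role/service-role/<ROLE_NAME>; `aws iam get-role
    --role-name` wants only the last segment, without the "service-role/" path."""
    resource = arn.split(":", 5)[5]  # e.g. "role/service-role/<ROLE_NAME>"
    if not resource.startswith("role/"):
        raise ValueError(f"not an IAM role ARN: {arn}")
    return resource.rsplit("/", 1)[-1]

def _as_list(value):
    # IAM accepts either a single string or a list for Service and Action.
    return [] if value is None else (value if isinstance(value, list) else [value])

def trust_policy_allows(policy: dict, service: str = GREENGRASS_PRINCIPAL) -> bool:
    """True if `service` may call sts:AssumeRole under this trust policy.
    An explicit Deny for the service overrides any Allow, as in IAM evaluation."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action"))
        if service not in services or not any(a in ASSUME_ROLE_ACTIONS for a in actions):
            continue  # statement does not concern this service principal
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied

def check_get_role_output(get_role_json: str) -> bool:
    """Check the trust policy inside raw `aws iam get-role` output. The CLI returns
    the document already decoded; the bare API returns it URL-encoded as a string."""
    doc = json.loads(get_role_json)["Role"]["AssumeRolePolicyDocument"]
    if isinstance(doc, str):
        doc = json.loads(unquote(doc))
    return trust_policy_allows(doc)

# Constructed sample modelled on the get-role output quoted above (no real account data).
SAMPLE_GET_ROLE = json.dumps({"Role": {
    "RoleName": "GreenGrassRole", "Arn": "arn:aws:iam::123456789012:role/service-role/GreenGrassRole",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Principal": {"Service": "greengrass.amazonaws.com"}, "Action": "sts:AssumeRole"}]}}})
```

Feed the real output of `aws iam get-role` to check_get_role_output; a False result means the trust policy does not let Greengrass assume the service role, which is the condition KR-AWS asks to verify.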
0

Thanks for the help. I checked everything was done as mentioned.

answered 4 years ago
