S3 Access Denied error when running Greengrass V2 device tester (IDT)

0

While running IDT for my gateway device, I got the following error for StreamManager component:

com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: XXXXXXXXXXXXXXX S3 Extended Request ID: XXXXXXXXXXXXXXX=; Proxy: null). {scriptName=services.aws.greengrass.StreamManager.lifecycle.startup.script, serviceName=aws.greengrass.StreamManager, currentState=RUNNING} 

The IDT script creates the roles and S3 buckets on the fly, so it's not easy to debug via the AWS console. So I checked CloudTrail, but it seems data events (S3 upload) are not logged in CloudTrail. How can I investigate further?

2 Answers
0

Hello,

The CloudTrail Event History feature supports only management events. Data events do not show up in Event History; they are sent directly to the S3 bucket that is configured for logging the CloudTrail events. I would suggest you configure your CloudTrail trail to enable S3 data logging. You can enable data logging by following the steps given in the documentation [1].

Once data logging is enabled, you will be able to see the S3 data events being delivered to the S3 bucket. That will help to understand which specific S3 API call is getting denied, and based on that we can check the permissions on the role/user calling that API.

In case you require resource-specific troubleshooting, feel free to raise a case with the AWS Support team [2].

References:
[1] https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html
[2] https://us-east-1.console.aws.amazon.com/support/home?region=us-east-1#

AWS
SUPPORT ENGINEER
answered 2 years ago
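Once S3 data-event logging is on, the delivered log files are plain JSON, so the "which call was denied, by which principal" step can be scripted. The following is an added example, not code from the answer above or from IDT; the bucket, role and account id in the sample records are constructed:

```python
"""Added example (not from the original post): find the denied S3 calls in a
CloudTrail log file once S3 data-event logging is enabled. Each file holds a
"Records" array with one entry per API call; the denied entries show which
s3:<Action> the IDT role needs on which bucket/key."""
import json
from collections import Counter

# Constructed sample log: two S3 data events, one IAM management event.
# Account id, role and bucket names are made up.
ROLE = "arn:aws:sts::111122223333:assumed-role/idt-gg-role/device"
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "errorCode": "AccessDenied", "errorMessage": "Access Denied",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE},
     "requestParameters": {"bucketName": "idt-sm-bucket", "key": "out/a.bin"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE},
     "requestParameters": {"bucketName": "idt-sm-bucket", "key": "in/b.bin"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/idt"}},
]})


def denied_s3_calls(log_text):
    """Return (eventName, principal ARN, bucket, key) per denied S3 call."""
    found = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue  # management event or another service; skip
        if rec.get("errorCode") != "AccessDenied":
            continue  # succeeded, or failed for a different reason
        params = rec.get("requestParameters") or {}
        found.append((rec.get("eventName"),
                      rec.get("userIdentity", {}).get("arn"),
                      params.get("bucketName"), params.get("key")))
    return found


def denied_actions_by_principal(log_text):
    """Count denied s3:<Action> per principal: what the role policy lacks."""
    counts = Counter()
    for name, arn, _bucket, _key in denied_s3_calls(log_text):
        counts[(arn, "s3:" + name)] += 1
    return counts


if __name__ == "__main__":
    for name, arn, bucket, key in denied_s3_calls(SAMPLE_LOG):
        print(f"{arn} denied s3:{name} on s3://{bucket}/{key}")
```

Point it at the gunzipped files CloudTrail drops in the trail's bucket (one `Records` array per file) and compare the reported actions against the `s3Resources` block of the IDT role policy.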
0

Are the proper permissions configured for the role you are using when running IDT?
You can find what permissions your role needs in "Step 2: Configure permissions for IDT"; there is a permission block called s3Resources which lists all the permissions IDT needs. https://docs.aws.amazon.com/greengrass/v2/developerguide/dev-tst-prereqs.html

Another possible cause is that the stream manager might be using the wrong credentials. For more information you can look at "Stream manager qualification errors" in https://docs.aws.amazon.com/greengrass/v2/developerguide/idt-troubleshooting.html#stream-manager-qualification-failure

AWS
answered 2 years ago
