Running AWS CLI commands within a Greengrass component

0

I'm trying to run various AWS CLI commands within my Greengrass component. Even with a maximally permissive policy for my thing I'm running into various errors:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

For aws iot describe-endpoint --endpoint-type iot:CredentialProvider I get the following error from my component:

An error occurred (AccessDeniedException) when calling the DescribeEndpoint operation: User: arn:aws:sts::[REDACTED]:assumed-role/GreengrassV2TokenExchangeRole/[REDACTED] is not authorized to perform: iot:DescribeEndpoint because no identity-based policy allows the iot:DescribeEndpoint action.

For aws iot-data get-thing-shadow --thing-name my_thing --shadow-name my_shadow_name shadow.json I get the error:

An error occurred (ForbiddenException) when calling the GetThingShadow operation: None.

For aws s3 cp --recursive --no-progress "${s3_folder_path}" "${download_folder}":

fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied.

However, aws sts get-caller-identity --query Arn --output text gives the expected correct GreengrassV2TokenExchangeRole role with a certificate containing the policy shown above.

Are these indicative of a particular issue? Is there a way to test if the policy is being applied as I would expect? Are calls with AWS CLI just not supported within Greengrass components?

1 Answer
1
Accepted Answer

Hi,

This is happening because you did not allow your Greengrass device to make those API calls. I believe the policy you pointed out is the IoT Policy and not IAM. You need to edit the IAM role which the IoT Role Alias points to for your Greengrass device. Read more here: https://docs.aws.amazon.com/greengrass/v2/developerguide/device-service-role.html.

Cheers,

Michael

AWS
EXPERT
answered a year ago
EXPERT
reviewed a year ago
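
The distinction drawn in the accepted answer, as an added example that is not part of the original thread: an identity-based IAM policy for the role behind the role alias (GreengrassV2TokenExchangeRole in the error above), scoped to the three failing calls instead of `"Action": "*"`. REGION, ACCOUNT_ID, EXAMPLE_BUCKET and EXAMPLE_PREFIX are placeholders, and the named-shadow resource ARN form is an assumption to confirm against the AWS IoT documentation.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeCredentialProviderEndpoint",
      "Effect": "Allow",
      "Action": "iot:DescribeEndpoint",
      "Resource": "*"
    },
    {
      "Sid": "ReadNamedShadow",
      "Effect": "Allow",
      "Action": "iot:GetThingShadow",
      "Resource": "arn:aws:iot:REGION:ACCOUNT_ID:thing/my_thing/my_shadow_name"
    },
    {
      "Sid": "ListDownloadBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::EXAMPLE_BUCKET"
    },
    {
      "Sid": "DownloadObjects",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE_BUCKET/EXAMPLE_PREFIX/*"
    }
  ]
}
```

`aws s3 cp --recursive` needs both S3 statements: `s3:ListBucket` on the bucket ARN covers the ListObjectsV2 call that failed, and `s3:GetObject` on the object ARNs covers the downloads that follow it.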
