By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

An error occurred (InvalidRequestException) when calling the CreateProvisioningTemplate operation: Access denied during validating provisioning hook, Hook: arn:aws:lambda:ap-southeast-2::f

0

I am trying to create a provisioning template with a hook lambda for greengras v2. and it show this error

here is the command i used:

aws iot create-provisioning-template \
  --template-name GreengrassFleetProvisioningTemplate \
  --description "A provisioning template for Greengrass core devices." \
  --provisioning-role-arn "arn:aws:iam:::role/GreengrassFleetProvisioningRole" \
  --template-body file://greengrass-fleet-provisioning-template.json \
  --pre-provisioning-hook targetArn=arn:aws:lambda:::function:preprovisioning \
  --enabled

and here is the error:

An error occurred (InvalidRequestException) when calling the CreateProvisioningTemplate operation: Access denied during validating provisioning hook, Hook: arn:aws:lambda:ap-southeast-2::function:preprovisioning

i tried to add "lambda:*" to GreengrassFleetProvisioningRole, and i am sure my aws account has all permissions required to do this. Where should i look into to fix this error

Thanks for your time.

Topics
Internet of Things (IoT)
Tags
AWS IoT GreengrassAWS IoT Core
Language
English
AWS-User-6797102
asked 3 years ago1.7K views
2 Answers
1
Accepted Answer

I think the IAM role of your pre-provisioning hook Lambda may be missing a permission. IoT needs permission to invoke the function.

Some good information here in this workshop: https://iot-device-management.workshop.aws/en/provisioning-options/fleet-provisioning.html#optional-pre-provisioning-hook

At this step:

aws lambda add-permission --statement-id $(date '+%Y%m%d%H%M%S') \
	--principal iot.amazonaws.com \
	--action lambda:InvokeFunction \
	--function-name [YOUR_LAMBDA_FUNCTION_NAME]
profile pictureAWS
EXPERT
Greg_B
answered 3 years ago
  • AWS-User-6797102
    3 years ago

    I added that permission in the lambda execution role instead

0

this is for serverless

functions:
  preprovisioning:
    name: preprovisioning
    handler: functions/preprovisioning.lambda_handler
    timeout: 100
resources:
  Resources:
    PermissionToCallHookLambda:
      Type: "AWS::Lambda::Permission"
      Properties: 
        Action: lambda:InvokeFunction
        FunctionName: preprovisioning
        Principal: "iot.amazonaws.com"
AWS-User-6797102
answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content