I'm currently trying to create a component in a tenant account using the artifact packaged in a central account S3 bucket. The tenant account and central account are in the same AWS Organization. I've tried the following settings to enable the tenant accounts to access the S3 bucket:
- On the central account S3 bucket (I wasn't sure what Principal Service/User was trying to test this access, so I just "shotgunned" it):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "greengrass.amazonaws.com",
          "iot.amazonaws.com",
          "credentials.iot.amazonaws.com"
        ]
      },
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::MY-CENTRAL-ACCOUNT-BUCKET/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetObjectTorrent",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectAcl"
      ],
      "Resource": "arn:aws:s3:::MY-CENTRAL-ACCOUNT-BUCKET/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-abc123def456"
        }
      }
    },
    ...
  ]
}
```
- On the `GreengrassV2TokenExchangeRole` in the tenant account, I've added the AmazonS3FullAccess AWS managed policy (just to see if I could eliminate this Role as the blocker).

I've verified that, as a User in the tenant account, I have access to the object in S3 and can do `aws s3 cp` as a tenant User (so the bucket policy doesn't seem to be blocking things).
Whenever I try creating the Component in the tenant account, using either the AWS IoT Greengrass Console or the AWS CLI, I'm met with:

`Invalid Input: Encountered following errors in Artifacts: {s3://MY-CENTRAL-ACCOUNT-BUCKET/com.example.my-component-name/1.0.0-dev.0/application.zip = Specified artifact resource cannot be accessed}`

What am I missing? Is there a different service-linked role I should be allowing in the S3 bucket resource policy?

It just seems like an access test during Component creation and not an actual attempt to access the resource. I'm fairly certain that if I assumed the Greengrass TES role, I'd be able to download the artifact too (although I haven't explicitly done that yet).
More things that don't work: adding `s3:ListBucket` to all the attempted service principals.

I've confirmed using the `aws` CLI that if I assume the `GreengrassV2TokenExchangeRole` in a tenant account, I can both `s3:GetObject` and `s3:ListBucket` on the artifact in the central account.

I even made the artifact bucket public with public access and still can't create a component using the artifact...
The issue seems to be that my buckets are in `us-east-2` and I'm trying to create the components in IoT Core `us-east-1`... even within the same account I can't use an artifact from a bucket in `us-east-2` to create a component in IoT Core `us-east-1`.

Turns out this is purely a region issue. A cross-account S3 bucket can be used to create a component as long as the bucket is in the same region as the IoT Core you're working in... is this a known thing that I missed?