Greengrass – TES responded with status code: 403


Deploying a custom greengrass component with docker artifacts to a docker containerized greengrass system resulted in this message. Has there been a similar experience by any users?

2024-06-05T19:37:27.868Z [ERROR] (pool-3-thread-24) com.aws.greengrass.tes.CredentialRequestHandler: TES responded with status code: 403. Caching response. {"message":"Access Denied"}. {iotCredentialsPath=/role-aliases/GreengrassCoreJitpTokenExchangeRoleAlias/credentials}
2024-06-05T19:37:27.870Z [ERROR] (pool-3-thread-24) com.aws.greengrass.tes.CredentialRequestHandler: Error in retrieving AwsCredentials from TES. {iotCredentialsPath=/role-aliases/GreengrassCoreJitpTokenExchangeRoleAlias/credentials, credentialData=TES responded with status code: 403. Caching response. {"message":"Access Denied"}}

The policy associated with the GreengrassCoreJitpTokenExchangeRoleAlias has been verified and is included here for reference.

1st Permission Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "ecr:GetLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:ListTagsForResource",
                "ecr:DescribeImageScanFindings"
            ],
            "Resource": "*"
        }
    ]
}

2nd Permission Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogStreams",
                "s3:GetBucketLocation",
                "ecr:*"
            ],
            "Resource": "*"
        }
    ]
}

Trust Relationships

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "credentials.iot.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
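The IAM policies posted above govern what the credentials vended by TES may do; the call to `/role-aliases/<alias>/credentials` itself is authorized by the AWS IoT policy attached to the core device's certificate, which must allow `iot:AssumeRoleWithCertificate` on the role alias ARN. The following is an added example, not code from the post or from Greengrass, that evaluates a constructed IoT policy document against that requirement; the account id and region in the ARN are placeholders.

```python
# Added example (not from the original post): check whether an AWS IoT policy
# document grants iot:AssumeRoleWithCertificate on a specific role alias ARN,
# the permission behind the TES /role-aliases/<alias>/credentials request.
import re

# Constructed placeholder ARN: account id and region are not from the post.
ALIAS_ARN = ("arn:aws:iot:us-east-1:123456789012:"
             "rolealias/GreengrassCoreJitpTokenExchangeRoleAlias")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, target):
    # IoT policy matching: '*' matches any run of characters, rest is literal.
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), target) is not None

def allows_assume_role(policy_doc, role_alias_arn):
    """True if the IoT policy allows iot:AssumeRoleWithCertificate on the alias.
    An explicit Deny that matches wins over any Allow, as in IoT policy evaluation."""
    allowed = False
    for stmt in policy_doc.get("Statement", []):
        action_hit = any(_wild(a, "iot:AssumeRoleWithCertificate")
                         for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_wild(r, role_alias_arn)
                           for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed

# Constructed sample: a core-device policy that covers MQTT but not the alias.
MISSING_ALIAS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iot:Connect", "iot:Publish", "iot:Subscribe", "iot:Receive"],
         "Resource": "*"}
    ]
}

# Constructed sample: the same policy plus the statement TES needs.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": MISSING_ALIAS_POLICY["Statement"] + [
        {"Effect": "Allow",
         "Action": "iot:AssumeRoleWithCertificate",
         "Resource": "arn:aws:iot:us-east-1:123456789012:rolealias/*"}
    ]
}
```

Run `allows_assume_role` on the document returned by `aws iot get-policy` for each policy attached to the core's certificate; a device whose policies all return False would be refused by TES regardless of the role's IAM permissions.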