DEV Community

Louis
Louis

Posted on

Greengrass - TES responded with status code: 403

#greengrass #raspberrypi #aws #iot

Deploying a custom greengrass component with docker artifacts to a docker containerized greengrass system resulted in this message. Has there been a similar experience by any users?

2024-06-05T19:37:27.868Z [ERROR] (pool-3-thread-24) com.aws.greengrass.tes.CredentialRequestHandler: TES responded with status code: 403. Caching response. {"message":"Access Denied"}. {iotCredentialsPath=/role-aliases/GreengrassCoreJitpTokenExchangeRoleAlias/credentials}
2024-06-05T19:37:27.870Z [ERROR] (pool-3-thread-24) com.aws.greengrass.tes.CredentialRequestHandler: Error in retrieving AwsCredentials from TES. {iotCredentialsPath=/role-aliases/GreengrassCoreJitpTokenExchangeRoleAlias/credentials, credentialData=TES responded with status code: 403. Caching response. {"message":"Access Denied"}}
Enter fullscreen mode Exit fullscreen mode

The policy associated with the GreengrassCoreJitpTokenExchangeRoleAlias has been verified, included here for reference.

1st Permission Policy 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "ecr:GetLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:ListTagsForResource",
                "ecr:DescribeImageScanFindings"
            ],
            "Resource": "*"
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode

2nd Permission Policy 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogStreams",
                "s3:GetBucketLocation",
                "ecr:*"
            ],
            "Resource": "*"
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode

Trust Relationships 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "credentials.iot.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode

Top comments (0)

Read next

grunet profile image

Gushing Over AWS Application Load Balancer Access Logs

Grunet -

azayshrestha profile image

Deploying Nuxt 3 App in AWS EC2 with Nginx and PM2

AJAY SHRESTHA -

faangmaster profile image

Некоторые подходы к архитектуре приложений в Amazon

faangmaster -

carlosfilho profile image

Configuração do Elastic Beanstalk para melhorar a tolerância a falhas e o dimensionamento automático

Carlos Filho -