DEV Community

Louis
Louis

Posted on

Greengrass - TES responded with status code: 403

#greengrass #raspberrypi #aws #iot

Deploying a custom greengrass component with docker artifacts to a docker containerized greengrass system resulted in this message. Has there been a similar experience by any users?

2024-06-05T19:37:27.868Z [ERROR] (pool-3-thread-24) com.aws.greengrass.tes.CredentialRequestHandler: TES responded with status code: 403. Caching response. {"message":"Access Denied"}. {iotCredentialsPath=/role-aliases/GreengrassCoreJitpTokenExchangeRoleAlias/credentials}
2024-06-05T19:37:27.870Z [ERROR] (pool-3-thread-24) com.aws.greengrass.tes.CredentialRequestHandler: Error in retrieving AwsCredentials from TES. {iotCredentialsPath=/role-aliases/GreengrassCoreJitpTokenExchangeRoleAlias/credentials, credentialData=TES responded with status code: 403. Caching response. {"message":"Access Denied"}}
Enter fullscreen mode Exit fullscreen mode

The policy associated with the GreengrassCoreJitpTokenExchangeRoleAlias has been verified, included here for reference.

1st Permission Policy 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "ecr:GetLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:ListTagsForResource",
                "ecr:DescribeImageScanFindings"
            ],
            "Resource": "*"
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode

2nd Permission Policy 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogStreams",
                "s3:GetBucketLocation",
                "ecr:*"
            ],
            "Resource": "*"
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode

Trust Relationships 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "credentials.iot.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode
profile
Sentry
 Promoted

Sentry image

Hands-on debugging session: instrument, monitor, and fix

Join Lazar for a hands-on session where you’ll build it, break it, debug it, and fix it. You’ll set up Sentry, track errors, use Session Replay and Tracing, and leverage some good ol’ AI to find and fix issues fast.

RSVP here →

Top comments (0)

profile
AWS
 Promoted

AWS Security LIVE!

Join us for AWS Security LIVE!

Discover the future of cloud security. Tune in live for trends, tips, and solutions from AWS and AWS Partners.

Learn More

Read next

agbagbarao profile image

Distribution Calculator In Svelte - Hosted on Amazon S3

Omo Agbagbara -

deeheber profile image

AWS Fargate on a Budget

Danielle Heberling -

franciscojeg78 profile image

Power Up Your AWS Game: Create EC2 Instances, Install Apache, and Connect with PowerShell

Francisco Escobar -

admantium profile image

IOT: Dynamic Deep Sleep Configuration for ESP8266 and ESP32 Boards

Sebastian -

👋 Kindness is contagious

Please leave a ❤️ or a friendly comment on this post if you found it helpful!

Okay