Following the AWS Greengrass Quickstart Docs
Install the AWS IoT Greengrass Core software step 5 leads to the error :
The security token included in the request is invalid
I have tried:
with both my normal creds, temporary creds (as recommended),
created new secret keys and retried normal and temporary creds,
tried in both v1 and v2 of Greengrass
I have tested the "export AWS_..." variables set to make sure they are properly set.
I just dont understand what is happening in GreengrassCore to try to debug if this is something with my user credentials or if something is breaking in the script itself. If it hadn't been for running into so many AWS tutorials and "Quickstarts" that were broken out of the box, outdated, and wrong I would just assume I'm doing something wrong but at this point I was wondering if anyone has been able to get this to work or if they could give me any additional insight of the security token...is invalid message when I have tried using credentials from the "My Security Credentials" and from aws sts get-session-token --duration-seconds 129600 repeatedly.
Thanks for any and all insights.
Greengrass uses the provided credentials to perform all cloud operations to provision the device, certificate, IoT policy, IoT role alias, and also an IAM role with permissions.
I've found that temporary credentials, even those with fully admin access, may not work in certain contexts. Can you try provisioning with an IAM user's set of credentials and temporarily with the AdministratorAccess IAM policy (you can remove after Greengrass has successfully provisioned).
If you want to be more specific, you can create an minimal IAM policy from here. Those are needed permissions in the credentials provided to Greengrass to complete provisioning.
You might want to review the Greengrass v2 workshop let's begin section. It covers the same as the AWS documentation but might explain things in a different way.
Related
previously I had been able to deploy my lambda functions without any problems on my own AWS account. Now, I need to deploy them on to a different AWS account where my IAM user has an AdministratorAccess permission.
I've set up a role/policies for invoking lambdas the same way I did for my account. Before I deployed my code with terraform, I checked the console page for AWS lambda , and this error pops up.
Any idea why I still don't have enough permissions to access lambda even with my AdministratorAccess policy attached to my user?. Do I still need to add more policies to my user in order to access Lambda?
I have faced the same issue. You need to contact AWS to unlock your access as your account has been locked due to potentially dangerous activity.
I recommend you to enable MFA and use an IAM user to log in to AWS console instead of root user.
AdministratorAccess is definitely enough to view the Lambda console.
Do you have CLI access setup for this user? You could try running the list-functions CLI command to confirm that you user is setup as expected, as this uses the same API call that the web console is performing for you.
I have faced the same issue, after checking this post I checked my mailbox. AWS asked my to verify my account by sending utility bills picture and address information. I did it and everything is back to normal now.
I want an IAM user to have read/List access and start/stop access to AWS workspaces. Hence I've created a simple IAM policy which grants all read and list actions.
but this was not enough. I was displayed with an error message An Error Has Occurred There was an error retrieving information about your WorkSpaces. Upon investigating cloudtrail, I found that the user need read/list permissions to KMS and AWSDirectory Service. Hence granted that too but when I login again, I still see the same error. Even tried attaching EC2 full access too but still the same error. Is this a potential bug?
The same issue has been discussed in AWS forum too but no resolution there.
https://forums.aws.amazon.com/thread.jspa?threadID=236408
KMS policy and Directory service policy below.
DS:
KMS:
Error Screenshot:
I've found the solution for this. AWS has bizarre limitation where if you want to access workspaces via console, then you need to give full access (workspaces:*) only. Below is a screenshot from the document that states this. Highly disappointed with AWS regarding this limitation.
https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-access-control.html
Have you tried a policy similar to the one in the documentation. It includes some services in addition to the once you have tried already.
I am trying to make a connection between AWS IoT and my React JS APP.
I followed this tutorial (https://medium.com/serverlessguru/serverless-real-time-reactjs-app-aws-iot-mqtt-17d023954045), and it is not clear to me how to attach the Cognito Identity ID to the AWS IoT Policy.
During all my investigation, I found that this process must be done through command line.
In the article above, theses process is done by the following command line:
• Note that the “identity_pool_id” has to be considered in this command.
In the aws documentation (https://aws-amplify.github.io/docs/js/pubsub), it says to write the “identity_id” in the command line:
When I use the “identity_pool_id” in the command line, and I try to publish a message from AWS IoT, I got the following error:
When I use the “identity_id” in the command line, I can perform the communication between AWS IoT and the Frontend successfully:
The problem is that the “identity_id” is a different code for each user. Considering that I am going to have a lot of user in my application I don’t know how to perform this task.
• Am I doing the right process to consider the “identity_id” instead of “identity_pool_id”?
• If yes, how could I automatically attach the Cognito ID to the AWS IoT Policy every time I have a new user signedIn in my application?
• Are there any problem to have thousands of Cognito certificates attached in a AWS IoT Policy?
Following answer is in chronological order corresponding to 3 questions.
You can attach only identity_id (user) to IoT policy. Also, I can see you have used "attach-principal-policy" API which is deprecated now, so instead of that please use AttachPolicy API
I'm unsure here, still I'd recommend to evaluate and verify it on Cognito's post confirmation trigger
Absolutely right, you can attach a IoT policy to myriad of certificates; technically it is known as Simplified Permission Management
For #3, Relevant Snippet from AWS (Ref - https://aws.amazon.com/iot-core/faqs/ where find Q. What is Simplified Permission Management?)
"You can share a single generic policy for multiple devices. A generic policy can be shared among the same category of devices instead of creating a unique policy per device. For example, a policy that references the “serial-number” as a variable, can be attached to all the devices of the same model. When devices of the same serial number connect, policy variables will be automatically substituted by their serial-number."
How to configure the credential to use AWS service from inside the EKS. I can not use AWS SDK for this specific purpose. I have mentioned a role with required permission in the yaml file but it does not seem like it is picking up the role.
ThankYou
Any help is appreciated.
Typically you'd want to apply some level of logic to allow the pods themselves to obtain IAM credentials from STS. AWS does not currently (its re:Invent now so you never know) provide a native-way to do this. The two community solutions we've implemented are:
kube2IAM: https://github.com/jtblin/kube2iam
kIAM: https://github.com/uswitch/kiam
Both work well in production/large environments in my experience. I prefer kIAM's security model, but both get the job done.
Essentially the work the same basic way ... intercepting (for lack of a better word) communications b/t the SDK libraries in the container and STS, matching identity of the pod with an internal role dictionary, and then obtaining STS credentials for that role and handing those creds back to the container. The SDK isn't inherently aware its in a container, its just doing what it does anywhere ... walking its access tree until it sees the need to obtain creds from STS and receiving those.
I am using an MQTT client in JavaScript (paho-mqtt-js) to connect to an AWS IoT endpoint and I am able to connect if I use my own AWS credentials.
However, if I use credentials generated by Cognito for a logged in user I am unable to do so. My Cognito authorised role in IAM has a policy of "AWSIoTFullAccess" attached to it so I am confused as to why these credentials return a 403 error each time.
Any help with regard to this would be greatly appreciated.
Encountered similar problem when dealing with Federated identity. Some tips to resolve the problem:
Please use the cloudwatch logs to figure out the problems it was very handy.
Also look at the cloudwatch logs with topic name ending with _CognitoIdentityCredentials
Using the appropriate session tokens
Use AWS CLI and execute attach-principal-policy to try out manually.
Please refer to this link https://github.com/alfonsodev/aws-iot-example/blob/master/index.js to run locally with nodejs to troubleshoot the issue.
Please use attach principal policy. This link http://techqa.info/programming/question/40301345/connect-to-AWS-IoT-using-web-socket-with-Cognito-authenticated-users was very helpful for integration
Hope this helps!
Check your AWS IoT policies. You'll also need an AWS IoT policy for your Cognito identity in addition to the policy you've attached to the IAM Role. See the docs here:
https://docs.aws.amazon.com/iot/latest/developerguide/authorization.html