AWSIoT Access denied when trying to get object


I am trying to create an AWS IoT Job; I have followed the prerequisites here.

The Lambda creating the OTA Job has the required permissions.
But when I get the details of that Job to see why it hasn't been created, I get:

'Access denied when trying to get object. (Service: AWSIot; Status Code: 401; Error Code: UnauthorizedException; Request ID: 0d20d22e-9d19-46de-a5ba-9a0c02254ab7; Proxy: null)'

Full response on aws iot get-ota-update:

otaUpdateInfo:
  additionalParameters: {}
  awsJobExecutionsRolloutConfig: {}
  awsJobPresignedUrlConfig:
    expiresInSec: 1800
  creationDate: '2024-03-27T11:27:13.385000+05:30'
  description: 'Job Name: VarunJob_26-Mar-24#01'
  errorInfo:
    code: UnauthorizedException
    message: 'Access denied when trying to get object. (Service: AWSIot; Status Code:
      401; Error Code: UnauthorizedException; Request ID: 0d20d22e-9d19-46de-a5ba-9a0c02254ab7;
      Proxy: null)'
  lastModifiedDate: '2024-03-27T11:27:14.154000+05:30'
  otaUpdateArn: arn:aws:iot:us-east-1:account:otaupdate/Ai8JXbggPogk43KdUrEduY
  otaUpdateFiles:
  - codeSigning:
      dummySigningDetails
    fileLocation:
      s3Location:
        bucket: ota-account-dev
        key: users/user_id/firmwareimages/kjdfsjkdflkj/fdsjlkdsfkj.bin
  otaUpdateId: Ai8JXbggPogk43KdUrEduY
  otaUpdateStatus: CREATE_FAILED
  protocols:
  - MQTT
  - HTTP
  targetSelection: SNAPSHOT
  targets:
  - arn:aws:iot:us-east-1:account:thing/Ux96hQsNZWjqynXYD2zfvN

My only guess is that AWS IoT cannot resolve its access to that S3 object.
I have given the required permissions to access S3 in IoT's service role:

Statement:
  - Effect: Allow
    Action:
      - s3:GetObjectVersion
      - s3:GetObject
      - s3:PutObject
    Resource: !Sub
      - arn:aws:s3:::${OtaImageBucket}/*
      - OtaImageBucket: !ImportValue OTAFirmwareS3BucketArn

The weird part is that this error is occurring on my staging account.
But it works on my dev account. We use Cloudformation to manage the infrastructure so I know the same resources should be deployed on both ends.

Any help is greatly appreciated.


There is 1 answer

Varun Gawande

Never mind, it turns out I wasn't creating the S3 object ARN right.
With:

Resource: !Sub
  - arn:aws:s3:::${OtaImageBucket}/*
  - OtaImageBucket: !ImportValue OTAFirmwareS3BucketArn

My target ARN had arn:aws:s3::: twice.

Fixed that and it worked.

P.S. The reason it worked on my dev env was that the bucket allowed public access (probably some POC).
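The bug in the question and the fix in the answer come down to what the imported value contains: `!Sub 'arn:aws:s3:::${OtaImageBucket}/*'` assumes a bucket name, but `OTAFirmwareS3BucketArn` exports an ARN, so the rendered Resource carries the `arn:aws:s3:::` prefix twice and never matches the firmware object. If the other stack keeps exporting the ARN, the template string should be `'${OtaImageBucket}/*'` (the same `!Sub` with the variable map unchanged); if it exports the name, the original string is right. The script below is an added example, not code from the question or the answer: it renders the `!Sub` expression offline for both kinds of export, checks the result against the object ARN taken from the `get-ota-update` output, and flags the doubled prefix. The exported values are constructed stand-ins, the `Fn::Sub` renderer handles only plain `${Name}` variables, and the resource matcher is a simplified IAM glob rather than the full policy evaluator.

```python
"""
Added example (not from the original question or answer): render the
CloudFormation expression

    Resource: !Sub
      - arn:aws:s3:::${OtaImageBucket}/*
      - OtaImageBucket: !ImportValue OTAFirmwareS3BucketArn

offline for two kinds of exported value (a bucket ARN, as the answer found, and
a plain bucket name), validate the result as an S3 object ARN pattern, and
check whether it would cover the object from the failed OTA update.
"""
import re

# Bucket and key taken from the get-ota-update output in the question.
BUCKET = "ota-account-dev"
KEY = "users/user_id/firmwareimages/kjdfsjkdflkj/fdsjlkdsfkj.bin"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/{KEY}"

# Constructed stand-ins for what `!ImportValue OTAFirmwareS3BucketArn` resolves to.
EXPORT_AS_ARN = f"arn:aws:s3:::{BUCKET}"   # ARN export (the situation on the page)
EXPORT_AS_NAME = BUCKET                     # bucket-name export

# The template string from the question, and one that takes an ARN export as-is.
TEMPLATE_ORIGINAL = "arn:aws:s3:::${OtaImageBucket}/*"
TEMPLATE_FOR_ARN_EXPORT = "${OtaImageBucket}/*"

# One arn:aws:s3::: prefix, a bucket name, then an object key or glob.
_S3_OBJECT_PATTERN = re.compile(r"arn:aws:s3:::[a-z0-9.-]{3,63}/.+")


def render_sub(template: str, variables: dict) -> str:
    """Mimic the string part of Fn::Sub: replace every ${Name} with the mapped
    value.  Only plain variable names are handled (no ${AWS::Region} or
    ${Resource.Attribute} lookups); an unknown name raises, just as
    CloudFormation rejects an unresolvable reference."""
    def repl(match: re.Match) -> str:
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"unresolved ${{{name}}} in Fn::Sub")
        return variables[name]
    return re.sub(r"\$\{([A-Za-z0-9_]+)\}", repl, template)


def is_s3_object_pattern(arn: str) -> bool:
    """True for a single 'arn:aws:s3:::<bucket>/<key-or-glob>'.  A doubled
    prefix puts ':' where only bucket-name characters may appear, so the
    rendered ARN from the question fails this check."""
    return _S3_OBJECT_PATTERN.fullmatch(arn) is not None


def resource_matches(pattern: str, arn: str) -> bool:
    """Simplified IAM resource matching: '*' matches any run of characters
    (including '/'), '?' matches one character, everything else is literal."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, arn, flags=re.DOTALL) is not None


def evaluate(template: str, exported_value: str, object_arn: str = OBJECT_ARN) -> dict:
    """Render the Resource entry and report whether it is well-formed and
    whether it would cover the firmware object."""
    rendered = render_sub(template, {"OtaImageBucket": exported_value})
    return {
        "rendered": rendered,
        "well_formed": is_s3_object_pattern(rendered),
        "covers_object": resource_matches(rendered, object_arn),
    }


if __name__ == "__main__":
    cases = [
        ("original template, ARN export (the bug on the page)", TEMPLATE_ORIGINAL, EXPORT_AS_ARN),
        ("original template, bucket-name export", TEMPLATE_ORIGINAL, EXPORT_AS_NAME),
        ("'${OtaImageBucket}/*' template, ARN export", TEMPLATE_FOR_ARN_EXPORT, EXPORT_AS_ARN),
    ]
    for label, template, export in cases:
        result = evaluate(template, export)
        print(f"{label}:")
        print(f"  Resource      = {result['rendered']}")
        print(f"  well-formed   = {result['well_formed']}")
        print(f"  covers object = {result['covers_object']}")
```

Running the script shows the first case rendering to `arn:aws:s3:::arn:aws:s3:::ota-account-dev/*`, which is neither well-formed nor a match for the object, while the other two render to `arn:aws:s3:::ota-account-dev/*` and cover it. The check only says what the role policy grants; as the P.S. notes, a bucket that allows public reads hides a broken role policy entirely, which is why the same template passed in dev and failed in staging. Running such a check in CI against the rendered template catches the mismatch before a deploy, and a firmware bucket that is readable without the role is worth locking down in its own right.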