AWS Greengrass Quickstart Docs - Invalid Token Error

Question

Following the AWS Greengrass Quickstart Docs Install the AWS IoT Greengrass Core software step 5 leads to the error :

The security token included in the request is invalid

I have tried:

• with both my normal creds, temporary creds (as recommended),
• created new secret keys and retried normal and temporary creds,
• tried in both v1 and v2 of Greengrass
• I have tested the "export AWS_..." variables set to make sure they are properly set.

I just dont understand what is happening in GreengrassCore to try to debug if this is something with my user credentials or if something is breaking in the script itself. If it hadn't been for running into so many AWS tutorials and "Quickstarts" that were broken out of the box, outdated, and wrong I would just assume I'm doing something wrong but at this point I was wondering if anyone has been able to get this to work or if they could give me any additional insight of the security token...is invalid message when I have tried using credentials from the "My Security Credentials" and from aws sts get-session-token --duration-seconds 129600 repeatedly.

Thanks for any and all insights.

Answer 1

Greengrass uses the provided credentials to perform all cloud operations to provision the device, certificate, IoT policy, IoT role alias, and also an IAM role with permissions.

I've found that temporary credentials, even those with fully admin access, may not work in certain contexts. Can you try provisioning with an IAM user's set of credentials and temporarily with the AdministratorAccess IAM policy (you can remove after Greengrass has successfully provisioned).

If you want to be more specific, you can create an minimal IAM policy from here. Those are needed permissions in the credentials provided to Greengrass to complete provisioning.

You might want to review the Greengrass v2 workshop let's begin section. It covers the same as the AWS documentation but might explain things in a different way.