While running IDT for my custom gateway device, I got the following error for StreamManager component testcase:

com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: XXXXXXXXXXXXXXX S3 Extended Request ID: XXXXXXXXXXXXXXX=; Proxy: null). {scriptName=services.aws.greengrass.StreamManager.lifecycle.startup.script, serviceName=aws.greengrass.StreamManager, currentState=RUNNING} 

IDT script is creating the roles and s3 buckets on the fly. So its not east to debug via aws console. So I checked cloudtrail. But it seems data events (s3 upload) is not logged in cloudtrail. How can I investigate further without enabling data logging in cloudtrail (I do not have administrator access)?

CodePudding user response：

You might see this error when an over-the-air (OTA) update fails. In the signer role policy, add the target AWS Region as a Resource. This signer role is used to presign the S3 URL for the AWS IoT Greengrass software update. For more information, see S3 URL signer role.

Ref: https://docs.aws.amazon.com/greengrass/v1/developerguide/security_iam_troubleshoot.html#troubleshoot-ota-region-access

CodePudding user response：

Even though the user had all the adequate permissions, streammanager test case was failing with "Access Denied" error. I ran IDT again after copying the aws credentials files to the device under test. Then all the test cases passed. I am assuming that the java code in streammanager test case was not able to get the credentials from env variables.