fxgsell / GG-Edge-Inference

Using AWS Greengrass with the Nvidia Jetson TX2 to run ML models prepared with Amazon SageMaker.
MIT License

Executing create-greengrass-config.py from Cloud9 environment is failing to sign the required URLs #1

Closed shirkeyaws closed 6 years ago

shirkeyaws commented 6 years ago

ec2-user:~/environment/GG-Edge-Inference/1-greengrass-configuration (master) $ python3 create-greengrass-config.py --create-group ml-edge-workshop --bucket ml-edge-workshop-lab-1 --function ml-edge-workshop-lab-1
Creating IAM role for Greengrass
Traceback (most recent call last):
  File "create-greengrass-config.py", line 294, in <module>
    state = create_group(args.group_name, args.bucket)
  File "create-greengrass-config.py", line 182, in create_group
    role, role_policy = create_gg_role(bucket, certificate['certificateArn'][-10:])
  File "create-greengrass-config.py", line 125, in create_gg_role
    AssumeRolePolicyDocument=json.dumps(assume_role_document)
  File "/opt/c9/python3/local/lib/python3.6/dist-packages/botocore/client.py", line 314, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/opt/c9/python3/local/lib/python3.6/dist-packages/botocore/client.py", line 612, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidClientTokenId) when calling the CreateRole operation: The security token included in the request is invalid

shirkeyaws commented 6 years ago

Root Cause: Cloud9 is generating (and regenerating) a set of credentials for the ec2-user in ~/.aws/credentials, preventing the EC2 instance from inheriting permissions from the IAM role assigned to the instance itself.

ec2-user:~/environment/GG-Edge-Inference/1-greengrass-configuration (master) $ aws iam create-role --role-name ml-edge-workshop-inference --assume-role-policy-document file://policy_ml-edge-workshop-inference.json --debug --output json 2>&1 | grep credentials
2018-06-09 05:21:06,136 - MainThread - botocore.session - DEBUG - Loading variable credentials_file from defaults.
2018-06-09 05:21:06,162 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2018-06-09 05:21:06,162 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2018-06-09 05:21:06,163 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2018-06-09 05:21:06,163 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
ec2-user:~/environment/GG-Edge-Inference/1-greengrass-configuration (master) $ cat /home/ec2-user/.aws/credentials
# Do not modify this file, if this file is modified it will not be updated. If the file is deleted, it will be recreated on Sat Jun 09 2018 05:25:50 GMT+0000 (UTC).
# 0dc64730640e2017a6bb57a97ff5c75f1096082cabddc2af484fe322b7cfed14 #

[default]
aws_access_key_id=ASIAI7B5G7CY4SWHTOEA
aws_secret_access_key=bNdpSuSfaoBwWX96DWlKg0fGyRMWr3lT13f4QSLo
aws_session_token=[...]
region=us-east-1
ec2-user:~/environment/GG-Edge-Inference/1-greengrass-configuration (master) $ sudo rm /home/ec2-user/.aws/credentials
ec2-user:~/environment/GG-Edge-Inference/1-greengrass-configuration (master) $ cat /home/ec2-user/.aws/credentials
# Do not modify this file, if this file is modified it will not be updated. If the file is deleted, it will be recreated on Sat Jun 09 2018 05:26:40 GMT+0000 (UTC).
# d7b41e3e02e8f2b5f7d26700886e297e7cb983d6df359bdbd2084b71ec13dd0c #

[default]
aws_access_key_id=ASIAJUH2WARA3BTJL6IA
aws_secret_access_key=VgutbB66AMfy/BdSjWcoMZ5W3UouCXYCwfb1/CL0
aws_session_token=[...]

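
A way to confirm the root cause described in the comment above, added here as an example and not part of the original thread: it reads botocore `--debug` output to see which provider supplied credentials and whether the instance-role provider (`iam-role` in botocore) was ever reached, then inspects the shared credentials file. The function names and the placeholder credentials file are constructed for illustration.

```python
import configparser
import re

# botocore debug lines copied from the thread above.
DEBUG_LOG = """\
2018-06-09 05:21:06,162 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2018-06-09 05:21:06,162 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2018-06-09 05:21:06,163 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2018-06-09 05:21:06,163 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
"""

# Constructed file in the layout shown above; every value is a placeholder.
CREDENTIALS_FILE = """\
# Do not modify this file, if this file is modified it will not be updated. If the file is deleted, it will be recreated on <date>.
[default]
aws_access_key_id=ASIAEXAMPLEEXAMPLE00
aws_secret_access_key=PLACEHOLDER
aws_session_token=PLACEHOLDER
region=us-east-1
"""

def resolve_chain(debug_log):
    """Return (providers tried, in order; the line naming the source that won)."""
    tried = re.findall(r"Looking for credentials via: (\S+)", debug_log)
    found = re.search(r"INFO - (Found credentials in .+)", debug_log)
    return tried, found.group(1) if found else None

def instance_role_shadowed(debug_log):
    """True when a credentials file answered before 'iam-role' was consulted."""
    tried, found = resolve_chain(debug_log)
    return bool(found) and "shared credentials file" in found and "iam-role" not in tried

def inspect_profile(text, profile="default"):
    """Describe the profile that takes precedence over the instance role."""
    cfg = configparser.ConfigParser(interpolation=None)  # tokens may hold any chars
    cfg.read_string(text)
    if not cfg.has_section(profile):
        return {"present": False}
    sec = cfg[profile]
    return {
        "present": True,
        # ASIA-prefixed key IDs are temporary STS credentials paired with a token.
        "temporary": sec.get("aws_access_key_id", "").startswith("ASIA")
        and "aws_session_token" in sec,
        # Header wording Cloud9 writes into the file, as quoted in the thread.
        "regenerated": "it will be recreated" in text,
    }

if __name__ == "__main__":
    print(resolve_chain(DEBUG_LOG))
    print("instance role shadowed:", instance_role_shadowed(DEBUG_LOG))
    print(inspect_profile(CREDENTIALS_FILE))
```
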
shirkeyaws commented 6 years ago

Workaround 1: Run the same commands as root, which will inherit the IAM role for the EC2 instance.

ec2-user:~/environment/GG-Edge-Inference/1-greengrass-configuration (master) $ sudo -i
[root@ip-172-31-36-250 ~]# cd /home/ec2-user/environment/GG-Edge-Inference/1-greengrass-configuration/
[root@ip-172-31-36-250 1-greengrass-configuration]# export PATH=/opt/c9/python3/bin:$PATH
[root@ip-172-31-36-250 1-greengrass-configuration]# which python3
/opt/c9/python3/bin/python3
[root@ip-172-31-36-250 1-greengrass-configuration]# aws configure
AWS Access Key ID [None]: 
AWS Secret Access Key [None]: 
Default region name [None]: us-east-1
Default output format [None]: 
[root@ip-172-31-36-250 1-greengrass-configuration]# python3 create-greengrass-config.py --create-group ml-edge-workshop --bucket ml-edge-workshop-lab-1 --function ml-edge-workshop-lab-1
Creating IAM role for Greengrass
Generating configuration package
Configuration and certificates generated: certificates.zip
Resources created, install the package on your device.
[root@ip-172-31-36-250 1-greengrass-configuration]#

shirkeyaws commented 6 years ago

Workaround 2: Within Cloud9 Settings (accessed via the gear icon on the upper right), under the AWS Settings section, turn off the AWS Managed Temporary Credentials, then run the same commands.
