Integration problem AWS-TTN after updating stack template

Hi,
I update my AWS IoT integration with TTN in the CloudFormation service following the steps in Update | The Things Stack for LoRaWAN (thethingsindustries.com) to update the template to the last version. The update went well and all resources were updated, but after that TTN started throwing an error when sending Uplink messages to AWS, it says:

data": {
    "@type": "type.googleapis.com/ttn.lorawan.v3.ErrorDetails",
    "namespace": "pkg/applicationserver/io/packages/awsiot",
    "name": "describe_endpoint",
    "message_format": "describe endpoint: {message}",
    "attributes": {
      "message": "User: arn:aws:sts::678672909819:assumed-role/nam1-routing-services-ApplicationServerTaskRole-DIE6LO93JOOW/5868f8a1b00a4930ba62e9312a82a942 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::342307600488:role/SWM-TTN-App-TheThingsStackRoleCD9FBAD2-UVZMC3EEQ7B4"
    },

In this error I noticed that this role:

arn:aws:iam::342307600488:role/SWM-TTN-App-TheThingsStackRoleCD9FBAD2-UVZMC3EEQ7B4

was the new one created with the updated, but it seems like TTN was trying to connect to AWS with the old role which it had before making the update. I even verify in the AWS IoT Integrgation in TTN that the role configurated was the new one, but it continued throwing the same error.

Solution: I had to allow the permission “sts:AssumeRole” for the old role in the “Trusted entitties” of the new role:

 {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::678672909819:role/nam1-routing-services-ApplicationServerTaskRole-DIE6LO93JOOW"
            },
            "Action": "sts:AssumeRole"
        }

And this solved the problem, but I don’t know why the integration is not being updated in TTN, has anyone had this problem. I would like to understand what happened there.

1 Like

Triple posting is not helpful.

Please format JSON, code & debug output using the </>

1 Like