No identity-based policy allows the ssm:SendCommand action

1

Hello there, I have a Lambda that is trying to move a file from S3 to a Windows EC2 instance. I am using ssm to do it. When I get granular with the perms I get the following error:

2022-04-19T20:32:15.502Z	5737b35c-6d81-471f-b29c-3fd23f1a5123	INFO	AccessDeniedException: User: arn:aws:sts::xxx:assumed-role/userxyz is not authorized to perform: ssm:SendCommand on resource: arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript because no identity-based policy allows the ssm:SendCommand action

If I attach the AmazonSSMFullAccess policy to the IAM Role, it works. Which other permission do I need to add so that I do not have to grant the very permissive managed policy?

Edit: Forgot to attach the policy

{
    "Effect": "Allow",
    "Action": "ssm:SendCommand",
    "Resource": [
        "arn:aws:ssm:*:xxx:document/*",
        "arn:aws:ec2:*:xxx:instance/*"
    ]
}
3 answers
1

What does your Lambda role's policy look like? As per https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html there is an ssm:SendCommand policy action that can be applied to * or to specific resources including document which is a required resource type. Are you missing this in your policy?

EXPERT
answered 2 years ago
  • duh! I thought I had posted the Policy as well. Updated the post to include it.

0

In addition to ssm:SendMessage you will also need to add another policy statement for ssmmessages

{
    "Effect": "Allow",
    "Action": [
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:CreateControlChannel"
    ],
    "Resource": "*"
}

The SSM Messages endpoint is used for API operations with Systems Manager.

AWS
ganesh
answered 2 years ago
  • I tried this too and it did not help. Get the following error:

    AccessDeniedException: User: arn:aws:sts::xxxx:assumed-role/abc/xyz is not authorized to perform: ssm:SendCommand on resource: arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript because no identity-based policy allows the ssm:SendCommand action
    
0

Turned out to be a silly mistake. I was adding the {AWS::AccountId} to the document resource. It did not need it.

Resource:
  - !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:document/AWS-RunPowerShellScript"

Should have been

Resource:
  - !Sub "arn:aws:ssm:${AWS::Region}::document/AWS-RunPowerShellScript"
answered 2 years ago
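The root cause in the accepted answer is the account field of the document ARN: AWS-owned documents such as AWS-RunPowerShellScript have an empty account ID, so a Resource pattern with the account filled in never matches. The following is an added example, not code from the thread or from AWS: a deliberately simplified IAM resource-ARN matcher that reproduces the denial for the statement in the question and accepts a scoped-down statement that replaces AmazonSSMFullAccess. Assumptions: wildcards are matched as `*` / `?` inside each of the six colon-separated ARN fields only (real IAM evaluation additionally applies Deny statements, Conditions, SCPs and resource policies), and the account ID 111122223333 and instance ID i-0abc123def4567890 are placeholders.

```python
"""Added example (not from the original thread): simplified IAM ARN matching
that shows why the question's policy does not authorise ssm:SendCommand on an
AWS-owned document, plus a builder for the least-privilege replacement.

Assumptions: '*' / '?' wildcards are matched per ARN field; IAM's Deny,
Condition, SCP and resource-policy evaluation is out of scope. The account ID
111122223333 and the instance ID i-0abc123def4567890 are placeholders.
"""
import re
from typing import Dict, List, Union

Statement = Dict[str, Union[str, List[str]]]


def _field_matches(pattern: str, value: str) -> bool:
    """Match one ARN field: '*' is any run of characters, '?' one character,
    everything else is literal. An empty pattern matches only an empty field,
    which is exactly the account-ID trap discussed in the thread."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def arn_matches(pattern: str, arn: str) -> bool:
    """Compare a request ARN with a policy Resource pattern field by field.
    ARNs have six fields, arn:partition:service:region:account:resource; the
    resource part may itself contain ':', so split at most five times."""
    p_fields = pattern.split(":", 5)
    a_fields = arn.split(":", 5)
    if len(p_fields) != 6 or len(a_fields) != 6:
        return False
    return all(_field_matches(p, a) for p, a in zip(p_fields, a_fields))


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def statement_allows(statement: Statement, action: str, resource: str) -> bool:
    """True if a single Allow statement covers this action on this resource.
    SendCommand is authorised per resource: the document ARN and every target
    instance ARN must each be allowed, so callers check them one at a time."""
    if statement.get("Effect") != "Allow":
        return False
    action_ok = any(_field_matches(a, action) for a in _as_list(statement["Action"]))
    resource_ok = any(arn_matches(r, resource) for r in _as_list(statement["Resource"]))
    return action_ok and resource_ok


# The resource named in the error message: an AWS-owned document, whose ARN
# has an empty account field.
DOCUMENT_ARN = "arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript"
# A customer-owned instance (placeholder IDs); this ARN does carry the account.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc123def4567890"

# The statement from the question, with "xxx" replaced by the placeholder account.
ORIGINAL_STATEMENT: Statement = {
    "Effect": "Allow",
    "Action": "ssm:SendCommand",
    "Resource": [
        "arn:aws:ssm:*:111122223333:document/*",
        "arn:aws:ec2:*:111122223333:instance/*",
    ],
}


def least_privilege_send_command(
    account_id: str,
    region: str,
    instance_ids: List[str],
    document: str = "AWS-RunPowerShellScript",
) -> Statement:
    """Build the scoped-down replacement for AmazonSSMFullAccess: one named
    AWS-owned document (empty account field) plus only the listed instances."""
    return {
        "Effect": "Allow",
        "Action": "ssm:SendCommand",
        "Resource": [f"arn:aws:ssm:{region}::document/{document}"]
        + [f"arn:aws:ec2:{region}:{account_id}:instance/{i}" for i in instance_ids],
    }


if __name__ == "__main__":
    fixed = least_privilege_send_command("111122223333", "us-east-1", ["i-0abc123def4567890"])
    for label, stmt in (("original", ORIGINAL_STATEMENT), ("fixed", fixed)):
        for arn in (DOCUMENT_ARN, INSTANCE_ARN):
            print(f"{label:8} {arn}: {statement_allows(stmt, 'ssm:SendCommand', arn)}")
```

Running the script shows the original statement allowing the instance ARN but denying the document ARN, which is the split the error message reports; the built statement allows both and nothing else. If the target fleet changes often, the instance list can be replaced with a tag-based Condition on the ssm:resourceTag/<key> condition key rather than widening the Resource back to `instance/*`.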
