Access denied to SSM parameter, but policy in place?

0

I'm getting an error in my Lambda function, which calls SSM:

AccessDeniedException: User: arn:aws:sts::redacted:assumed-role/LambdaBackend_master_lambda/SpikeLambda is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-west-1:redacted:parameter/default/key/api

But, alas:

λ aws iam get-role --role-name LambdaBackend_master_lambda
{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "lambda.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "redacted",
        "CreateDate": "2017-06-23T20:49:37Z",
        "RoleName": "LambdaBackend_master_lambda",
        "Path": "/",
        "Arn": "arn:aws:iam::redacted:role/LambdaBackend_master_lambda"
    }
}
λ aws iam list-role-policies --role-name LambdaBackend_master_lambda
{
    "PolicyNames": [
        "ssm_read"
    ]
}
λ aws iam get-role-policy --role-name LambdaBackend_master_lambda --policy-name ssm_read
{
    "RoleName": "LambdaBackend_master_lambda",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "ssm:DescribeParameters"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "ssm:GetParameters"
                ],
                "Resource": "arn:aws:ssm:eu-west-1:redacted:parameter/*",
                "Effect": "Allow"
            }
        ]
    },
    "PolicyName": "ssm_read"
}

The policy simulator confirms that ssm_read should have access to that SSM parameter.

I must be doing something wrong?

asked 7 years ago, 11062 views
5 answers
0

The policy simulator is a good check for certain AWS APIs but it doesn't support all possible resource-level permissions. Testing with an IAM user is the only way to go.

That being said, it's possible the SSM service doesn't support a wildcard ARN as specified. For testing, what happens if you replace it with just "*" or a full parameter name (no wildcard value)?

answered 7 years ago
0

Did you manage to work through this? I have the same error. IAM role is set up correctly - this works from an EC2 instance running code, but not Lambda.

answered 6 years ago
0

It would appear that the GetParameters action is different from the GetParameter action.
I just had to create a whole different policy for my role, because the AWS managed policy AmazonEC2RoleforSSM only has GetParameters specified, when I feel it should also have the GetParameter action specified as well.

answered 6 years ago
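The point this answer makes, that IAM matches action names exactly (apart from case and explicit wildcards) so a grant of ssm:GetParameters says nothing about ssm:GetParameter, is easy to check offline with a small policy evaluator. The following is an added example, not code from the question, any of the answers, or AWS: it models only Effect, Action and Resource with IAM's "explicit Deny wins" rule (no NotAction, NotResource, Condition, resource policies or permission boundaries), the account ID 123456789012 is a placeholder for the redacted one, and the function names evaluate and allowed_actions_in_service are this example's own.

```python
import re

# Resource ARN from the AccessDeniedException in the question; the account ID
# is redacted there, so 123456789012 is a constructed placeholder.
ACCOUNT = "123456789012"
PARAM_ARN = f"arn:aws:ssm:eu-west-1:{ACCOUNT}:parameter/default/key/api"

# The inline policy "ssm_read" as posted in the question (account ID substituted).
SSM_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["ssm:DescribeParameters"], "Resource": "*", "Effect": "Allow"},
        {
            "Action": ["ssm:GetParameters"],
            "Resource": f"arn:aws:ssm:eu-west-1:{ACCOUNT}:parameter/*",
            "Effect": "Allow",
        },
    ],
}

# The same policy with the action the Lambda actually calls (ssm:GetParameter)
# added alongside GetParameters and GetParametersByPath, as the answers suggest.
SSM_READ_POLICY_FIXED = {
    "Version": "2012-10-17",
    "Statement": SSM_READ_POLICY["Statement"][:1]
    + [
        {
            "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
            "Resource": f"arn:aws:ssm:eu-west-1:{ACCOUNT}:parameter/*",
            "Effect": "Allow",
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, case_sensitive=True):
    """IAM-style wildcard match: '*' spans any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request against one identity policy.

    Only Effect/Action/Resource are modelled (no NotAction, NotResource or Condition);
    an explicit Deny beats any Allow. Action names compare case-insensitively,
    resource ARNs literally, so an ARN pattern with an empty account field does
    not match an ARN that carries one.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(_glob_match(p, action, case_sensitive=False) for p in actions):
            continue  # GetParameters does not match GetParameter: no prefix semantics
        if not any(_glob_match(p, resource) for p in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def allowed_actions_in_service(policy, service):
    """List the Allow action patterns for one service prefix, to spot near-misses
    such as GetParameters (granted) next to GetParameter (requested)."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            if pattern == "*" or pattern.lower().startswith(service.lower() + ":"):
                found.add(pattern)
    return sorted(found)


if __name__ == "__main__":
    for name, pol in (("ssm_read", SSM_READ_POLICY), ("ssm_read fixed", SSM_READ_POLICY_FIXED)):
        for act in ("ssm:GetParameter", "ssm:GetParameters"):
            print(f"{name:15} {act:18} -> {evaluate(pol, act, PARAM_ARN)}")
        print(f"{name:15} allows: {allowed_actions_in_service(pol, 'ssm')}")
```

Running it shows ssm_read returning ImplicitDeny for ssm:GetParameter and Allow for ssm:GetParameters on the very ARN from the error message, which is exactly the situation the question describes; the fixed policy allows both. Because the evaluator compares the account field of the resource ARN literally, a pattern such as arn:aws:ssm:eu-west-1::parameter/* also fails to match, in line with the answer below about needing the account ID in the ARN. For real decisions use IAM itself (for example a test invocation under the role); this script is only for reasoning about why a written policy cannot be the one that granted access.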
0

For me, the case was that, for some reason, I needed the account ID specified in my ARN on ssm:GetParameter but not on ssm:PutParameter.

Adding the account ID to the arn in my allow policy sorted it out.

answered 6 years ago
0

Add both and check. This worked for me. I also read that some people have added GetParameter and GetParameters.

ssm:GetParametersByPath
ssm:GetParameter

Partha
answered 2 years ago
