PutParameter Permission Error

0

Hi,

I'm trying to run this command in PowerShell in my Microsoft EC2 instance:

    aws ssm put-parameter --name "WindowsAgentConfig" --type "String" --value file://C:\ProgramData\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent.json --overwrite --tier Intelligent-Tiering

However I'm getting the following error: An error occurred (AccessDeniedException) when calling the PutParameter operation: User: arn:aws:sts::480607316411:assumed-role/CloudWatchAgentAdminRole/i-071eb9d7a32d10801 is not authorized to perform: ssm:PutParameter on resource: arn:aws:ssm:us-east-1:480607316411:parameter/WindowsAgentConfig because no identity-based policy allows the ssm:PutParameter action

I checked my IAM Role for permissions and I see this: This policy is attached to the role I'm using

For that same role I also use the following policies:

  • CloudWatchAgentServerPolicy
  • AmazonSSMManagedInstanceCore

Is there something obvious I'm doing wrong here? Any help will be very appreciated.

Adrian.

1 Answer
0

Hi, could be the resource. It’s complaining about “arn:aws:ssm:us-east-1:480607316411:parameter/WindowsAgentConfig” but your expression is “arn:aws:ssm:us-east-1:480607316411:parameter/Amazon-Cloudwatch..”

Can you try with “arn:aws:ssm:us-east-1:480607316411:parameter/*” as test?

EXPERT
answered a year ago
EXPERT
reviewed a year ago
  • Sorry, I'm quite inexperienced with this and I'm not sure I follow. I tried the following:

    aws ssm put-parameter --name "*" --type "String" --value file://C:\ProgramData\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent.json --overwrite --tier Intelligent-Tiering

    But got a similar response: An error occurred (AccessDeniedException) when calling the PutParameter operation: User: arn:aws:sts::480607316411:assumed-role/CloudWatchAgentAdminRole/i-071eb9d7a32d10801 is not authorized to perform: ssm:PutParameter on resource: arn:aws:ssm:us-east-1:480607316411:parameter/* because no identity-based policy allows the ssm:PutParameter action

    I'm sure I'm not doing what you suggested the right way

  • What @alatech suggested is replacing the "Resource": "arn:aws:ssm:::parameter/AmazonCloudWatch-*" in your policy with "Resource": "arn:aws:ssm:::parameter/*". Currently it won't match your "WindowsAgentConfig" parameter so you effectively have no Allow statements for your specific PutParameter call.
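
The mismatch discussed in this thread, as an added example that is not part of the original posts or of AWS's own code: a simplified model of identity-policy evaluation (wildcard matching on Action and Resource only; no conditions, boundaries or SCPs) run against the ARN from the error message. The policy statement is constructed, with region and account wildcarded as an assumption, and the name `AmazonCloudWatch-WindowsAgentConfig` is a hypothetical rename that stays inside the existing prefix instead of widening the policy to `parameter/*`.

```python
import re

def iam_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def as_list(x):
    return x if isinstance(x, list) else [x]

def evaluate(statements, action, resource):
    """Explicit Deny wins, then any Allow, otherwise implicit deny."""
    decision = "implicit deny"
    for s in statements:
        # Action names are case-insensitive; resource ARNs are matched case-sensitively.
        if not any(iam_match(a, action, ignore_case=True) for a in as_list(s["Action"])):
            continue
        if not any(iam_match(r, resource) for r in as_list(s["Resource"])):
            continue
        if s["Effect"] == "Deny":
            return "explicit deny"
        decision = "allow"
    return decision

# Constructed statement modelled on the Resource pattern quoted in the thread
# (assumption: region and account are wildcards).
POLICY = [{"Effect": "Allow",
           "Action": ["ssm:GetParameter", "ssm:PutParameter"],
           "Resource": "arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*"}]
# Region and account taken from the error message in the question.
ARN_PREFIX = "arn:aws:ssm:us-east-1:480607316411:parameter/"

def check(name, statements=POLICY):
    """Decision for ssm:PutParameter on the parameter called `name`."""
    return evaluate(statements, "ssm:PutParameter", ARN_PREFIX + name)

if __name__ == "__main__":
    # "AmazonCloudWatch-WindowsAgentConfig" is a hypothetical name, not from the thread.
    for name in ("WindowsAgentConfig", "AmazonCloudWatch-WindowsAgentConfig"):
        print(f"{name}: {check(name)}")
    widened = [dict(POLICY[0], Resource="arn:aws:ssm:*:*:parameter/*")]
    print(f"WindowsAgentConfig with parameter/*: {check('WindowsAgentConfig', widened)}")
```

The "implicit deny" result corresponds to the "no identity-based policy allows the ssm:PutParameter action" wording in the error.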
