PutParameter Permission Error

0

Hi,

I'm trying to run this command in PowerShell in my Microsoft EC2 instance: aws ssm put-parameter --name "WindowsAgentConfig" --type "String" --value file://C:\ProgramData\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent.json --overwrite --tier Intelligent-Tiering

However I'm getting the following error: An error occurred (AccessDeniedException) when calling the PutParameter operation: User: arn:aws:sts::480607316411:assumed-role/CloudWatchAgentAdminRole/i-071eb9d7a32d10801 is not authorized to perform: ssm:PutParameter on resource: arn:aws:ssm:us-east-1:480607316411:parameter/WindowsAgentConfig because no identity-based policy allows the ssm:PutParameter action

I checked my IAM Role for permissions and I see this: This policy is attached to the role I'm using

For that same role I also use the following policies:

  • CloudWatchAgentServerPolicy
  • AmazonSSMManagedInstanceCore

Is there something obvious I'm doing wrong here? Any help will be very appreciated.

Adrian.

1 Answer
0

Hi, could be the resource. It’s complaining about “arn:aws:ssm:us-east-1:480607316411:parameter/WindowsAgentConfig” but your expression is “arn:aws:ssm:us-east-1:480607316411:parameter/Amazon-Cloudwatch..”

Can you try with “arn:aws:ssm:us-east-1:480607316411:parameter/*” as test?

EXPERT
answered a year ago
EXPERT
verified a year ago
  • Sorry, I'm quite inexperienced with this and I'm not sure I follow. I tried the following:

    aws ssm put-parameter --name "*" --type "String" --value file://C:\ProgramData\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent.json --overwrite --tier Intelligent-Tiering

    But got a similar response: An error occurred (AccessDeniedException) when calling the PutParameter operation: User: arn:aws:sts::480607316411:assumed-role/CloudWatchAgentAdminRole/i-071eb9d7a32d10801 is not authorized to perform: ssm:PutParameter on resource: arn:aws:ssm:us-east-1:480607316411:parameter/* because no identity-based policy allows the ssm:PutParameter action

    I'm sure I'm not doing what you suggested the right way

  • What @alatech suggested is replacing the "Resource": "arn:aws:ssm:::parameter/AmazonCloudWatch-*" in your policy with "Resource": "arn:aws:ssm:::parameter/*". Currently it won't match your "WindowsAgentConfig" parameter so you effectively have no Allow statements for your specific PutParameter call.
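
The resource mismatch described in the answer and comments above, as an added example that is not part of the original thread: a simplified evaluator for identity-based policy statements (Effect, Action and Resource only; no conditions or NotAction). The policies are constructed for illustration, and the region and account fields of the current policy's Resource are assumed to be wildcards.

```python
import re

def wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style match: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def as_list(x):
    return x if isinstance(x, list) else [x]

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Allow only if some Allow statement matches and no Deny statement does."""
    allowed = False
    for stmt in as_list(policy["Statement"]):
        # Action names are case-insensitive; resource ARNs are case-sensitive.
        action_hit = any(wildcard_match(a.lower(), action.lower())
                         for a in as_list(stmt["Action"]))
        resource_hit = any(wildcard_match(r, resource)
                           for r in as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False          # explicit deny always wins
            allowed = True
    return allowed                    # no matching Allow = implicit deny

def policy_for(resource: str) -> dict:
    """Constructed single-statement policy; only Resource varies."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": ["ssm:GetParameter", "ssm:PutParameter"],
                           "Resource": resource}]}

PREFIX = "arn:aws:ssm:us-east-1:480607316411:parameter/"  # from the error message
REQUESTED = PREFIX + "WindowsAgentConfig"
# Assumption: region and account fields written as wildcards.
CURRENT = policy_for("arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*")
BROAD = policy_for("arn:aws:ssm:*:*:parameter/*")   # the suggested test
SCOPED = policy_for(REQUESTED)                       # least-privilege alternative

if __name__ == "__main__":
    for name, pol in [("current", CURRENT), ("broad", BROAD), ("scoped", SCOPED)]:
        print(name, is_allowed(pol, "ssm:PutParameter", REQUESTED))
    # Renaming the parameter also satisfies the current policy unchanged.
    renamed = PREFIX + "AmazonCloudWatch-WindowsAgentConfig"
    print("renamed", is_allowed(CURRENT, "ssm:PutParameter", renamed))
```

The `parameter/*` resource is useful for confirming the diagnosis, but it also grants write access to every other parameter; naming the one parameter in the policy, or renaming the parameter to fit the existing prefix, keeps the role narrow.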
