1 Answer
Hello.
The ARN of "Resource" may be incorrect.
If you look at the document below, the ARN includes "${Account}".
Also, "ssm:DescribeParameters" cannot restrict resource sections.
https://docs.aws.amazon.com/ja_jp/service-authorization/latest/reference/list_awssystemsmanager.html#awssystemsmanager-parameter
arn:${Partition}:ssm:${Region}:${Account}:parameter/${ParameterNameWithoutLeadingSlash}
So why not include your AWS account ID as shown below?
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:PutParameter",
        "ssm:DeleteParameter",
        "ssm:DeleteParameters",
        "ssm:GetParameter",
        "ssm:GetParameterHistory",
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Resource": "arn:aws:ssm:us-east-2:AWS-Account-ID:parameter/*"
    },
    {
      "Effect": "Allow",
      "Action": "ssm:DescribeParameters",
      "Resource": "*"
    }
  ]
}
```
That seems to have worked, although I now have another issue. Thank you for your assistance with this!
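
An offline check for the two problems the answer above points out (a parameter ARN whose `${Account}` field is not filled in, and `ssm:DescribeParameters` scoped to anything other than `*`), added here as an example and not code from the answer or from AWS. The function name `lint_ssm_policy`, both sample policies and the account ID `111122223333` are constructed, and the "before" policy assumes the original ARN left the account field empty.

```python
import re

# ARN format quoted in the answer:
# arn:${Partition}:ssm:${Region}:${Account}:parameter/${ParameterNameWithoutLeadingSlash}
ACCOUNT_RE = re.compile(r"^(\d{12}|\*)$")   # assumption: 12 digits or a bare wildcard
LIST_ONLY = {"ssm:describeparameters"}      # cannot be restricted to a resource


def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def lint_ssm_policy(policy):
    """Return (statement_index, message) findings for SSM parameter statements."""
    findings = []
    statements = policy["Statement"]
    if isinstance(statements, dict):        # a lone statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        resources = as_list(stmt.get("Resource", []))
        if actions & LIST_ONLY and resources != ["*"]:
            findings.append((i, 'ssm:DescribeParameters needs "Resource": "*"'))
        for arn in resources:
            parts = arn.split(":", 5)       # arn, partition, service, region, account, rest
            if len(parts) != 6 or parts[2] != "ssm":
                continue                    # "*" or another service's ARN
            if parts[5].startswith("parameter/") and not ACCOUNT_RE.match(parts[4]):
                findings.append((i, f"account field {parts[4]!r} in {arn}"))
    return findings


# Constructed "before": empty account field, DescribeParameters scoped to an ARN.
BEFORE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ssm:GetParameter", "ssm:PutParameter", "ssm:DescribeParameters"],
    "Resource": "arn:aws:ssm:us-east-2::parameter/*"}]}

# Shape of the answer's policy, with a constructed account ID filled in.
AFTER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:GetParameter", "ssm:PutParameter"],
     "Resource": "arn:aws:ssm:us-east-2:111122223333:parameter/*"},
    {"Effect": "Allow", "Action": "ssm:DescribeParameters", "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in (("before", BEFORE), ("after", AFTER)):
        print(name, lint_ssm_policy(pol))
```

Run against the policy exactly as posted, the check also reports the literal `AWS-Account-ID` placeholder, which has to be replaced with the real 12-digit account ID before the policy is attached.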