No identity-based policy allows the ssm:SendCommand action

1

Hello there, I have a Lambda that is trying to move a file from S3 to a Windows EC2 instance. I am using ssm to do it. When I get granular with the perms I get the following error:

2022-04-19T20:32:15.502Z	5737b35c-6d81-471f-b29c-3fd23f1a5123	INFO	AccessDeniedException: User: arn:aws:sts::xxx:assumed-role/userxyz is not authorized to perform: ssm:SendCommand on resource: arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript because no identity-based policy allows the ssm:SendCommand action

If I attach the AmazonSSMFullAccess policy to the IAM Role, it works. Which other perm do I need to add so that I do not have to grant the very permissive managed policy?

Edit: Forgot to attach the policy

{
    "Effect": "Allow",
    "Action": "ssm:SendCommand",
    "Resource": [
        "arn:aws:ssm:*:xxx:document/*",
        "arn:aws:ec2:*:xxx:instance/*"
    ]
}
3 Answers
1

What does your Lambda role's policy look like? As per https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html there is an ssm:SendCommand policy action that can be applied to * or to specific resources including document which is a required resource type. Are you missing this in your policy?

EXPERT
answered 2 years ago
  • duh! I thought I had posted the Policy as well. Updated the post to include it.

0

In addition to ssm:SendMessage you will also need to add another policy statement for ssmmessages.

{
    "Effect": "Allow",
    "Action": [
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:CreateControlChannel"
    ],
    "Resource": "*"
}

The SSM Messages endpoint is used for API operations with Systems Manager.

AWS
ganesh
answered 2 years ago
  • I tried this too and it did not help. Get the following error:

    AccessDeniedException: User: arn:aws:sts::xxxx:assumed-role/abc/xyz is not authorized to perform: ssm:SendCommand on resource: arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript because no identity-based policy allows the ssm:SendCommand action
    
0

Turned out to be a silly mistake. I was adding the {AWS::AccountId} to the document resource. It did not need it.

Resource:
  - !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:document/AWS-RunPowerShellScript"

Should have been

Resource:
  - !Sub "arn:aws:ssm:${AWS::Region}::document/AWS-RunPowerShellScript"
answered 2 years ago
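To show why the original statement never matched the document ARN in the error message while the corrected one does, here is an added example (not from the thread or from AWS) that applies IAM-style wildcard matching to the resource patterns quoted above. It assumes "xxx" stands in for the account ID as in the post, and compares ARNs case-sensitively.

```python
import re
from typing import Iterable

# Document ARN taken from the AccessDeniedException in the thread. The account
# field is empty because AWS-RunPowerShellScript is an AWS-owned document.
DENIED_RESOURCE = "arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript"

# Resource patterns from the original, non-working statement ("xxx" = account ID).
ORIGINAL_RESOURCES = [
    "arn:aws:ssm:*:xxx:document/*",
    "arn:aws:ec2:*:xxx:instance/*",
]

# Same statement with the document ARN fixed as in the final answer.
CORRECTED_RESOURCES = [
    "arn:aws:ssm:*::document/AWS-RunPowerShellScript",
    "arn:aws:ec2:*:xxx:instance/*",
]


def arn_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an IAM Resource pattern to a regex: '*' matches any run of
    characters (including ':' and '/'), '?' one character, all else literal."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def matching_patterns(resource: str, patterns: Iterable[str]) -> list[str]:
    """Return the patterns in a statement that cover the given resource ARN."""
    return [p for p in patterns if arn_pattern_to_regex(p).match(resource)]


def explain_mismatch(resource: str, pattern: str) -> str:
    """Diagnostic only: compare the ARN field by field and name the first
    field that fails, to pinpoint the account-ID mistake from the thread."""
    names = ["partition", "service", "region", "account", "resource"]
    r_fields = resource.split(":", 5)[1:]   # drop the leading 'arn'
    p_fields = pattern.split(":", 5)[1:]
    for name, r, p in zip(names, r_fields, p_fields):
        if not arn_pattern_to_regex(p).match(r):
            return f"{name}: pattern {p!r} does not match {r!r}"
    return "match"


if __name__ == "__main__":
    for label, patterns in (("original", ORIGINAL_RESOURCES), ("corrected", CORRECTED_RESOURCES)):
        print(label, "->", matching_patterns(DENIED_RESOURCE, patterns) or "no match")
        print("   ", explain_mismatch(DENIED_RESOURCE, patterns[0]))
```

The same check applies to any AWS-owned SSM document: an empty account field in the resource ARN will never match a pattern that puts an account ID there, even when the region and document name are wildcarded.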
