3 Answers
1
What does your Lambda role's policy look like? As per https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html there is an ssm:SendCommand policy action that can be applied to * or to specific resources, including document, which is a required resource type. Are you missing this in your policy?
0
In addition to ssm:SendMessage you will also need to add another policy statement for ssmmessages:
{
    "Effect": "Allow",
    "Action": [
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:CreateControlChannel"
    ],
    "Resource": "*"
}
The SSM Messages endpoint is used for API operations with Systems Manager.
answered 2 years ago
I tried this too and it did not help. Get the following error:
AccessDeniedException: User: arn:aws:sts::xxxx:assumed-role/abc/xyz is not authorized to perform: ssm:SendCommand on resource: arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript because no identity-based policy allows the ssm:SendCommand action
0
Turned out to be a silly mistake. I was adding the {AWS::AccountId} to the document resource. It did not need it.
Resource:
  - !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:document/AWS-RunPowerShellScript"
Should have been
Resource:
  - !Sub "arn:aws:ssm:${AWS::Region}::document/AWS-RunPowerShellScript"
answered 2 years ago
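As an added example (not code from the original thread or from AWS), the following script shows why the fix in the last answer works and ties in the ssmmessages statement from the second answer. It is a deliberately simplified, offline IAM evaluator: it normalises string-or-list Action/Resource fields, matches them with IAM's * and ? wildcards, lets an explicit Deny win, and ignores Conditions, NotAction/NotResource, resource policies, SCPs and permission boundaries. The account ID 123456789012, the instance ID and the two policies are constructed placeholders. It demonstrates that a document ARN with the account ID filled in never matches the AWS-owned document ARN (empty account field) that the AccessDenied message names, while the instance resource matches either way.

```python
import fnmatch

REGION = "us-east-1"
ACCOUNT = "123456789012"          # constructed placeholder account ID
INSTANCE = "i-0123456789abcdef0"  # constructed placeholder instance ID
DOCUMENT = "AWS-RunPowerShellScript"


def ssm_document_arn(region, name, account_id=None):
    """Build an SSM document ARN.

    AWS-owned documents (names starting with 'AWS-') have an empty account
    field, exactly as the AccessDenied message in the thread shows. Documents
    you own carry your account ID.
    """
    account = "" if name.startswith("AWS-") else (account_id or "")
    return f"arn:aws:ssm:{region}:{account}:document/{name}"


def send_command_policy(document_arn, region=REGION, account_id=ACCOUNT):
    """Constructed Lambda execution policy: SendCommand on one document plus
    the target instances, and the ssmmessages channel actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ssm:SendCommand",
                "Resource": [
                    document_arn,
                    f"arn:aws:ec2:{region}:{account_id}:instance/*",
                ],
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ssmmessages:CreateControlChannel",
                    "ssmmessages:CreateDataChannel",
                    "ssmmessages:OpenControlChannel",
                    "ssmmessages:OpenDataChannel",
                ],
                "Resource": "*",
            },
        ],
    }


# The mistake from the thread: account ID inserted into an AWS-owned document ARN.
BROKEN_POLICY = send_command_policy(
    f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/{DOCUMENT}")
# The fix: empty account field for the AWS-owned document.
FIXED_POLICY = send_command_policy(ssm_document_arn(REGION, DOCUMENT, ACCOUNT))


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _match_action(pattern, action):
    # IAM action names are case-insensitive; patterns may use * and ?.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _match_resource(pattern, arn):
    # IAM resource patterns use * and ? only, and * spans ':' and '/' just as
    # fnmatch's does. ARNs never contain '[', so bracket syntax cannot misfire.
    return fnmatch.fnmatchcase(arn, pattern)


def policy_allows(policy, action, arn):
    """Simplified evaluation of one identity-based policy: an explicit Deny
    wins, otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_match_action(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_match_resource(p, arn) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_send_command(policy, region, account_id, document_name, instance_id):
    """Report whether the policy covers both resources that SendCommand is
    authorised against: the document and the target instance."""
    doc_arn = ssm_document_arn(region, document_name, account_id)
    inst_arn = f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"
    return {
        "document": policy_allows(policy, "ssm:SendCommand", doc_arn),
        "instance": policy_allows(policy, "ssm:SendCommand", inst_arn),
    }


if __name__ == "__main__":
    for label, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(label, check_send_command(policy, REGION, ACCOUNT, DOCUMENT, INSTANCE))
```

Running it prints `broken {'document': False, 'instance': True}` and `fixed {'document': True, 'instance': True}`, which is the same split the AccessDenied message describes: the instance resource was fine, the document resource was not. Against a live account, `aws iam simulate-principal-policy` gives the authoritative answer, including Conditions and boundaries this toy evaluator skips.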
duh! I thought I had posted the Policy as well. Updated the post to include it.