The policy simulator is a good check for certain AWS APIs but it doesn't support all possible resource-level permissions. Testing with an IAM user is the only way to go.
That being said, it's possible the SSM service doesn't support a wildcard ARN as specified. For testing, what happens if you replace it with just "*" or a full parameter name (no wildcard value)?
Did you manage to work through this? I have the same error. IAM role is set up correctly - this works from an EC2 instance running code, but not Lambda.
It would appear that the GetParameters action is different from the GetParameter action.
I just had to create a whole different policy for my role, because the AWS managed policy, AmazonEC2RoleforSSM, only has GetParameters specified, when I feel it should also have the GetParameter action specified, as well.
For me the case was, for some reason, I needed the Account ID specified in my ARN on the ssm:GetParameter but not the ssm:PutParameter.
Adding the account ID to the ARN in my allow policy sorted it out.
Add both and check. This worked for me. I also read that some people have added GetParameter and GetParameters: ssm:GetParametersByPath, ssm:GetParameter
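Added example, not part of any reply in this thread: a small static check for the two pitfalls reported above, a policy that allows ssm:GetParameters but not ssm:GetParameter, and a parameter ARN with no account ID. The function names, the sample policies, the /app/* parameter path and the placeholder account 111122223333 are assumptions; the check reads only Allow statements and ignores Deny, NotAction, conditions and permission boundaries.

```python
import fnmatch
import re

# arn:<partition>:ssm:<region>:<account-id>:parameter/<name>
SSM_PARAM_ARN = re.compile(r"^arn:[^:]*:ssm:[^:]*:([^:]*):parameter/.+$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def grants(patterns, action):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def lint_ssm_policy(policy, needed_actions):
    """Return findings for an identity policy that should allow needed_actions."""
    findings, granted = [], set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = as_list(stmt.get("Action", []))
        hits = {a for a in needed_actions if grants(patterns, a)}
        if not hits:
            continue
        granted |= hits
        for res in as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append("Resource '*' covers every parameter in the account")
                continue
            m = SSM_PARAM_ARN.match(res)
            if not m:
                findings.append(f"not an SSM parameter ARN: {res}")
            elif not re.fullmatch(r"\d{12}", m.group(1)):
                findings.append(f"ARN has no 12-digit account ID: {res}")
    for action in sorted(set(needed_actions) - granted):
        findings.append(f"no Allow statement grants {action}")
    return findings

NEEDED = ["ssm:GetParameter", "ssm:GetParameters"]
# Constructed sample: only the plural action, and the account ID field is empty.
BROKEN = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ssm:GetParameters",
    "Resource": "arn:aws:ssm:us-east-1::parameter/app/*"}]}
# Constructed sample: both actions, account ID present (placeholder value).
FIXED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ssm:GetParameter", "ssm:GetParameters"],
    "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/app/*"}]}

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_ssm_policy(doc, NEEDED))
```

A clean result here only means the policy text avoids these two mistakes; testing with the actual role, as suggested in the first reply, is still the real check.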