Access denied to SSM parameter, but policy in place?

0

I'm getting an error in my Lambda function, which calls SSM:

AccessDeniedException: User: arn:aws:sts::redacted:assumed-role/LambdaBackend_master_lambda/SpikeLambda is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-west-1:redacted:parameter/default/key/api

But, alas:

λ aws iam get-role --role-name LambdaBackend_master_lambda
{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "lambda.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "redacted",
        "CreateDate": "2017-06-23T20:49:37Z",
        "RoleName": "LambdaBackend_master_lambda",
        "Path": "/",
        "Arn": "arn:aws:iam::redacted:role/LambdaBackend_master_lambda"
    }
}
λ aws iam list-role-policies --role-name LambdaBackend_master_lambda
{
    "PolicyNames": [
        "ssm_read"
    ]
}
λ aws iam get-role-policy --role-name LambdaBackend_master_lambda --policy-name ssm_read
{
    "RoleName": "LambdaBackend_master_lambda",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "ssm:DescribeParameters"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "ssm:GetParameters"
                ],
                "Resource": "arn:aws:ssm:eu-west-1:redacted:parameter/*",
                "Effect": "Allow"
            }
        ]
    },
    "PolicyName": "ssm_read"
}

The policy simulator confirms that ssm_read should have access to that SSM parameter.

I must be doing something wrong?

asked 7 years ago · 10640 views
5 Answers
0

The policy simulator is a good check for certain AWS APIs but it doesn't support all possible resource-level permissions. Testing with an IAM user is the only way to go.

That being said, it's possible the SSM service doesn't support a wildcard ARN as specified. For testing, what happens if you replace it with just "*" or a full parameter name (no wildcard value)?

answered 7 years ago
0

Did you manage to work through this? I have the same error. IAM role is set up correctly - this works from an EC2 instance running code, but not Lambda.

answered 6 years ago
0

It would appear that the GetParameters action is different from the GetParameter action.
I just had to create a whole different policy for my role, because the AWS managed policy AmazonEC2RoleforSSM only has GetParameters specified, when I feel it should also have the GetParameter action specified as well.

answered 6 years ago
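To make the point of this answer concrete, here is an added example (not code from any of the posters or from AWS) that runs a minimal IAM-style evaluation of the question's own inline policy against the denied request. It implements only the parts of the evaluation logic that matter here (action and resource wildcard matching, explicit deny over allow, implicit deny otherwise); conditions, principals and policy boundaries are deliberately left out. The "fixed" policy document is constructed for the example by appending the singular ssm:GetParameter action.

```python
import copy
import re

# Constructed: the "ssm_read" inline policy exactly as shown in the question.
SSM_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["ssm:DescribeParameters"], "Resource": "*", "Effect": "Allow"},
        {
            "Action": ["ssm:GetParameters"],
            "Resource": "arn:aws:ssm:eu-west-1:redacted:parameter/*",
            "Effect": "Allow",
        },
    ],
}

# Constructed fix: the same policy with the singular GetParameter action added
# to the statement that already scopes reads to the account's parameters.
SSM_READ_POLICY_FIXED = copy.deepcopy(SSM_READ_POLICY)
SSM_READ_POLICY_FIXED["Statement"][1]["Action"].append("ssm:GetParameter")

# The resource named in the AccessDeniedException from the question.
DENIED_RESOURCE = "arn:aws:ssm:eu-west-1:redacted:parameter/default/key/api"


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, case_sensitive):
    """IAM-style matching: '*' matches any run of characters, '?' one character.
    Action names are matched case-insensitively, ARNs case-sensitively."""
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    regex = "^" + ".*".join(parts) + "$"
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.match(regex, value, flags) is not None


def evaluate(policy, action, resource):
    """Return (decision, statement_index). Explicit Deny wins over any Allow;
    if no statement matches both action and resource the result is an
    implicit Deny with index None, which is what the question's error shows."""
    decision, matched = "Deny", None
    for index, statement in enumerate(policy["Statement"]):
        action_ok = any(_wildcard_match(a, action, False)
                        for a in _as_list(statement["Action"]))
        resource_ok = any(_wildcard_match(r, resource, True)
                          for r in _as_list(statement["Resource"]))
        if not (action_ok and resource_ok):
            continue
        if statement["Effect"] == "Deny":
            return "Deny", index
        decision, matched = "Allow", index
    return decision, matched


def missing_actions(policy, actions, resource):
    """List the actions from `actions` that `policy` does not allow on
    `resource`; handy when reconciling a role's policy with the calls an
    application actually makes."""
    return [a for a in actions if evaluate(policy, a, resource)[0] != "Allow"]


if __name__ == "__main__":
    for name, policy in (("original", SSM_READ_POLICY), ("fixed", SSM_READ_POLICY_FIXED)):
        for action in ("ssm:GetParameter", "ssm:GetParameters"):
            print(name, action, evaluate(policy, action, DENIED_RESOURCE))
    print("still missing:", missing_actions(
        SSM_READ_POLICY, ["ssm:GetParameter", "ssm:GetParametersByPath"], DENIED_RESOURCE))
```

Running it shows that the original policy allows ssm:GetParameters but implicitly denies ssm:GetParameter on the same ARN, because the two action names are distinct strings and no wildcard is involved; the fixed policy allows both. The same evaluator also reproduces the fourth answer's point: a resource ARN with a wrong or missing account field simply fails the resource match and falls through to the implicit deny.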
0

For me, the case was that, for some reason, I needed the account ID specified in my ARN for ssm:GetParameter but not for ssm:PutParameter.

Adding the account ID to the ARN in my allow policy sorted it out.

answered 5 years ago
0

Add both and check. This worked for me. I also read that some people have added GetParameter and GetParameters.

ssm:GetParametersByPath
ssm:GetParameter

Partha
answered 2 years ago
