PutParameter Permission Error

0

Hi,

I'm trying to run this command in PowerShell in my Microsoft EC2 instance:

    aws ssm put-parameter --name "WindowsAgentConfig" --type "String" --value file://C:\ProgramData\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent.json --overwrite --tier Intelligent-Tiering

However I'm getting the following error: An error occurred (AccessDeniedException) when calling the PutParameter operation: User: arn:aws:sts::480607316411:assumed-role/CloudWatchAgentAdminRole/i-071eb9d7a32d10801 is not authorized to perform: ssm:PutParameter on resource: arn:aws:ssm:us-east-1:480607316411:parameter/WindowsAgentConfig because no identity-based policy allows the ssm:PutParameter action

I checked my IAM Role for permissions and I see this: This policy is attached to the role I'm using

For that same role I also use the following policies:

  • CloudWatchAgentServerPolicy
  • AmazonSSMManagedInstanceCore

Is there something obvious I'm doing wrong here? Any help will be very appreciated.

Adrian.

1 Answer
0

Hi, could be the resource. It’s complaining about “arn:aws:ssm:us-east-1:480607316411:parameter/WindowsAgentConfig” but your expression is “arn:aws:ssm:us-east-1:480607316411:parameter/Amazon-Cloudwatch..”

Can you try with “arn:aws:ssm:us-east-1:480607316411:parameter/*” as a test?

EXPERT
answered a year ago
EXPERT
reviewed a year ago
  • Sorry, I'm quite inexperienced with this and I'm not sure I follow. I tried the following:

    aws ssm put-parameter --name "*" --type "String" --value file://C:\ProgramData\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent.json --overwrite --tier Intelligent-Tiering

    But got a similar response: An error occurred (AccessDeniedException) when calling the PutParameter operation: User: arn:aws:sts::480607316411:assumed-role/CloudWatchAgentAdminRole/i-071eb9d7a32d10801 is not authorized to perform: ssm:PutParameter on resource: arn:aws:ssm:us-east-1:480607316411:parameter/* because no identity-based policy allows the ssm:PutParameter action

    I'm sure I'm not doing what you suggested the right way.

  • What @alatech suggested is replacing the "Resource": "arn:aws:ssm:::parameter/AmazonCloudWatch-*" in your policy with "Resource": "arn:aws:ssm:::parameter/*". Currently it won't match your "WindowsAgentConfig" parameter so you effectively have no Allow statements for your specific PutParameter call.
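
Added example (not part of the original thread and not AWS code): a simplified Python model of how a policy's Resource element is matched against the requested ARN, showing why the call in the question is denied and how far each fix reaches. The policy bodies, the account ID 111122223333, the `arn:aws:ssm:*:*:` region/account wildcards and the `prod/db/password` parameter are constructed assumptions; conditions, NotAction/NotResource, permission boundaries and SCPs are not modelled.

```python
import re

def wildcard_match(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, flags=re.DOTALL) is not None

def as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy, action, resource):
    # Simplified evaluation: an explicit Deny wins, otherwise some Allow
    # statement must match both the action and the resource ARN.
    allowed = False
    for stmt in as_list(policy["Statement"]):
        # Action names are case-insensitive; resource ARNs are matched as written.
        action_hit = any(wildcard_match(a.lower(), action.lower()) for a in as_list(stmt["Action"]))
        resource_hit = any(wildcard_match(r, resource) for r in as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def policy_for(resources):
    # Constructed policy; only the Resource list varies between the cases below.
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ssm:GetParameter", "ssm:PutParameter"], "Resource": resources}]}

PREFIX = "arn:aws:ssm:us-east-1:111122223333:parameter/"  # constructed account ID
SCOPED = policy_for("arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*")  # assumed current policy
WIDE = policy_for("arn:aws:ssm:*:*:parameter/*")                     # the suggested test
EXACT = policy_for(["arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*", PREFIX + "WindowsAgentConfig"])

def report():
    # For each parameter name: (allowed by SCOPED, allowed by WIDE, allowed by EXACT)
    rows = {}
    for name in ("WindowsAgentConfig", "AmazonCloudWatch-WindowsAgentConfig", "prod/db/password"):
        rows[name] = tuple(is_allowed(p, "ssm:PutParameter", PREFIX + name) for p in (SCOPED, WIDE, EXACT))
    return rows

if __name__ == "__main__":
    for name, (scoped, wide, exact) in report().items():
        print(f"{name:40} scoped={scoped!s:5} wide={wide!s:5} exact={exact}")
```

The `parameter/*` variant also authorizes writes to the unrelated parameter, so it suits a test only; renaming the parameter to fit the `AmazonCloudWatch-` prefix or listing its exact ARN keeps the role scoped.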
