Make sure your Lambda function execution role has sufficient permissions for the resources that Lambda is going to access.
From the error message, the first thing I'd check is that your Lambda function execution role "pm2supplier-stack-AspNetCoreFunctionRole" has the following permissions:

    {
      "Effect": "Allow",
      "Action": "ssm:GetParametersByPath",
      "Resource": "arn:aws:ssm:eu-west-2:074xxxxxxxxx:parameter/PM2AWSLambda/"
    }

It is always best practice to follow the least privilege model, but you can first eliminate the error with the following policy (giving all GetParameter-type access to your Lambda execution role) and then trim it down further to the actions that are actually required:

    {
      "Effect": "Allow",
      "Action": ["ssm:GetParameter*"],
      "Resource": "arn:aws:ssm:eu-west-2:074xxxxxxxxx:parameter/PM2AWSLambda/"
    }

From the error message, it seems that the Lambda function execution role requires this permission in one of its IAM policies, but it's not provided anywhere explicitly, which is why this error occurs.
Hope this helps.
Abhishek
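
Added example (not part of the answer above and not AWS code): a simplified local matcher that shows which SSM read actions the wildcard statement grants compared with the single-action statement, so the trim-down step is concrete. It assumes plain Allow statements only and does not model Deny, conditions, permission boundaries or the real IAM evaluation engine; the function and constant names are hypothetical.

```python
import re

# SSM parameter read actions (real IAM action names).
SSM_READ_ACTIONS = [
    "ssm:GetParameter",
    "ssm:GetParameters",
    "ssm:GetParametersByPath",
    "ssm:GetParameterHistory",
]

# ARN exactly as redacted in the answer above.
PARAM_ARN = "arn:aws:ssm:eu-west-2:074xxxxxxxxx:parameter/PM2AWSLambda/"

# The two statements from the answer: wildcard first, then the trimmed one.
BROAD = {"Effect": "Allow", "Action": ["ssm:GetParameter*"], "Resource": PARAM_ARN}
NARROW = {"Effect": "Allow", "Action": "ssm:GetParametersByPath", "Resource": PARAM_ARN}


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case=False):
    """IAM-style match: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def allows(statement, action, resource):
    """True if this single Allow statement covers the action on the resource."""
    if statement.get("Effect") != "Allow":
        return False
    # Action names are matched case-insensitively; resource ARNs are not.
    action_ok = any(_wildcard_match(p, action, ignore_case=True)
                    for p in _as_list(statement["Action"]))
    resource_ok = any(_wildcard_match(p, resource)
                      for p in _as_list(statement["Resource"]))
    return action_ok and resource_ok


def granted_actions(statement, resource=PARAM_ARN):
    """SSM read actions from SSM_READ_ACTIONS that the statement grants."""
    return [a for a in SSM_READ_ACTIONS if allows(statement, a, resource)]


if __name__ == "__main__":
    print("broad :", granted_actions(BROAD))
    print("narrow:", granted_actions(NARROW))
```
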
When you create a Lambda function you need to give it an execution role. That role should include, in addition to basic permissions for CloudWatch Logs, also permissions to read from SSM. When you run it locally, it uses different permissions than what you assign to the function. This is why we recommend debugging locally, but running integration tests in the cloud.