PutParameter Permission Error

0

Hi,

I'm trying to run this command in PowerShell in my Microsoft EC2 instance: aws ssm put-parameter --name "WindowsAgentConfig" --type "String" --value file://C:\ProgramData\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent.json --overwrite --tier Intelligent-Tiering

However I'm getting the following error: An error occurred (AccessDeniedException) when calling the PutParameter operation: User: arn:aws:sts::480607316411:assumed-role/CloudWatchAgentAdminRole/i-071eb9d7a32d10801 is not authorized to perform: ssm:PutParameter on resource: arn:aws:ssm:us-east-1:480607316411:parameter/WindowsAgentConfig because no identity-based policy allows the ssm:PutParameter action

I checked my IAM role for permissions and I see this: This policy is attached to the role I'm using

For that same role I also use the following policies:

  • CloudWatchAgentServerPolicy
  • AmazonSSMManagedInstanceCore

Is there something obvious I'm doing wrong here? Any help would be much appreciated.

Adrian.

Asked 1 year ago, viewed 1222 times
1 answer
0

Hi, could be the resource. It's complaining about "arn:aws:ssm:us-east-1:480607316411:parameter/WindowsAgentConfig" but your expression is "arn:aws:ssm:us-east-1:480607316411:parameter/Amazon-Cloudwatch..".

Can you try with "arn:aws:ssm:us-east-1:480607316411:parameter/*" as a test?

Expert
Answered 1 year ago
Expert
Reviewed 1 year ago
  • Sorry, I'm quite inexperienced with this and I'm not sure I follow. I tried the following:

    aws ssm put-parameter --name "*" --type "String" --value file://C:\ProgramData\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent.json --overwrite --tier Intelligent-Tiering

    But got a similar response: An error occurred (AccessDeniedException) when calling the PutParameter operation: User: arn:aws:sts::480607316411:assumed-role/CloudWatchAgentAdminRole/i-071eb9d7a32d10801 is not authorized to perform: ssm:PutParameter on resource: arn:aws:ssm:us-east-1:480607316411:parameter/* because no identity-based policy allows the ssm:PutParameter action

    I'm sure I'm not doing what you suggested the right way

  • What @alatech suggested is replacing the "Resource": "arn:aws:ssm:::parameter/AmazonCloudWatch-*" in your policy with "Resource": "arn:aws:ssm:::parameter/*". Currently it won't match your "WindowsAgentConfig" parameter so you effectively have no Allow statements for your specific PutParameter call.
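
The mismatch discussed in this thread, as an added example (not part of the thread and not AWS's own evaluation code): a simplified identity-policy check run against the resource ARNs from the two error messages. The policy document is constructed and assumes the attached policy allows `ssm:PutParameter` on `arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*`; `evaluate` and `check` are hypothetical helpers that ignore `Condition`, `NotAction`/`NotResource`, permission boundaries and SCPs.

```python
import re

def _wild(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch("".join(parts), value, flags) is not None

def _as_list(x):
    return [x] if isinstance(x, (str, dict)) else list(x)

def evaluate(policy, action, resource):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one request."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        hit = (any(_wild(a, action, True) for a in _as_list(st["Action"]))
               and any(_wild(r, resource) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return "explicit-deny"          # a matching Deny always wins
        allowed = allowed or (hit and st["Effect"] == "Allow")
    # No matching Allow is the "no identity-based policy allows" case.
    return "allow" if allowed else "implicit-deny"

# Constructed policy (assumption): Resource scoped to the AmazonCloudWatch- prefix.
SCOPED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:PutParameter"],
        "Resource": "arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*",
    }],
}
# Same statement widened to every parameter, as suggested in the answer as a test.
WIDE = {"Version": "2012-10-17", "Statement": [
    dict(SCOPED["Statement"][0], Resource="arn:aws:ssm:*:*:parameter/*")]}

ARN_PREFIX = "arn:aws:ssm:us-east-1:480607316411:parameter/"  # from the error message

def check(name, policy=SCOPED):
    """Decision for `aws ssm put-parameter --name <name>` under `policy`."""
    return evaluate(policy, "ssm:PutParameter", ARN_PREFIX + name)

if __name__ == "__main__":
    # The last name is a constructed alternative that keeps the scoped policy.
    for name in ("WindowsAgentConfig", "*", "AmazonCloudWatch-WindowsAgentConfig"):
        print(f"{name!r}: scoped={check(name)} wide={check(name, WIDE)}")
```

Under the scoped policy, a parameter name that carries the `AmazonCloudWatch-` prefix is allowed without widening `Resource` to `parameter/*`.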
