I'm getting an error in my Lambda function, which calls SSM:
```
AccessDeniedException: User: arn:aws:sts::redacted:assumed-role/LambdaBackend_master_lambda/SpikeLambda is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-west-1:redacted:parameter/default/key/api
```
However, I'm pretty sure I configured this correctly:
Role, with AssumeRole for Lambda (although we know that works from the error message).
```
λ aws iam get-role --role-name LambdaBackend_master_lambda
{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "lambda.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "redacted",
        "CreateDate": "2017-06-23T20:49:37Z",
        "RoleName": "LambdaBackend_master_lambda",
        "Path": "/",
        "Arn": "arn:aws:iam::redacted:role/LambdaBackend_master_lambda"
    }
}
```
And my policy:
```
λ aws iam list-role-policies --role-name LambdaBackend_master_lambda
{
    "PolicyNames": [
        "ssm_read"
    ]
}

λ aws iam get-role-policy --role-name LambdaBackend_master_lambda --policy-name ssm_read
{
    "RoleName": "LambdaBackend_master_lambda",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "ssm:DescribeParameters"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "ssm:GetParameters"
                ],
                "Resource": "arn:aws:ssm:eu-west-1:redacted:parameter/*",
                "Effect": "Allow"
            }
        ]
    },
    "PolicyName": "ssm_read"
}
```
I've run it through the policy simulator and it seems to be fine!
Which gave the account CMK (Customer Master Key) permission to decrypt the key, but still the same error.
Played around with this today and got the following: dropping the s from `ssm:GetParameters` and using `ssm:GetParameter` seems to work when using the GetParameter action, i.e. `AWS_PROFILE=pstore aws ssm get-parameter --name param_name`. This weirded me out a bit because I cannot find this at all in the IAM action docs here. However it does seem to work, and SSM is still a bit under-documented. Amazon has updated and moved its docs. The new docs include both `ssm:GetParameters` and `ssm:GetParameter`.
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ssm:DescribeParameters"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ssm:GetParameter"
            ],
            "Resource": "arn:aws:ssm:eu-west-1:redacted:parameter/*",
            "Effect": "Allow"
        }
    ]
}
```
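To make the mismatch in this thread mechanical rather than a matter of squinting at names, here is an added example (not code from the question or the answer) that parses the action and resource out of the AccessDenied message and evaluates them against an inline policy the way IAM does: explicit Deny first, then any matching Allow, otherwise implicit deny. The policies and error text are constructed copies of the ones above with a placeholder account id; the policy evaluator is a simplified one (no conditions, no resource or permission-boundary policies).

```python
import json
import re

# Constructed copies of the two inline policies in the thread (account id is a
# placeholder): the original grants ssm:GetParameters, the fix grants ssm:GetParameter.
ORIGINAL_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Action": ["ssm:DescribeParameters"], "Resource": "*", "Effect": "Allow"},
  {"Action": ["ssm:GetParameters"], "Effect": "Allow",
   "Resource": "arn:aws:ssm:eu-west-1:123456789012:parameter/*"}]}""")
FIXED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Action": ["ssm:DescribeParameters"], "Resource": "*", "Effect": "Allow"},
  {"Action": ["ssm:GetParameter"], "Effect": "Allow",
   "Resource": "arn:aws:ssm:eu-west-1:123456789012:parameter/*"}]}""")

# Constructed copy of the AccessDeniedException quoted in the question.
ERROR_MESSAGE = ("User: arn:aws:sts::123456789012:assumed-role/LambdaBackend_master_lambda/"
                 "SpikeLambda is not authorized to perform: ssm:GetParameter on resource: "
                 "arn:aws:ssm:eu-west-1:123456789012:parameter/default/key/api")

def parse_access_denied(message):
    """Return the (action, resource) pair named in an AWS AccessDenied message."""
    m = re.search(r"not authorized to perform: (\S+) on resource: (\S+)", message)
    if not m:
        raise ValueError("not an AccessDenied message")
    return m.group(1), m.group(2)

def _glob(pattern, value, ignore_case):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Identity-policy check only: explicit Deny wins, then any Allow, else implicit deny.
    IAM compares action names case-insensitively and resource ARNs case-sensitively."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_glob(r, resource, False) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Running `is_allowed(ORIGINAL_POLICY, *parse_access_denied(ERROR_MESSAGE))` returns False while the same call with `FIXED_POLICY` returns True, which is exactly the one-letter difference the answer found; the region check in the ARN also shows why a parameter in another region would still be denied.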