Scenario: One of our scripts uses the boto3 KMS API to PUT and GET SSM parameters with KMS encryption and decryption. The SSM param put works perfectly fine and parameters are added (with decryption as true) as SecureString in the EC2 SSM param store. The issue we are facing is when trying to GET SSM param values with decryption as true. The corresponding Lambda code that runs this script throws the following error when running the following boto3 script (on running get_ssm_parameters_by_path):
import boto3

def get_ssm_parameters_by_path(self):
    session = boto3.Session()
    ssm_client = session.client('ssm', 'us-east-1')
    ssm_parameters = []
    # SecureString values are decrypted server-side via KMS when WithDecryption=True
    response = ssm_client.get_parameters_by_path(
        Path=self.ssm_parameter_path,
        Recursive=True,
        WithDecryption=True
    )
    ssm_parameters.extend(response['Parameters'])
    return ssm_parameters
ERROR: An error occurred (AccessDeniedException) when calling the GetParametersByPath operation: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access. (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: eaaxx-7ae7-11e8-97xx5e-b9exxxxxxx410): ClientError
I went through different AWS docs on working with KMS encryption and decryption and updated my policy document as below, but no luck so far. The role that the Lambda uses has the following policy access in place:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSMAccess",
            "Effect": "Allow",
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "arn:aws:kms:us-east-1:AWS_ACCOUNT_NUMBER:key/<aws/ssm default key id>",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "ssm.us-east-1.amazonaws.com",
                    "kms:CallerAccount": "AWS_ACCOUNT_NUMBER"
                }
            }
        },
        {
            "Sid": "AllowKeyMetadata",
            "Effect": "Allow",
            "Action": ["kms:Describe*", "kms:Get*", "kms:List*"],
            "Resource": "arn:aws:kms:us-east-1:AWS_ACCOUNT_NUMBER:key/<aws/ssm default key id>"
        },
        {
            "Sid": "KeyAccess",
            "Effect": "Allow",
            "Action": [
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Get*",
                "kms:TagResource"
            ],
            "Resource": "arn:aws:kms:us-east-1:AWS_ACCOUNT_NUMBER:key/<aws/ssm default key id>"
        }
    ]
}
Where AWS_ACCOUNT_NUMBER is my AWS account number and the KMS key id is the default "aws/ssm" key used to encrypt and decrypt the SSM param. The key does exist in the account. The region we are giving is "us-east-1", so that's okay too. The last part of the error says "or you don't have access".
I can see that the parameter is available in EC2 SSM param store and properly decrypted with the KEY ID I am using to decrypt.
What other policy access or addition do we need to perform in order to run "get_parameters_by_path" successfully?
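To make the role's first two statements easier to reason about, here is an added example (not part of the question or answer) that evaluates them offline with a simplified IAM decision function: the key ARN, the `kms:ViaService` and `kms:CallerAccount` condition keys are checked exactly as written in the statements. The account number and key id are constructed placeholders; the three cases show that a decrypt routed through SSM on the listed key is allowed, while a ciphertext that refers to a key in another region, or a direct KMS call without the ViaService context, falls to the implicit deny.

```python
import fnmatch

# Constructed placeholders; the real account id and aws/ssm key id are in the asker's account.
ACCOUNT = "111122223333"
SSM_KEY = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/aws-ssm-key-id-placeholder"

# The asker's first two statements with the placeholders substituted in.
POLICY = [
    {"Sid": "AllowSSMAccess", "Effect": "Allow",
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": SSM_KEY,
     "Condition": {"StringEquals": {"kms:ViaService": "ssm.us-east-1.amazonaws.com",
                                    "kms:CallerAccount": ACCOUNT}}},
    {"Sid": "AllowKeyMetadata", "Effect": "Allow",
     "Action": ["kms:Describe*", "kms:Get*", "kms:List*"], "Resource": SSM_KEY},
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _conditions_hold(condition, ctx):
    """Only StringEquals is needed for this policy; every listed key must match exactly."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        if any(ctx.get(key) != expected for key, expected in pairs.items()):
            return False
    return True

def evaluate(policy, action, resource, ctx):
    """Simplified IAM evaluation: explicit Deny wins, else any matching Allow, else implicit Deny."""
    decision = "Deny"
    for stmt in policy:
        # IAM wildcards (* and ?) in Action/Resource map directly onto fnmatch patterns
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# Request context SSM supplies when it decrypts a SecureString on the caller's behalf
VIA_SSM = {"kms:ViaService": "ssm.us-east-1.amazonaws.com", "kms:CallerAccount": ACCOUNT}

def decrypt_via_ssm(key_arn):
    return evaluate(POLICY, "kms:Decrypt", key_arn, VIA_SSM)

if __name__ == "__main__":
    print(decrypt_via_ssm(SSM_KEY))                                    # Allow
    print(decrypt_via_ssm(SSM_KEY.replace("us-east-1", "us-west-2")))  # Deny: other key
    print(evaluate(POLICY, "kms:Decrypt", SSM_KEY, {"kms:CallerAccount": ACCOUNT}))  # Deny
```

The second case is the situation the error message describes: the ciphertext names a key that the role's Resource does not cover, so the decrypt is refused before the parameter value is ever returned.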
The default is the AWS managed key for your account, aws/ssm. Parameter Store then calls the AWS KMS Encrypt operation with the KMS key and the plaintext parameter value. AWS KMS returns the encrypted parameter value, which Parameter Store stores with the parameter name.
Note: Only the value of the SSM parameter is encrypted. Parameter names, descriptions and other characteristics are not encrypted.
You can locate the Amazon Resource Name (ARN) of the default key in the AWS KMS console on the AWS managed keys page. The default key is the one identified with aws/ssm in the Alias column.
You have to define the policy below to access the Parameter Store key.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "getParameter",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameters"
            ],
            "Resource": "arn:aws:ssm:<region>:<AWS_ACCOUNT_NUMBER>:parameter/<Parameter_Store_Key_Name>"
        },
        {
            "Sid": "decryptKey",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:<region>:<AWS_ACCOUNT_NUMBER>:key/<aws/ssm_Key_Id>"
        }
    ]
}
ssm:GetParameters will allow us to access Parameter_Store_Key_Name. Refer to https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html.