I am trying to get SSM parameters in a JS handler as follows:

    const AWS = require('aws-sdk');
    const ssm = new AWS.SSM();

    module.exports.post = (event, context, callback) => {
      var params = {
        Name: 'myParameter',
        WithDecryption: true
      };
      ssm.getParameter(params, function(err, data) {
        if (err) {
          console.log(err, err.stack);
          callback(err);
        } else {
          console.log(data);
          callback(null, data);
        }
      });
    };
and I added the following permissions to the role in my serverless.yml file:

    iamRoleStatements:
      - Effect: Allow
        Action:
          - ssm:GetParameters
          - ssm:GetParameter
          - ssm:DescribeParameters
          - kms:Encrypt
          - kms:Decrypt
        Resource: "*"
Using the CLI I can successfully run

    aws ssm get-parameter --names myParameter

but when I invoke the function I get the following error in CloudWatch:

    AccessDeniedException: User: myUser is not authorized to perform: ssm:GetParameter on resource: myResource/myParameter

I have tried using the getParameters function and the exact resource name, but I still get the same error message.
Any help would be much appreciated.
Just created a project with serverless and it worked as expected.
The permissions are set in serverless.yml with only the grants required for execution of the code.
serverless.yml

    service: poc-lambda-ssm
    provider:
      name: aws
      runtime: nodejs8.10   # runtime at the time of writing; now deprecated on Lambda
      variableSyntax: "\\${((?!AWS)[ ~:a-zA-Z0-9._'\",\\-\\/\\(\\)]+?)}"
      iamRoleStatements:
        # Read access to this one parameter only, no wildcard Resource.
        - Effect: Allow
          Action:
            - ssm:GetParameter
          Resource:
            - 'Fn::Join':
                - ':'
                - - 'arn:aws:ssm'
                  - Ref: 'AWS::Region'
                  - Ref: 'AWS::AccountId'
                  - 'parameter/my-secure-param'
        # Only needed when the SecureString is encrypted with a customer-managed
        # key. The Resource must be the key ARN (key/<key-id>); KMS does not accept
        # an alias in place of the key ID. A SecureString under the AWS managed
        # aws/ssm key needs no statement here: that key's own policy allows Decrypt
        # for callers in this account that come through SSM.
        - Effect: Allow
          Action:
            - kms:Decrypt
          Resource:
            - 'Fn::Join':
                - ':'
                - - 'arn:aws:kms'
                  - Ref: 'AWS::Region'
                  - Ref: 'AWS::AccountId'
                  - 'key/<key-id>'   # placeholder: key ID of your customer-managed key
    functions:
      hello_ssm:
        handler: handler.hello_ssm
handler.js

    'use strict';
    const AWS = require("aws-sdk");
    // Lambda sets AWS_REGION for the function; the fallback is only for
    // serverless invoke local.
    AWS.config.update({ region: process.env.AWS_REGION || "us-east-1" });
    const ssm = new AWS.SSM({ apiVersion: '2014-11-06' });

    module.exports.hello_ssm = function(event, context, callback) {
      var params = {
        Name: 'my-secure-param',
        WithDecryption: true   // required for a SecureString; otherwise the ciphertext is returned
      };
      ssm.getParameter(params, function(err, data) {
        if (err) callback(err);
        else callback(null, "my secure param is: " + data.Parameter.Value);
      });
    };
and created a parameter called my-secure-param in AWS Systems Manager with type SecureString.
You might also check my PoC Lambda SSM project. In this project I use serverless to develop the Lambda, and it works when invoked locally with serverless invoke local -f hello_ssm.
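As an added example that is not part of the question or the answer above, the following Node.js helpers cover the two things that usually go wrong here: building the exact parameter ARN that an IAM Resource element expects (including the hierarchical-name case, where the leading slash of "/prod/db/password" is dropped so the ARN has a single slash after "parameter"), assembling the least-privilege policy for a set of parameters, and classifying the SDK errors so an AccessDeniedException points at the role policy instead of at the handler. The region, account ID, parameter names and key ARN are made-up values; the ssm argument is whatever client you pass in, the aws-sdk v2 AWS.SSM instance in Lambda or a stub when testing.

```javascript
'use strict';

// Exact ARN for one parameter, as an IAM Resource element expects it.
// Hierarchical names begin with "/", but the ARN keeps a single slash after
// "parameter": "/prod/db/password" -> "...:parameter/prod/db/password".
// This is what to put in the policy instead of Resource: "*".
function ssmParameterArn(region, accountId, name) {
  if (!/^\d{12}$/.test(accountId)) throw new Error('accountId must be 12 digits');
  if (typeof name !== 'string' || name.length === 0) throw new Error('parameter name required');
  return `arn:aws:ssm:${region}:${accountId}:parameter/${name.replace(/^\/+/, '')}`;
}

// Least-privilege policy document for a function that reads `names`.
// kms:Decrypt is added only when a customer-managed key ARN is supplied:
// KMS wants the key ARN (arn:aws:kms:<region>:<account>:key/<key-id>) in
// Resource, not an alias, and SecureStrings under the AWS managed aws/ssm key
// need no statement because that key's own policy allows Decrypt for callers
// in the account that come through SSM.
function leastPrivilegePolicy(region, accountId, names, kmsKeyArn) {
  const statements = [{
    Effect: 'Allow',
    Action: ['ssm:GetParameter'],
    Resource: names.map((n) => ssmParameterArn(region, accountId, n)),
  }];
  if (kmsKeyArn !== undefined) {
    if (!/^arn:aws:kms:[a-z0-9-]+:\d{12}:key\/[A-Za-z0-9-]+$/.test(kmsKeyArn)) {
      throw new Error('kmsKeyArn must be a key ARN (arn:aws:kms:<region>:<account>:key/<key-id>), not an alias ARN');
    }
    statements.push({ Effect: 'Allow', Action: ['kms:Decrypt'], Resource: [kmsKeyArn] });
  }
  return { Version: '2012-10-17', Statement: statements };
}

// Read one parameter through the SSM client passed in (AWS.SSM from aws-sdk
// v2 in Lambda, or a stub in tests) and map the SDK error codes to messages
// that say where to look, instead of surfacing a raw stack trace.
function getParameterValue(ssm, name, withDecryption = true) {
  return new Promise((resolve, reject) => {
    ssm.getParameter({ Name: name, WithDecryption: withDecryption }, (err, data) => {
      if (!err) return resolve(data.Parameter.Value);
      if (err.code === 'AccessDeniedException') {
        return reject(new Error(
          `execution role lacks ssm:GetParameter (or kms:Decrypt) for ${name}; ` +
          'compare the Resource ARN in the role policy with the ARN named in the error'));
      }
      if (err.code === 'ParameterNotFound') {
        return reject(new Error(`parameter ${name} does not exist in this region`));
      }
      return reject(err);
    });
  });
}
```

In a handler, getParameterValue(new AWS.SSM(), 'my-secure-param') replaces the callback code above; the policy object is the shape to copy into iamRoleStatements, and comparing its Resource entries with the ARN printed in the CloudWatch AccessDeniedException is the quickest way to spot a name or region mismatch.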