Marc

Reputation: 173

AWS: ssm:GetParameters AccessDeniedException

I am trying to get the SSM parameters in a JS handler as follows:

const AWS = require('aws-sdk');   // the posted snippet never declared `ssm`; SDK v2 as elsewhere on the page
const ssm = new AWS.SSM();        // region is taken from the Lambda environment

module.exports.post = (event, context, callback) => {
  var params = {
    Name: 'myParameter',
    WithDecryption: true          // decrypt SecureString values (the docs template "true || false" just evaluates to true)
  };

  ssm.getParameter(params, function(err, data) {
    if (err) {
      console.log(err, err.stack);
      callback(err);              // report the failure to Lambda instead of leaving the invocation hanging
    } else {
      console.log(data);
      callback(null, data.Parameter.Value);
    }
  });
};

and I added the following permission roles to my serverless.yml file

iamRoleStatements:
  - Effect: Allow
    Action:
      - ssm:GetParameters
      - ssm:GetParameter
      - ssm:DescribeParameters
      - kms:Encrypt
      - kms:Decrypt
    Resource: "*"

Using the CLI I can successfully perform aws ssm get-parameter --names myParameter

but when I invoke the function I get the following error in CloudWatch

AccessDeniedException: User: myUser is not authorized to perform: ssm:GetParameter on resource: myResource/myParameter

I have tried using the getParameters function and the exact resource name, but I still get the same error message.

Any help would be much appreciated.

Upvotes: 12

Views: 10823

Answers (1)

Alessandro Oliveira

Reputation: 2216

Just created a project with serverless and it worked as expected.

The permissions are set in serverless.yml with only the grants required for execution of the code.

serverless.yml

service: poc-lambda-ssm

provider:
  name: aws
  runtime: nodejs8.10
  variableSyntax: "\\${((?!AWS)[ ~:a-zA-Z0-9._'\",\\-\\/\\(\\)]+?)}"
  iamRoleStatements:
  - Effect: Allow
    Action:
      - ssm:GetParameter
    Resource:
      - 'Fn::Join':
        - ':'
        - - 'arn:aws:ssm'
          - Ref: 'AWS::Region'
          - Ref: 'AWS::AccountId'
          - 'parameter/my-secure-param'
  - Effect: Allow
    Action:
      - kms:Decrypt
    Resource:
      - 'Fn::Join':
        - ':'
        - - 'arn:aws:kms'
          - Ref: 'AWS::Region'
          - Ref: 'AWS::AccountId'
          - 'key/alias/aws/ssm'   # NOTE: kms:Decrypt is matched against the key ARN (arn:aws:kms:<region>:<account>:key/<key-id>); an alias path here does not identify the key

functions:
  hello_ssm:
    handler: handler.hello_ssm

handler.js

'use strict';

const AWS = require("aws-sdk");

// Set the default region for every client created below
AWS.config.update({
    region: "us-east-1"
});

const ssm = new AWS.SSM({apiVersion: '2014-11-06'});

module.exports.hello_ssm = function(event, context, callback) {
  var params = {
    Name: 'my-secure-param',
    WithDecryption: true   // SecureString: needs kms:Decrypt on the key in addition to ssm:GetParameter
  };

  ssm.getParameter(params, function(err, data) {
      if (err) callback(err);
      else callback(null, "my secure param is: " + data.Parameter.Value);
  });
};

and created a parameter called my-secure-param in AWS Systems Manager with type SecureString.

You might also check my PoC Lambda SSM project. In this project I use serverless to develop the lambda, and it works when invoked locally with invoke local -f hello_ssm.

Upvotes: 3
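As an added example (not code from either post), a small evaluator that builds the parameter ARN IAM checks for ssm:GetParameter and tests whether a set of Allow statements covers both the action and the resource, which is exactly what the AccessDeniedException above reports on. The region, account id and KMS key id are constructed placeholders.

```javascript
'use strict';

// ARN that IAM evaluates for ssm:GetParameter. Hierarchical names already
// begin with "/", so strip it to avoid producing "parameter//...".
function ssmParameterArn(region, accountId, name, partition = 'aws') {
  const path = name.startsWith('/') ? name.slice(1) : name;
  return `arn:${partition}:ssm:${region}:${accountId}:parameter/${path}`;
}

// Turn an IAM Action/Resource pattern ("*" and "?" wildcards) into a RegExp.
function patternToRegExp(pattern, flags = '') {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`, flags);
}

// Minimal evaluator for identity-policy Allow statements: the call is allowed
// only if some statement names the action (case-insensitive, as IAM does) and
// one of its Resource entries matches the ARN. Deny and Condition are out of scope.
function isAllowed(statements, action, resourceArn) {
  return statements.some((stmt) => {
    if (stmt.Effect !== 'Allow') return false;
    const actions = [].concat(stmt.Action);
    const resources = [].concat(stmt.Resource);
    return actions.some((a) => patternToRegExp(a, 'i').test(action)) &&
      resources.some((r) => patternToRegExp(r).test(resourceArn));
  });
}

// Least-privilege statements for reading one SecureString parameter, shaped like
// the answer's serverless.yml. kmsKeyArn must be the key ARN
// (arn:aws:kms:<region>:<account>:key/<key-id>); KMS does not match alias ARNs for Decrypt.
function ssmReadStatements(parameterArn, kmsKeyArn) {
  return [
    { Effect: 'Allow', Action: ['ssm:GetParameter'], Resource: [parameterArn] },
    { Effect: 'Allow', Action: ['kms:Decrypt'], Resource: [kmsKeyArn] },
  ];
}

// Constructed sample values (placeholder account id and key id).
const REGION = 'us-east-1';
const ACCOUNT = '123456789012';
const KMS_KEY_ARN = `arn:aws:kms:${REGION}:${ACCOUNT}:key/00000000-0000-0000-0000-000000000000`;
const paramArn = ssmParameterArn(REGION, ACCOUNT, '/prod/db/password');
const policy = ssmReadStatements(paramArn, KMS_KEY_ARN);
console.log(isAllowed(policy, 'ssm:GetParameter', paramArn));   // true
console.log(isAllowed(policy, 'ssm:GetParameters', paramArn));  // false: a different action
console.log(isAllowed(policy, 'ssm:GetParameter', ssmParameterArn(REGION, ACCOUNT, 'other')));  // false
```

Note that the question's original statement used Resource: "*", which this evaluator would also accept, so a denial with such a policy points at the role not being attached to the function rather than at the ARN.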
