Tyler

Reputation: 398

Why does JavaScript aws-sdk ssm getParameter require permissions for all parameters instead of just the one I need?

I'm using JavaScript in my AWS Lambda; it calls SSM getParameter, and the execution role for the Lambda has the proper permissions for the key whose value I'm looking to get.

Originally, I was getting this specific error:

ERROR   AccessDeniedException: User: arn:aws:sts::123456789:assumed-role/my-role/my-lambda is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:123456789:parameter/my/parameter

The specific error made sense, so I corrected my policy, as I had accidentally put GetParameters instead of GetParameter. But now, I am getting this questionable error (note the * at the end):

ERROR   AccessDeniedException: User: arn:aws:sts::123456789:assumed-role/my-role/my-lambda is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:123456789:*

This error does not make any sense to me. Why do I need to access every single parameter? I need only the one I'm asking for.

Here is the relevant code:

const data = await ssm.getParameter({Name: 'my/parameter', WithDecryption: true}).promise();

And the permission policy (created in a CloudFormation template):

MyLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: my-role
      Description: my-role description
      Policies:
        - PolicyName: cloudwatch-access
          ...
        - PolicyName: parameter-store-access
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - "ssm:GetParameter"
                Resource:
                  - !Sub "arn:aws:ssm:*:${AWS::AccountId}:parameter/my/parameter"
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'

Edit:

After changing the permission policy to match the error message, I am now experiencing this strange error:

ERROR   ValidationException: Parameter name: can't be prefixed with "ssm" (case-insensitive). If formed as a path, it can consist of sub-paths divided by slash symbol; each sub-path can be formed as a mix of letters, numbers and the following 3 symbols .-_

Upvotes: 2

Views: 1956

Answers (1)

Tyler

Reputation: 398

Looks like the solution was to prefix the parameter name with a '/'.

In my example, I used {Name: 'my/parameter'}.
After using {Name: '/my/parameter'}, things seem to be working fine.

Talk about a senseless error message...

Upvotes: 7
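An added example (not code from the post above or from the AWS SDK) that applies the fix defensively: it checks the parameter name against the rules quoted in the ValidationException, fully qualifies a hierarchical name with a leading '/' before calling getParameter, and derives the single-parameter ARN the IAM policy should grant so the request is authorized against one resource rather than the account-wide `*`. The names fakeSsmClient, normalizeParameterName, parameterArn and getParameterValue are assumed helpers, and the region, account id and stored value are constructed.

```javascript
// Added example (not from the post or the AWS SDK); helper names are assumed.
// Name rules as quoted in the ValidationException above: optional leading '/',
// then sub-paths of letters, numbers, '.', '-' and '_' separated by '/'.
const NAME_RULES = /^\/?[A-Za-z0-9._-]+(\/[A-Za-z0-9._-]+)*$/;

// Returns null for a valid name, otherwise a description of the problem.
function validateParameterName(name) {
  if (typeof name !== 'string' || name.length === 0) return 'parameter name must be a non-empty string';
  // First sub-path may not start with "ssm" (case-insensitive), per the error text.
  const first = name.replace(/^\//, '').split('/')[0];
  if (/^ssm/i.test(first)) return 'parameter name cannot be prefixed with "ssm"';
  if (!NAME_RULES.test(name)) return 'parameter name may only use letters, numbers, ".", "-", "_" and "/"';
  return null;
}

// Hierarchical names must be fully qualified: 'my/parameter' -> '/my/parameter'.
// A flat name such as 'dbpass' is returned unchanged.
function normalizeParameterName(name) {
  return name.includes('/') && !name.startsWith('/') ? '/' + name : name;
}

// Least-privilege IAM resource ARN for exactly one parameter:
// arn:aws:ssm:REGION:ACCOUNT:parameter/NAME, with NAME's leading '/' dropped.
function parameterArn(region, accountId, name) {
  const stripped = normalizeParameterName(name).replace(/^\//, '');
  return `arn:aws:ssm:${region}:${accountId}:parameter/${stripped}`;
}

// Validate and qualify the name, then call getParameter (aws-sdk v2 convention).
async function getParameterValue(ssm, name) {
  const problem = validateParameterName(name);
  if (problem) throw new Error(problem);
  const params = { Name: normalizeParameterName(name), WithDecryption: true };
  const data = await ssm.getParameter(params).promise();
  return data.Parameter.Value;
}

// Offline stand-in for the aws-sdk v2 SSM client (constructed for this example);
// like the real service, it only resolves fully qualified hierarchical names.
function fakeSsmClient(store) {
  return {
    getParameter: ({ Name }) => ({
      promise: () => Object.prototype.hasOwnProperty.call(store, Name)
        ? Promise.resolve({ Parameter: { Name, Value: store[Name] } })
        : Promise.reject(new Error(`ParameterNotFound: ${Name}`)),
    }),
  };
}
```

With the real client, pass `new AWS.SSM()` in place of fakeSsmClient and grant the role only the ARN returned by parameterArn.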
