Reputation: 57
First time deploying an app to AWS and it's been an adventure. My current error:
Dec 21 03:49:33 ip-172-31-31-185 web: botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::[my account number]:assumed-role/aws-elasticbeanstalk-ec2-role/[the instance number] is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-2:[my account number]:parameter/Dev/WebServer/[thing I want to get] because no identity-based policy allows the ssm:GetParameter action
The docs are very good at telling me what I need to do (it appears I need to add an IAM policy to the instance using AWS Systems Manager; I even have the policy), but less good at telling me how to do it. Where can you add instance policies in the AWS Console?
Upvotes: 0
Views: 2979
Reputation: 1968
Based on the error message, it comes from Beanstalk; the documentation is https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts-roles-instance.html
So likely you already have an instance profile based on an existing role, and that is the role you need to change. The policy is managed in IAM (not Systems Manager): just add an ssm:GetParameter rule there, either with a star (which may be good enough to debug in the dev environment) and, if it works, then limit it to your ARN. If, for arn:aws:ssm:us-east-2:[my account number]:parameter/Dev/WebServer/[thing I want to get], you make [thing I want to get] something like myapp-prefix-[thing I want to get], then you can easily limit the access only to parameters which belong to this given app. Or you can use tags.
Upvotes: 2
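As an added example (not code from the question or the answer above), here is a small Python helper that builds the narrowed identity policy the answer describes for the instance profile role, and a simplified allow-check that shows which parameter ARNs it covers and which it does not. The account ID, region and parameter path are constructed placeholders standing in for the redacted values in the error message; the role name is the one visible in the error. The optional KMS statement handles a case the question does not mention, a SecureString parameter encrypted with a customer managed key, which additionally needs kms:Decrypt.

```python
"""Build and sanity-check a least-privilege SSM Parameter Store read policy.

Added example for the question above; the account ID, region and parameter
path are constructed placeholders, not values from the original post.
"""
import json
import re

# Constructed placeholders standing in for the redacted values in the error message.
ACCOUNT_ID = "123456789012"
REGION = "us-east-2"
APP_PATH = "/Dev/WebServer"                   # parameters live under /Dev/WebServer/<name>
ROLE_NAME = "aws-elasticbeanstalk-ec2-role"   # the role behind the Beanstalk instance profile


def parameter_arn(account_id, region, name):
    """ARN of a parameter; the leading '/' of a hierarchical name is dropped in the ARN."""
    return f"arn:aws:ssm:{region}:{account_id}:parameter/{name.lstrip('/')}"


def ssm_read_policy(account_id, region, path_prefix, kms_key_arn=None):
    """Identity policy granting read access to parameters under one path prefix.

    path_prefix "/" (or "") yields the wide 'parameter/*' debug policy the answer
    mentions; a real prefix narrows it to the app's own parameters.
    GetParametersByPath is authorised against the path ARN itself, so the
    bare path is listed alongside path/*.
    """
    path = path_prefix.strip("/")
    if path:
        resources = [
            parameter_arn(account_id, region, path),
            parameter_arn(account_id, region, path + "/*"),
        ]
    else:
        resources = [parameter_arn(account_id, region, "*")]  # debug only: every parameter

    statements = [{
        "Sid": "ReadAppParameters",
        "Effect": "Allow",
        "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
        "Resource": resources,
    }]
    if kms_key_arn:
        # SecureString parameters encrypted with a customer managed key also need
        # kms:Decrypt on that key, or GetParameter with WithDecryption=True fails.
        statements.append({
            "Sid": "DecryptSecureStrings",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": kms_key_arn,
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _iam_glob(pattern, value):
    """IAM-style wildcard match: '*' = any run of characters, '?' = one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def policy_allows(policy, action, resource_arn):
    """Simplified check: does some Allow statement match both action and resource?

    Ignores Deny statements, Condition blocks, permission boundaries and SCPs;
    it is a quick sanity check on the document, not an IAM evaluator.
    """
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(_iam_glob(a, action) for a in actions) and any(
            _iam_glob(r, resource_arn) for r in resources
        ):
            return True
    return False


if __name__ == "__main__":
    policy = ssm_read_policy(ACCOUNT_ID, REGION, APP_PATH)
    print(json.dumps(policy, indent=2))  # paste into the role's inline policy in IAM
    wanted = parameter_arn(ACCOUNT_ID, REGION, "/Dev/WebServer/db-password")
    other = parameter_arn(ACCOUNT_ID, REGION, "/Dev/OtherApp/db-password")
    print("app parameter allowed:", policy_allows(policy, "ssm:GetParameter", wanted))
    print("other app's parameter allowed:", policy_allows(policy, "ssm:GetParameter", other))
```

To attach the generated document to the role the error names, either open that role in the IAM console (Roles, then the role, then "Add permissions" and "Create inline policy") and paste the JSON, or save it to a file and run `aws iam put-role-policy --role-name aws-elasticbeanstalk-ec2-role --policy-name ReadDevWebServerParameters --policy-document file://policy.json`. The `policy_allows` check only looks at Allow statements in this one document; to confirm what the real role can do, including Deny statements, conditions and permission boundaries, use `aws iam simulate-principal-policy` against the role's ARN.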