I am trying to get the SSM parameters in a JS handler as follows:
const AWS = require('aws-sdk');
const ssm = new AWS.SSM();

module.exports.post = (event, context, callback) => {
  var params = {
    Name: 'myParameter',
    WithDecryption: true
  };
  ssm.getParameter(params, function(err, data) {
    if (err) {
      console.log(err, err.stack);
      callback(err);
    } else {
      console.log(data);
      callback(null, data);
    }
  });
};
and I added the following permission roles to my serverless.yml file
iamRoleStatements:
  - Effect: Allow
    Action:
      - ssm:GetParameters
      - ssm:GetParameter
      - ssm:DescribeParameters
      - kms:Encrypt
      - kms:Decrypt
    Resource: "*"
Using the CLI I can successfully perform aws ssm get-parameter --names myParameter
but when I invoke the function I get the following error in CloudWatch:
AccessDeniedException: User: myUser is not authorized to perform: ssm:GetParameter on resource: myResource/myParameter
I have tried using the getParameters function and specifying the exact resource name, but I still get the same error message.
Any help would be much appreciated.
asked Nov 21, 2017 at 14:21 by Marc

Comments:
- Is the parameter you're trying to get in Parameter Store a SecureString encrypted with a KMS customer managed key? If so, it could be that the Lambda role doesn't have access to the CMK due to the key policy. – maafk, Nov 21, 2017 at 14:33
- Nope. I think the problem is that I am using a root account, but I am not sure how to work around this. – Marc, Nov 23, 2017 at 15:26
- It's definitely not a good idea to use the root account for general AWS usage. Check out the IAM best practices. – maafk, Nov 25, 2017 at 2:26
- Who is myUser? I may be able to help here (for posterity). – user7401700, Apr 16, 2018 at 15:28
- I ran into this issue from JavaScript. – Paul Fryer, Sep 29, 2018 at 21:33
1 Answer
Just created a project with serverless and it worked as expected.
The permissions are set in serverless.yml with only the grants required for execution of the code.
serverless.yml
service: poc-lambda-ssm

provider:
  name: aws
  runtime: nodejs8.10
  variableSyntax: "\\${((?!AWS)[ ~:a-zA-Z0-9._'\",\\-\\/\\(\\)]+?)}"
  iamRoleStatements:
    # Read access scoped to the single parameter, not Resource: "*"
    - Effect: Allow
      Action:
        - ssm:GetParameter
      Resource:
        - 'Fn::Join':
            - ':'
            - - 'arn:aws:ssm'
              - Ref: 'AWS::Region'
              - Ref: 'AWS::AccountId'
              - 'parameter/my-secure-param'
    # Decrypt permission for the key the SecureString was encrypted with.
    # Note: a KMS key ARN has the form ...:key/<key-id>; an alias ARN has the
    # form ...:alias/<alias-name>. The 'key/alias/aws/ssm' value below is the
    # answer's original; substitute the real key ARN for a customer managed key.
    - Effect: Allow
      Action:
        - kms:Decrypt
      Resource:
        - 'Fn::Join':
            - ':'
            - - 'arn:aws:kms'
              - Ref: 'AWS::Region'
              - Ref: 'AWS::AccountId'
              - 'key/alias/aws/ssm'

functions:
  hello_ssm:
    handler: handler.hello_ssm
handler.js
'use strict';

const AWS = require("aws-sdk");

// Lambda already sets AWS_REGION for the SDK; pinning a region here only
// matters if the function and the parameter live in different regions.
AWS.config.update({
  region: "us-east-1"
});

const ssm = new AWS.SSM({ apiVersion: '2014-11-06' });

module.exports.hello_ssm = function(event, context, callback) {
  var params = {
    Name: 'my-secure-param',
    WithDecryption: true // required to get the plaintext of a SecureString
  };
  ssm.getParameter(params, function(err, data) {
    if (err) callback(err);
    else callback(null, "my secure param is: " + data.Parameter.Value);
  });
};
and created a parameter called my-secure-param in AWS Systems Manager with type SecureString.
You might also check my PoC Lambda SSM project. In this project I use serverless to develop the Lambda, and it works when invoked locally using invoke local -f hello_ssm.
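The answer's serverless.yml and handler.js combine three things: naming the exact parameter ARN in the Resource field, granting kms:Decrypt on the key that encrypted it, and reading the SecureString with WithDecryption. The block below is an added example written for this page (it is not the question's or the answer's code, nor part of the linked PoC project) that separates those steps so each can be checked on its own. It uses the aws-sdk v2 calling convention (ssm.getParameter(params).promise()) through an injected client, and ships with a constructed fake client so it runs offline; the region, account id, key ARN and parameter values are placeholders chosen for the example.

```javascript
'use strict';

// SSM parameter ARNs are arn:aws:ssm:<region>:<account>:parameter/<name>.
// A hierarchical name such as "/app/db/password" drops its leading slash, so
// the ARN ends in parameter/app/db/password, not parameter//app/db/password.
function parameterArn(region, accountId, name) {
  const path = name.startsWith('/') ? name.slice(1) : name;
  return `arn:aws:ssm:${region}:${accountId}:parameter/${path}`;
}

// Two statements, each scoped to one resource: the parameter and the KMS key
// that encrypted it. kmsKeyArn must be a key ARN (...:key/<key-id>), not an alias.
function leastPrivilegeStatements(region, accountId, name, kmsKeyArn) {
  return [
    { Effect: 'Allow', Action: ['ssm:GetParameter'], Resource: [parameterArn(region, accountId, name)] },
    { Effect: 'Allow', Action: ['kms:Decrypt'], Resource: [kmsKeyArn] },
  ];
}

// Module-scope cache: the cold start pays one SSM round trip, warm invocations reuse it.
const cache = new Map();

async function getSecureParameter(ssm, name) {
  if (cache.has(name)) return cache.get(name);
  const data = await ssm.getParameter({ Name: name, WithDecryption: true }).promise();
  if (data.Parameter.Type !== 'SecureString') {
    throw new Error(`${name} is ${data.Parameter.Type}, expected SecureString`);
  }
  cache.set(name, data.Parameter.Value);
  return data.Parameter.Value;
}

// Lambda handler factory. On AccessDeniedException it returns a diagnostic naming
// the action and parameter instead of the raw stack, and it never logs or
// returns the secret itself (only its length).
function makeHandler(ssm, name) {
  return async function handler(event) {
    try {
      const value = await getSecureParameter(ssm, name);
      return { statusCode: 200, body: `loaded ${name} (${value.length} chars)` };
    } catch (err) {
      if (err.code === 'AccessDeniedException') {
        return { statusCode: 403, body: `this role cannot ssm:GetParameter ${name}; check iamRoleStatements` };
      }
      throw err;
    }
  };
}

// Constructed stand-in for aws-sdk v2's AWS.SSM so the example runs offline.
// `store` maps parameter name -> plaintext; names in `denied` raise the same
// error code a missing IAM grant produces. Not the real SDK.
function fakeSsm(store, denied = []) {
  const self = { calls: 0 };
  self.getParameter = (params) => ({
    promise: async () => {
      self.calls += 1;
      if (denied.includes(params.Name)) {
        const e = new Error(`User is not authorized to perform: ssm:GetParameter on resource: ${params.Name}`);
        e.code = 'AccessDeniedException';
        throw e;
      }
      if (!(params.Name in store)) {
        const e = new Error('ParameterNotFound');
        e.code = 'ParameterNotFound';
        throw e;
      }
      return {
        Parameter: {
          Name: params.Name,
          Type: 'SecureString',
          Value: params.WithDecryption ? store[params.Name] : 'ciphertext-blob',
        },
      };
    },
  });
  return self;
}

// Usage with placeholder values: one readable parameter, one the role is denied.
async function demo() {
  const ssm = fakeSsm({ 'my-secure-param': 'hunter2' }, ['forbidden-param']);
  const ok = await makeHandler(ssm, 'my-secure-param')({});
  const denied = await makeHandler(ssm, 'forbidden-param')({});
  return { ok, denied, calls: ssm.calls };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

To use it in a real function, pass `new AWS.SSM()` to makeHandler and export the result; the Resource entries produced by leastPrivilegeStatements are what the Fn::Join expressions in the answer's serverless.yml evaluate to at deploy time. If the error in CloudWatch names an IAM user rather than the function's role, the code ran under local CLI credentials (for example via invoke local), so the iamRoleStatements were never in play for that invocation.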