AWS System Manager GetParameters permission being implicitly denied
I am trying to set up eksctl for EKS, but it is throwing "Error: unable to determine AMI to use: error getting AMI from SSM Parameter Store: AccessDeniedException: User: arn:aws:iam:::user/cnc is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1::parameter/aws/service/eks/optimized-ami/1.18/amazon-linux-2/recommended/image_id".

The IAM permission policy I am using is:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:DescribeParameters"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:GetParameters",
                    "ssm:GetParametersByPath"
                ],
                "Resource": "arn:aws:ssm:::parameter/*"
            }
        ]
    }

I also tried using the policy simulator to check the permissions; it gives me "Implicitly Denied (No matching statement)".

Gamine answered 10/1, 2021 at 12:6 Comment(0)
I had the same issue. The way I resolved it was by adding the region to the ssm resource, and also adding ssm:GetParameter, like this:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:DescribeParameters"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:GetParameters",
                    "ssm:GetParameter",
                    "ssm:GetParametersByPath"
                ],
                "Resource": "arn:aws:ssm:ca-central-1::parameter/*"
            }
        ]
    }

If you notice, I've added the region ca-central-1; you should change it to your current region.

Anatolian answered 1/4, 2021 at 16:30 Comment(0)
For me, I was using --with-decryption for a SecureString. My instance profile also needed to have KMS rights to the alias/parameter-store-key.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:GetParameter*"
                ],
                "Resource": "arn:aws:ssm:us-west-2:111122223333:parameter/ITParameters/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "kms:Decrypt"
                ],
                "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
            }
        ]
    }

Sosthena answered 21/4, 2022 at 6:30 Comment(2)
Thanks for this! I had the same problem, and the thing that was confusing for me was that the error message didn't mention KMS at all. It just said that I didn't have "ssm:GetParameter" permissions. Arrrgghhh... IAM permissions will be the death of me. (Glenoid)
No doubt! We gotta support each other, cuz the AWS docs certainly won't. (Sosthena)

If you have a Lambda and do a live edit of the policy attached to the Lambda's role, it will not work. The policy update is not reflected until you switch to another role and switch back.

Also, for GetParametersByPath you have to provide the path, not path with /*. This is what worked for me:

    statement {
      effect = "Allow"
      actions = [
        "ssm:GetParametersByPath",
        "ssm:GetParameters",
        "ssm:GetParameter"
      ]
      resources = [
        "arn:aws:ssm:eu-west-1:0123456789:parameter:my-ssm-namespace"
      ]
    }

Counterpart answered 27/2, 2023 at 13:17 Comment(1)
I found this was the answer for me, and it took me too many iterations to get there! (Ingratiating)

Mine was in the other direction. I had ssm:GetParameter, and the error message was AccessDeniedException: User is not authorized to perform: ssm:GetParameter on resource because no identity-based policy allows the ssm:GetParameter action, but implicitly the missing ssm:GetParameters was causing the request to be denied with a misleading error message.

Caddis answered 13/3, 2022 at 20:58 Comment(1)
I had the same issue. I was trying to use ssm:GetParametersByPath, which apparently requires ssm:GetParameters as well. Lost a few hours on that one.... sigh (Crabstick)

I think you might need to authorize the "ssm:GetParameter" action as well.

Coburn answered 1/3, 2021 at 14:49 Comment(1)
I also had to mention my resource id, and it worked. (Gamine)

I had the same error message as @plantbeard, but mine was related to capitalisation. I was using Serverless and taking the param name from the stage environment, e.g. dev, but my parameter was called /Dev/param; renaming it to /dev/param fixed it for me.

Predator answered 20/4, 2022 at 18:2 Comment(1)
This is a comment about another answer: stackoverflow.com/a/71460789, but it doesn't answer the question. (Bannockburn)

For anyone else who still has issues, I was receiving the same error for my Lambda function:

"AccessDeniedException: User: arn:aws:sts::xxxxxx:assumed-role/[role-name]-role-xxxxxx/[lambda-function-name] is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:xxxxxx:parameter/[parameter_path1]/[parameter_pathx] because no identity-based policy allows the ssm:GetParameter action",

I found that on the policies page https://us-east-1.console.aws.amazon.com/iamv2/home#/policies

I needed to add the rule to a "Customer managed" type policy named AWSLambdaBasicExecutionRole-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (I think someone else created this, though, and I just added on to it).

That looked like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:GetParameter",
            "Resource": "arn:aws:ssm:us-east-1:xxxxxxxxxx:parameter/[parameter_path1]/[parameter_pathx]"
        }
    ]
}

Aubert answered 9/9, 2022 at 17:38 Comment(0)
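The thread's failures all come down to how an identity policy's Action and Resource patterns are matched against the call actually being made: an empty region field in the questioner's ARN, ssm:GetParameters versus ssm:GetParameter, a SecureString read that also needs kms:Decrypt, and a parameter path whose case does not match. The script below is an added example, not code from any of the posts and not AWS's evaluation engine; it is a simplified offline model of that matching (case-insensitive actions, case-sensitive field-by-field ARNs with IAM's `*` and `?` wildcards, explicit Deny over Allow over implicit deny) that reproduces the simulator's "No matching statement" result for the policy in the question and the "Allow" for the fix. The account id 123456789012, the `app/*` policy and the KMS key id are constructed placeholders.

```python
"""Offline model of how an IAM identity policy grants (or fails to grant)
SSM Parameter Store calls. Added example for this thread, not code from the
original posts and not AWS's evaluation engine; it models only the parts
the thread turns on:
  * action names match case-insensitively and accept '*' / '?' wildcards;
  * resource ARNs match case-sensitively, field by field, so an empty
    region or account field in a policy ARN only matches an ARN whose
    field is also empty (the questioner's ARN had no region; the public
    EKS parameter in the error has a region but no account);
  * an explicit Deny wins, then any matching Allow, otherwise the result
    is an implicit deny (the simulator's "No matching statement").
Account id 123456789012 and the KMS key id are constructed placeholders."""
import re


def _glob(pattern: str) -> str:
    # IAM wildcards: '*' is any run of characters, '?' exactly one character.
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern) + r"\Z"


def action_matches(pattern: str, action: str) -> bool:
    """Action names are case-insensitive; ssm:GetParameter* covers
    GetParameter, GetParameters and GetParametersByPath."""
    return re.match(_glob(pattern), action, re.IGNORECASE) is not None


def arn_matches(pattern: str, arn: str) -> bool:
    """Compare arn:partition:service:region:account:resource field by field,
    so a wildcard never crosses a ':' in the first five fields and an empty
    field only matches an empty field. The resource part is case-sensitive."""
    if pattern == "*":
        return True
    p, a = pattern.split(":", 5), arn.split(":", 5)
    if len(p) != 6 or len(a) != 6:
        return False
    return all(re.match(_glob(pp), aa) is not None for pp, aa in zip(p, a))


def _as_list(v):
    return v if isinstance(v, list) else [v]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action/resource pair."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if (any(action_matches(a, action) for a in _as_list(stmt["Action"]))
                and any(arn_matches(r, resource) for r in _as_list(stmt["Resource"]))):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def check_request(policy, api_action, parameter_arn, kms_key_arn=None):
    """Decision for every permission one SSM call needs. Reading a
    SecureString with WithDecryption also needs kms:Decrypt on its key,
    which the AccessDenied message for ssm:GetParameter never mentions."""
    needed = [("ssm:" + api_action, parameter_arn)]
    if kms_key_arn:
        needed.append(("kms:Decrypt", kms_key_arn))
    return [(act, res, evaluate(policy, act, res)) for act, res in needed]


def request_allowed(policy, api_action, parameter_arn, kms_key_arn=None) -> bool:
    return all(d == "Allow" for _, _, d in
               check_request(policy, api_action, parameter_arn, kms_key_arn))


# The questioner's policy (region field left empty) and the fix from the
# first answer with the question's own region (us-east-1) filled in.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:DescribeParameters"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ssm:GetParameters", "ssm:GetParametersByPath"],
     "Resource": "arn:aws:ssm:::parameter/*"}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:DescribeParameters"], "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ssm:GetParameters", "ssm:GetParameter", "ssm:GetParametersByPath"],
     "Resource": "arn:aws:ssm:us-east-1::parameter/*"}]}
# Constructed policy for account-owned parameters that forgot the KMS side.
APP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:GetParameter*",
     "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/app/*"}]}

# The public EKS AMI parameter from the error message: region, no account.
EKS_AMI_PARAM = ("arn:aws:ssm:us-east-1::parameter/aws/service/eks/optimized-ami/"
                 "1.18/amazon-linux-2/recommended/image_id")
APP_SECRET = "arn:aws:ssm:us-east-1:123456789012:parameter/app/db-password"
APP_KEY = "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID"

if __name__ == "__main__":
    for name, pol in [("question", QUESTION_POLICY), ("fixed", FIXED_POLICY)]:
        print(name, check_request(pol, "GetParameter", EKS_AMI_PARAM))
    print("secure string:", check_request(APP_POLICY, "GetParameter", APP_SECRET, APP_KEY))
```

Running it shows the question's policy denying ssm:GetParameter twice over (the action is not listed, and even ssm:GetParameters fails the region field), the fixed policy allowing it, and the constructed SecureString case where the SSM half is allowed but kms:Decrypt is implicitly denied, which is exactly the situation the comments describe as a misleading error. The real simulator (`aws iam simulate-custom-policy`) remains the authoritative check; this model is for understanding the result, not replacing it.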