I get an error in my Lambda function that calls SSM:
AccessDeniedException: User: arn:aws:sts::redacted:assumed-role/LambdaBackend_master_lambda/SpikeLambda cannot execute: ssm:GetParameter on the resource: arn:aws:ssm:eu-west-1:redacted:parameter/default/key/api
However, I am sure I configured this correctly:
The role, with AssumeRole for Lambda (although we know that works from the error message):

    λ aws iam get-role --role-name LambdaBackend_master_lambda
    {
        "Role": {
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Action": "sts:AssumeRole",
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "lambda.amazonaws.com"
                        }
                    }
                ]
            },
            "RoleId": "redacted",
            "CreateDate": "2017-06-23T20:49:37Z",
            "RoleName": "LambdaBackend_master_lambda",
            "Path": "/",
            "Arn": "arn:aws:iam::redacted:role/LambdaBackend_master_lambda"
        }
    }
And my policy:
    λ aws iam list-role-policies --role-name LambdaBackend_master_lambda
    {
        "PolicyNames": [
            "ssm_read"
        ]
    }

    λ aws iam get-role-policy --role-name LambdaBackend_master_lambda --policy-name ssm_read
    {
        "RoleName": "LambdaBackend_master_lambda",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": [
                        "ssm:DescribeParameters"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "ssm:GetParameters"
                    ],
                    "Resource": "arn:aws:ssm:eu-west-1:redacted:parameter/*",
                    "Effect": "Allow"
                }
            ]
        },
        "PolicyName": "ssm_read"
    }
I ran it through a policy simulator and everything seems to be in order!

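An added example, not part of the original post: a simplified check of the `ssm_read` policy shown above against the action and resource named in the error message. It evaluates only the Allow statements of this one identity policy (no explicit Deny, conditions, permission boundaries or SCPs), and the helper names are made up for this illustration.

```python
import re

# Constructed from the values in the post; "redacted" stands in for the account id.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["ssm:DescribeParameters"], "Resource": "*", "Effect": "Allow"},
        {"Action": ["ssm:GetParameters"],
         "Resource": "arn:aws:ssm:eu-west-1:redacted:parameter/*", "Effect": "Allow"},
    ],
}
DENIED_ACTION = "ssm:GetParameter"  # action named in the AccessDeniedException
DENIED_RESOURCE = "arn:aws:ssm:eu-west-1:redacted:parameter/default/key/api"


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case=False):
    """IAM-style match: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return re.fullmatch(regex, value, flags) is not None


def explain(policy, action, resource):
    """Return (allowed, near_misses); near_misses lists the actions of Allow
    statements that cover the resource but not the requested action."""
    allowed, near_misses = False, []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        res_ok = any(_wildcard_match(r, resource)
                     for r in _as_list(stmt.get("Resource", [])))
        # Action names are matched case-insensitively, resource ARNs are not.
        act_ok = any(_wildcard_match(a, action, ignore_case=True)
                     for a in _as_list(stmt.get("Action", [])))
        if res_ok and act_ok:
            allowed = True
        elif res_ok:
            near_misses.extend(_as_list(stmt["Action"]))
    return allowed, near_misses


if __name__ == "__main__":
    for act in (DENIED_ACTION, "ssm:GetParameters"):
        print(act, "->", explain(POLICY, act, DENIED_RESOURCE))
```
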