
I am trying to set up eksctl for EKS but it is throwing "Error: unable to determine AMI to use: error getting AMI from SSM Parameter Store: AccessDeniedException: User: arn:aws:iam:::user/cnc is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1::parameter/aws/service/eks/optimized-ami/1.18/amazon-linux-2/recommended/image_id".

The IAM permission policy I am using is:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:DescribeParameters"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:GetParameters",
                    "ssm:GetParametersByPath"
                ],
                "Resource": "arn:aws:ssm:::parameter/*"
            }
        ]
    }

I also tried using the policy simulator to check the permissions; it gives me "Implicitly Denied (No matching statement)".

Abhinav Kumar

7 Answers


I had the same issue. The way I resolved it was by adding the region to the SSM resource. I also added ssm:GetParameter, like this:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:DescribeParameters"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:GetParameters",
                    "ssm:GetParameter",
                    "ssm:GetParametersByPath"
                ],
                "Resource": "arn:aws:ssm:ca-central-1::parameter/*"
            }
        ]
    }

Notice that I've added the region ca-central-1; you should change it to your current region.
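To see concretely why the policy simulator reports "Implicitly Denied (No matching statement)" for the question's policy, and why both halves of this fix (the region in the resource ARN and the ssm:GetParameter action) are needed, here is a small Python script added to this thread; it is not code from AWS, eksctl or any of the answers. It implements only the slice of IAM evaluation the thread turns on: Allow statements, "*" wildcards in Action and Resource, and ARN comparison segment by segment (IAM wildcards do not span the colon-separated ARN segments). It uses us-east-1, the region from the question's error message, in place of ca-central-1, and goes one step beyond the answer by also evaluating a "region only" variant of the policy to show that fixing the ARN alone is not enough. Explicit Deny, Condition, NotAction and "?" wildcards are deliberately left out.

```python
"""Why the question's policy is implicitly denied for the eksctl request.

Added illustration for this thread, not AWS, eksctl or answer code. Only the
subset of IAM evaluation relevant here is modelled (see the lead-in).
"""
import fnmatch

# Request copied from the AccessDeniedException in the question.
REQUEST_ACTION = "ssm:GetParameter"
REQUEST_RESOURCE = ("arn:aws:ssm:us-east-1::parameter/aws/service/eks/"
                    "optimized-ami/1.18/amazon-linux-2/recommended/image_id")

# Policy from the question: empty region segment, no ssm:GetParameter action.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:DescribeParameters"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ssm:GetParameters", "ssm:GetParametersByPath"],
         "Resource": "arn:aws:ssm:::parameter/*"},
    ],
}

# Constructed variant: region added but the action still missing. Still denied.
REGION_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:DescribeParameters"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ssm:GetParameters", "ssm:GetParametersByPath"],
         "Resource": "arn:aws:ssm:us-east-1::parameter/*"},
    ],
}

# The answer's fix, with the region set to the one from the error message.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:DescribeParameters"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ssm:GetParameters", "ssm:GetParameter", "ssm:GetParametersByPath"],
         "Resource": "arn:aws:ssm:us-east-1::parameter/*"},
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """Action names match case-insensitively; '*' matches any run of characters."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def arn_matches(pattern, arn):
    """Compare ARNs segment by segment.

    A bare '*' matches everything. Otherwise each of the six colon-separated
    segments (arn, partition, service, region, account, resource) is matched on
    its own, so an empty region segment in the policy matches only an empty
    region in the request; it is not a wildcard.
    """
    if pattern == "*":
        return True
    p_parts = pattern.split(":", 5)
    a_parts = arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def explain(policy, action, resource):
    """Per Allow statement: (index, action matched?, resource matched?)."""
    return [
        (i,
         any(action_matches(p, action) for p in _as_list(st.get("Action", []))),
         any(arn_matches(p, resource) for p in _as_list(st.get("Resource", []))))
        for i, st in enumerate(policy["Statement"])
        if st.get("Effect") == "Allow"
    ]


def evaluate(policy, action, resource):
    """Return ("Allowed", statement_index) or the simulator's implicit-deny verdict."""
    for i, act_ok, res_ok in explain(policy, action, resource):
        if act_ok and res_ok:
            return "Allowed", i
    return "Implicitly Denied (No matching statement)", None


if __name__ == "__main__":
    for name, policy in [("question", QUESTION_POLICY),
                         ("region only", REGION_ONLY_POLICY),
                         ("fixed", FIXED_POLICY)]:
        verdict, idx = evaluate(policy, REQUEST_ACTION, REQUEST_RESOURCE)
        where = f" by statement {idx}" if idx is not None else ""
        print(f"{name:12s} -> {verdict}{where}")
        for i, act_ok, res_ok in explain(policy, REQUEST_ACTION, REQUEST_RESOURCE):
            print(f"    statement {i}: action match={act_ok}, resource match={res_ok}")
```

Running it prints the per-statement breakdown: for the question's policy the second statement fails on both the action (ssm:GetParameters is not ssm:GetParameter) and the resource (empty region segment versus us-east-1); with only the region fixed the action check still fails; only the full fix matches, by statement 1. The same segment-by-segment rule is why `arn:aws:ssm:*:*:parameter/*` would also match the public EKS parameter, whose account segment is empty.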

Juan Montufar

For me, I was using --with-decryption for a SecureString. My instance profile also needed to have KMS rights to the alias/parameter-store-key.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter*"
            ],
            "Resource": "arn:aws:ssm:us-west-2:111122223333:parameter/ITParameters/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ]
}
Duke

  • Thanks for this! I had the same problem and the thing that was confusing for me was the error message didn't mention KMS at all. It just said that I didn't have "ssm:GetParameter" permissions. Arrrgghhh... IAM permission will be the death of me. – Richard Hurt Aug 18 '22 at 12:59
  • No doubt! We gotta support each other, cuz the AWS docs certainly won't – Duke Aug 19 '22 at 19:11

Mine was in the other direction. I had ssm:GetParameter, and the error message was AccessDeniedException: User is not authorized to perform: ssm:GetParameter on resource because no identity-based policy allows the ssm:GetParameter action, but implicitly the missing ssm:GetParameters was causing the request to be denied with a misleading error message.

plantbeard

  • I had the same issue. Was trying to use `ssm:GetParametersByPath` which apparently requires `ssm:GetParameters` as well. Lost a few hours on that one.... sigh – theVinchi Jan 18 '23 at 19:59

I think you might need to authorize the "ssm:GetParameter" action as well.

Paschen

I had the same error message as @plantbeard, but mine was related to capitalisation. I was using Serverless and taking the param name from the stage environment, e.g. dev, but my parameter was called /Dev/param. Renaming it to /dev/param fixed it for me.

  • This is a comment about another answer: https://stackoverflow.com/a/71460789/ but it doesn't answer the question. – karel Apr 21 '22 at 05:06

For anyone else who still has issues, I was receiving the same error for my Lambda function:

"AccessDeniedException: User: arn:aws:sts::xxxxxx:assumed-role/[role-name]-role-xxxxxx/[lambda-function-name] is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:xxxxxx:parameter/[parameter_path1]/[parameter_pathx] because no identity-based policy allows the ssm:GetParameter action",

I found that on the policies page https://us-east-1.console.aws.amazon.com/iamv2/home#/policies

I needed to add the rule to a policy of type "Customer managed" named AWSLambdaBasicExecutionRole-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (I think someone else created this, though, and I just added on to it).

That looked like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:GetParameter",
            "Resource": "arn:aws:ssm:us-east-1:xxxxxxxxxx:parameter/[parameter_path1]/[parameter_pathx]"
        }
    ]
}

(screenshot: AWS Policies)

Carlos

If you have a Lambda and live-edit the policy attached to the Lambda's role, it will not work. The policy update is not reflected until you switch to another role and switch back.

Also, for GetParametersByPath you have to provide the path, not the path with /*. This is what worked for me:

    statement {
      effect = "Allow"
      actions = [
        "ssm:GetParametersByPath",
        "ssm:GetParameters",
        "ssm:GetParameter"
      ]
      resources = [
        "arn:aws:ssm:eu-west-1:0123456789:parameter:my-ssm-namespace"
      ]
    }
mkkot