
I am trying to get parameters from AWS Parameter Store using @aws-sdk v3 with a Cognito unauthenticated identity pool, like this:

import { SSMClient, GetParameterCommand } from "@aws-sdk/client-ssm";
import { fromCognitoIdentityPool } from "@aws-sdk/credential-providers";

const REGION = 'us-east-1';

// SSM client whose credentials come from the Cognito identity pool
// (no logins supplied, so the unauthenticated role is assumed).
const ssm = new SSMClient({
  region: REGION,
  credentials: fromCognitoIdentityPool({
    clientConfig: { region: REGION },
    identityPoolId: 'us-east-1:xxxx...'
  })
});

// Name of the parameter to read from Parameter Store.
const input = {
  Name: '/config'
};

const response = await ssm.send(new GetParameterCommand(input));

But I am receiving this message:

AccessDeniedException: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/Cognito_CredentialsUnauth_Role/CognitoIdentityCredentials is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:xxxxxxxxxxxx:parameter/config because no session policy allows the ssm:GetParameter action

My cognito role is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*",
        "ssm:GetParameters",
        "ssm:GetParameter"
      ],
      "Resource": "*"
    }
  ]
}

I talked to AWS support and they said that my role is right and that the problem is in my session policy. But I don't understand what I need to do.

Pedro Voy
It looks like your user isn't authenticated, so CredentialsUnauth_Role is assumed. Do you let unauth users access ssm:GetParameter? I mean, is it intentional? Is https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html of any help? – Anton Sep 28 '22 at 10:54
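The error message above points at a session policy, not the role policy. The following is an added illustration (not code from the question, from AWS, or from the SDK) of why a role policy that allows ssm:GetParameter can still produce that denial: the effective permissions of an assumed-role session are the intersection of the role policy and any session (scope-down) policy. The role policy is the one posted in the question; the session policy and the account ID are constructed stand-ins, not the real policy Cognito applies.

```javascript
// Added illustration: effective permissions of an assumed-role session are the
// intersection of the IAM role policy and any session (scope-down) policy.
// Only Allow statements with wildcard matching are modelled; Deny, Condition
// and NotAction are out of scope for this sketch.

// Turn an IAM wildcard pattern ("ssm:Get*", "*") into a RegExp.
function wildcard(pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`, "i");
}

function asList(v) { return Array.isArray(v) ? v : [v]; }

// Does this single policy document allow `action` on `resource`?
function policyAllows(policy, action, resource) {
  return policy.Statement.some((st) =>
    st.Effect === "Allow" &&
    asList(st.Action).some((a) => wildcard(a).test(action)) &&
    asList(st.Resource).some((r) => wildcard(r).test(resource)));
}

// Credentials vended for a role: allowed only if the role policy AND the
// session policy (when present) both allow it. Reports which layer denied.
function effectiveDecision(rolePolicy, sessionPolicy, action, resource) {
  if (!policyAllows(rolePolicy, action, resource)) return "denied by role policy";
  if (sessionPolicy && !policyAllows(sessionPolicy, action, resource))
    return "denied by session policy";
  return "allowed";
}

// Role policy as posted in the question.
const rolePolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Resource: "*",
    Action: ["mobileanalytics:PutEvents", "cognito-sync:*", "ssm:GetParameters", "ssm:GetParameter"] }],
};

// Constructed stand-in for a scope-down session policy (assumption: it grants
// only the two non-SSM services named in the role policy).
const sessionPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Resource: "*",
    Action: ["mobileanalytics:PutEvents", "cognito-sync:*"] }],
};

// Constructed account ID; the parameter path is the one from the error message.
const paramArn = "arn:aws:ssm:us-east-1:123456789012:parameter/config";
console.log(effectiveDecision(rolePolicy, sessionPolicy, "ssm:GetParameter", paramArn));
```

Running it prints "denied by session policy": the role policy passes, so widening the role does nothing, and the check that fails is the one layered on top of it.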
