SSM Module: String Parameter assumes parameter will have a '/' at the front of the string.
Describe the bug
When creating a string parameter in SSM parameter store, CDK makes the assumption that a ‘/’ will be placed in front of the parameter. This is not a requirement of SSM parameter store; hence, when creating a parameter without a ‘/’ in the front of the string and granting access from another resource to this parameter, cdk will provide an ARN that is invalid. This isn’t immediately noticeable as the IAM policy will still get created, but one would have to dig to figure out why the requested access is not working as expected.
See here:
https://github.com/awslabs/aws-cdk/blob/master/packages/%40aws-cdk/aws-ssm/lib/parameter.ts#L125
To Reproduce
cdk deploy
app.py:
#!/usr/bin/env python3
from aws_cdk import (
    aws_lambda,
    aws_ssm,
    cdk
)


class LambdaTestSSMParam(cdk.Stack):
    def __init__(self, app: cdk.App, id: str) -> None:
        super().__init__(app, id)

        # Parameter name deliberately has no leading '/'
        string_param = aws_ssm.StringParameter(
            self, "StringParameterWithoutSlash",
            name="NO_SLASH_STRING_PARAM",
            string_value="test"
        )

        # If you want to see the function actually fail due to lack of permissions
        # (the inline code must start at column 0 so the Lambda source is valid Python)
        lambda_code = """
#!/usr/bin/env python3
def lambda_handler(event, context):
    import boto3
    client = boto3.client('ssm')
    return client.get_parameter(
        Name='{}',
        WithDecryption=False
    )
""".format(string_param.parameter_name)

        lambda_function = aws_lambda.Function(
            self, "BasicLambda",
            code=aws_lambda.InlineCode(lambda_code),
            handler="index.lambda_handler",
            timeout=30,
            runtime=aws_lambda.Runtime.PYTHON37,
        )

        # Generates the IAM policy shown below
        string_param.grant_read(lambda_function)


app = cdk.App()
LambdaTestSSMParam(app, "LambdaCronExample")
app.run()
IAM policy that is created:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ssm:DescribeParameters",
        "ssm:GetParameter",
        "ssm:GetParameterHistory"
      ],
      "Resource": "arn:aws:ssm:us-west-2:580961807929:parameterNO_SLASH_STRING_PARAM",
      "Effect": "Allow"
    }
  ]
}
Expected behavior
IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ssm:DescribeParameters",
        "ssm:GetParameter",
        "ssm:GetParameterHistory"
      ],
      "Resource": "arn:aws:ssm:us-west-2:580961807929:parameter/NO_SLASH_STRING_PARAM",
      "Effect": "Allow"
    }
  ]
}
Version:
- Mac OSX 10.13.6
- Python 3.7.3
- CDK Version: 0.33.0 (build 50d71bf)
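As an added illustration (not the reporter's code and not CDK's implementation), the following Python places the ARN shape the issue describes next to a construction that normalises the leading slash, and adds a check that flags the malformed resource in a synthesised policy document. The region and account id are the ones in the policy above; the parameter path `/prod/db/password`, the policy dict and the function names are this example's own assumptions.

```python
from __future__ import annotations
import re

# Constructed sample values; region and account id are the ones shown in the issue's policy output.
REGION = "us-west-2"
ACCOUNT = "580961807929"


def buggy_parameter_arn(region: str, account: str, name: str) -> str:
    """ARN shape the issue describes: the name is appended straight after
    'parameter', so a name without a leading '/' yields 'parameter<name>',
    which matches no parameter and silently grants nothing."""
    return f"arn:aws:ssm:{region}:{account}:parameter{name}"


def parameter_arn(region: str, account: str, name: str) -> str:
    """Hardened construction (this example's own, not CDK's): strip any
    leading '/' and always emit 'parameter/<name>', which is the ARN form
    for both simple names and hierarchical paths."""
    return f"arn:aws:ssm:{region}:{account}:parameter/{name.lstrip('/')}"


_SSM_PARAM_RESOURCE = re.compile(r"^arn:aws:ssm:[^:]*:[^:]*:parameter(?P<rest>.*)$")


def malformed_ssm_resources(policy: dict) -> list[str]:
    """Return SSM parameter resource ARNs in a policy document that lack the
    '/' after 'parameter'. Running this over the synthesised template catches
    the silent permission failure before deployment."""
    bad = []
    for stmt in policy.get("Statement", []):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            m = _SSM_PARAM_RESOURCE.match(res)
            if m and not m.group("rest").startswith("/"):
                bad.append(res)
    return bad


# Constructed policy mirroring the one CDK generated in the issue.
GENERATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["ssm:DescribeParameters", "ssm:GetParameter", "ssm:GetParameterHistory"],
        "Resource": buggy_parameter_arn(REGION, ACCOUNT, "NO_SLASH_STRING_PARAM"),
        "Effect": "Allow",
    }],
}

if __name__ == "__main__":
    print(malformed_ssm_resources(GENERATED_POLICY))
    print(parameter_arn(REGION, ACCOUNT, "NO_SLASH_STRING_PARAM"))
```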
Top GitHub Comments
I just made a parameter without “/”: I also supposed it was required, but actually it is not. If it’s ok for everyone, maybe I can jump on this - maybe as suggested by @rileylyman

I am happy to contribute the fix to this, if no one else is doing one right now. First I need to understand: why is the parameter name assumed to (or supposed to) have a leading slash?