ssm parameter grantRead() doesn't grant GetParametersByPath
🐛 Bug Report
What is the problem?
When using SSM Parameters and trying to grant permission for a Lambda to read the Parameter with the grantRead(fn) method, it won't add the ssm:GetParametersByPath permission to the Lambda's policy.
Reproduction Steps
import * as cdk from '@aws-cdk/core';
import * as lambda from '@aws-cdk/aws-lambda';
import * as ssm from '@aws-cdk/aws-ssm';

// props.bookingTable, props.stage, bookingMachine and the DynamoDBCrudPolicy helper
// come from the surrounding stack and are not shown in the report.
const reserveBooking = new lambda.Function(this, "ReserveBooking", {
  runtime: lambda.Runtime.PYTHON_3_7,
  timeout: cdk.Duration.seconds(10),
  code: new lambda.AssetCode('../src/backend/booking/src/reserve-booking'),
  handler: 'reserve.lambda_handler',
  environment: {
    BOOKING_TABLE_NAME: props.bookingTable
  },
  initialPolicy: [DynamoDBCrudPolicy(props.bookingTable)]
});

const processParam = new ssm.StringParameter(this, "ProcessBookingParameter", {
  stringValue: bookingMachine.stateMachineArn,
  description: "Step Functions State Machine ARN",
  parameterName: `/service/booking/process-booking-state-machine/${props.stage}`
});

// Adds the SSM read actions on this one parameter's ARN to the function's role;
// ssm:GetParametersByPath is not among them.
processParam.grantRead(reserveBooking);
yields the following permissions:
"ssm:DescribeParameters",
"ssm:GetParameters",
"ssm:GetParameter",
"ssm:GetParameterHistory"
but not ssm:GetParametersByPath
Verbose Log
An error occurred (AccessDeniedException) when calling the GetParametersByPath operation: User: arn:aws:sts::9999:assumed-role/CdkJunkStack-FooQueueRecorderFooFn1ServiceRoleXXX-XXX/CdkJunkStack-FooQueueRecorderFooFn1XXX-XXX is not authorized to perform: ssm:GetParametersByPath on resource: arn:aws:ssm:us-west-2:9999:parameter/path/to/param
Environment
- CDK CLI Version: 1.6.1 (build a09203a)
- Module Version: ssm
- OS: all
- Language: all
Other information
Issue Analytics
- Created 4 years ago
- Comments: 5 (2 by maintainers)
Top GitHub Comments

I still think it would be useful to include ssm:GetParametersByPath in the allowed actions. Maybe an optional flag that must be explicitly set for it to be included would be a good compromise for those of us who want to grant access all willy nilly?

After thinking about this some, I'm wondering if it's actually desirable for ssm:GetParametersByPath to be left out of the generated permissions. I believe the grant model works like this:

1. … ssm.StringParameter, either by constructing one or (more commonly?) by calling .fromSecureStringParameterAttributes()
2. …
3. … get_parameter (for example), to access that particular param.

If someone is using .get_parameters_by_path() in step three, they will get back (or try to access) a whole list of params, everything under the tree. In this case, I think CDK should require that they obtained grants for all the params in said tree, not just for the particular param obtained in step (1). Say someone does expand steps (1) and (2) to obtain all the params under a path and call .grantX() on each of them. Should they expect that set of params to be the same at the time the lambda runs? It might not be. (Say someone adds a param under the path in question after the stack is created.) Maybe for this reason the best thing to do is leave ssm:GetParametersByPath out of the permissions created by param.grantX() calls, and discourage the use of .get_parameters_by_path() in lambdas managed by CDK.

@rhboyd created this issue in part b/c of a question I asked in the gitter channel. In my case, I was using .get_parameters_by_path() in a lambda, but I can actually use .get_parameter(), since in my case I'm only trying to get back a single param.
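To make both points on this page concrete, the four actions the report shows grantRead() attaching and the whole-tree scope the comment warns a path grant implies, here is an added example in Python that is not from the issue or the aws-cdk project. It models the policy statements as plain dicts, evaluates them with a simplified IAM matcher (Allow/Deny on action and resource wildcards only; no Condition or Principal), and builds the extra ssm:GetParametersByPath statement a stack would have to add by hand. The region, account id, parameter names and helper names are constructed for illustration; the rule that GetParametersByPath is authorised against the ARN of the path passed to the call is taken from the resource named in the verbose log's AccessDenied line.

```python
"""Added example (not from the aws-cdk issue or project): what grantRead()
attaches, per the report, versus what get_parameters_by_path() needs."""
import re

# The four actions the bug report shows grantRead() emitting.
GRANT_READ_ACTIONS = [
    "ssm:DescribeParameters",
    "ssm:GetParameters",
    "ssm:GetParameter",
    "ssm:GetParameterHistory",
]

# Constructed values for the walk-through; any region/account works.
REGION = "us-west-2"
ACCOUNT = "999999999999"
PARAM_PROD = "/service/booking/process-booking-state-machine/prod"
PARAM_DEV = "/service/booking/process-booking-state-machine/dev"
PATH = "/service/booking/process-booking-state-machine"


def parameter_arn(region, account, name):
    """ARN of an SSM parameter or path; the leading '/' folds into 'parameter/'."""
    return f"arn:aws:ssm:{region}:{account}:parameter/{name.lstrip('/')}"


def grant_read_statement(region, account, name):
    """Equivalent of what the report says grantRead() adds: the four read
    actions scoped to that one parameter's ARN."""
    return {
        "Effect": "Allow",
        "Action": list(GRANT_READ_ACTIONS),
        "Resource": [parameter_arn(region, account, name)],
    }


def get_parameters_by_path_statement(region, account, path):
    """Hypothetical helper: the statement a stack must add by hand so that
    get_parameters_by_path(Path=path) is authorised. IAM checks the call
    against the ARN of the path itself (the resource in the log's
    AccessDenied line) and the result is everything under it, so the grant
    covers the path and its whole subtree."""
    base = parameter_arn(region, account, path)
    return {
        "Effect": "Allow",
        "Action": ["ssm:GetParametersByPath"],
        "Resource": [base, base + "/*"],
    }


def _iam_match(pattern, value, case_insensitive):
    """IAM wildcard matching: '*' matches any run, '?' exactly one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def policy_allows(statements, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, otherwise any matching
    Allow grants, otherwise implicit deny. Actions compare case-insensitively,
    resource ARNs case-sensitively."""
    allowed = False
    for stmt in statements:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_iam_match(a, action, True) for a in actions):
            continue
        if not any(_iam_match(r, resource, False) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def walk_through():
    """Reproduces the report's failure and shows how far the extra grant reaches."""
    read_only = [grant_read_statement(REGION, ACCOUNT, PARAM_PROD)]
    with_path = read_only + [get_parameters_by_path_statement(REGION, ACCOUNT, PATH)]
    return {
        # get_parameter on the granted parameter works with grantRead() alone.
        "get_parameter_prod": policy_allows(
            read_only, "ssm:GetParameter", parameter_arn(REGION, ACCOUNT, PARAM_PROD)),
        # get_parameters_by_path is denied: the AccessDeniedException in the log.
        "by_path_read_only": policy_allows(
            read_only, "ssm:GetParametersByPath", parameter_arn(REGION, ACCOUNT, PATH)),
        # ... and allowed once the path statement is added.
        "by_path_with_grant": policy_allows(
            with_path, "ssm:GetParametersByPath", parameter_arn(REGION, ACCOUNT, PATH)),
        # The path grant also authorises listing the dev subtree, which no
        # grantRead() call ever covered: the comment's whole-tree concern.
        "by_path_dev_subtree": policy_allows(
            with_path, "ssm:GetParametersByPath", parameter_arn(REGION, ACCOUNT, PARAM_DEV)),
        # grantRead() itself stays scoped to prod; dev is not directly readable.
        "get_parameter_dev": policy_allows(
            with_path, "ssm:GetParameter", parameter_arn(REGION, ACCOUNT, PARAM_DEV)),
    }


if __name__ == "__main__":
    for check, result in walk_through().items():
        print(f"{check}: {'allowed' if result else 'denied'}")
```

The last two checks are the practical caveat: a by-path grant is a grant on a subtree, so a parameter added under that path after deployment becomes readable by the function without any change to the stack, which is why scoping the path statement as tightly as the call allows (or calling get_parameter for a single value, as the commenter did) is the safer choice.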