
ssm parameter grantRead() doesn't grant GetParametersByPath


🐛 Bug Report

What is the problem?

When using SSM Parameters and trying to grant permission for a Lambda to read the Parameter with the grantRead(fn) method, it won't add the ssm:GetParametersByPath permission to the Lambda's policy.

Reproduction Steps

    import * as cdk from '@aws-cdk/core';
    import * as lambda from '@aws-cdk/aws-lambda';
    import * as ssm from '@aws-cdk/aws-ssm';

    // `props`, `bookingMachine` and the DynamoDBCrudPolicy helper belong to the
    // reporter's own stack and are not part of this snippet.
    const reserveBooking = new lambda.Function(this, "ReserveBooking", {
        runtime: lambda.Runtime.PYTHON_3_7,
        timeout: cdk.Duration.seconds(10),
        code: new lambda.AssetCode('../src/backend/booking/src/reserve-booking'),
        handler: 'reserve.lambda_handler',
        environment: {
            BOOKING_TABLE_NAME: props.bookingTable
        },
        initialPolicy: [DynamoDBCrudPolicy(props.bookingTable)]
    });

    // Parameter holding the state machine ARN, keyed by deployment stage
    const processParam = new ssm.StringParameter(this, "ProcessBookingParameter", {
        stringValue: bookingMachine.stateMachineArn,
        description: "Step Functions State Machine ARN",
        parameterName: `/service/booking/process-booking-state-machine/${props.stage}`
    });

    // Expected to grant the Lambda every SSM read action on this parameter
    processParam.grantRead(reserveBooking);

yields the following permissions:

"ssm:DescribeParameters",
"ssm:GetParameters",
"ssm:GetParameter",
"ssm:GetParameterHistory"

but not ssm:GetParametersByPath

Verbose Log

An error occurred (AccessDeniedException) when calling the GetParametersByPath operation: User: arn:aws:sts::9999:assumed-role/CdkJunkStack-FooQueueRecorderFooFn1ServiceRoleXXX-XXX/CdkJunkStack-FooQueueRecorderFooFn1XXX-XXX is not authorized to perform: ssm:GetParametersByPath on resource: arn:aws:ssm:us-west-2:9999:parameter/path/to/param


Environment

  • CDK CLI Version: 1.6.1 (build a09203a)
  • Module Version: ssm
  • OS: all
  • Language: all

Other information

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:5 (2 by maintainers)

Top GitHub Comments

4 reactions
brno32 commented, Jun 13, 2021

I still think it would be useful to include ssm:GetParametersByPath in the allowed actions. Maybe an optional flag that must be explicitly set for it to be included would be a good compromise for those of us who want to grant access all willy-nilly?

1 reaction
bcx commented, Sep 2, 2019

After thinking about this some, I’m wondering if it’s actually desirable for ssm:GetParametersByPath to be left out of the generated permissions.

I believe the grant model works like this:

  1. I obtain an ssm.StringParameter, either by constructing one or (more commonly?) by calling .fromSecureStringParameterAttributes()
  2. I grant a particular lambda function read and/or write permission for that particular param.
  3. Over in the function, I use get_parameter (for example), to access that particular param.

If someone is using .get_parameters_by_path() in step three, they will get back (or try to access) a whole list of params – everything under the tree. In this case, I think CDK should require that they obtained grants for all the params in said tree, not just for the particular param obtained in step (1).

Say someone does expand steps (1) and (2) to obtain all the params under a path and call .grantX() on each of them. Should they expect that set of params to be the same at the time the lambda runs? It might not be. (Say someone adds a param under the path in question after the stack is created.)

Maybe for this reason the best thing to do is leave ssm:GetParametersByPath out of the permissions created by param.grantX() calls, and discourage the use of .get_parameters_by_path() in lambdas managed by CDK.

@rhboyd created this issue in part b/c of a question I asked in the gitter channel. In my case, I was using .get_parameters_by_path() in a lambda, but I can actually use .get_parameter() – since in my case I’m only trying to get back a single param.
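The permission gap in the bug report above (grantRead() emits four actions scoped to one parameter ARN, so a GetParametersByPath call is denied) and the per-parameter versus per-path grant model that bcx lays out are easiest to see with a small policy evaluator. The following is an added example written for this page, not code from the issue, from aws-cdk or from AWS: it implements only a simplified IAM match (Allow/Deny, `*` and `?` wildcards, no conditions or principals), reuses the `us-west-2` / `9999` placeholder values from the issue's log, and assumes a `prod` stage for the parameter name.

```typescript
// Added example (not from the GitHub issue or the CDK project): a minimal
// IAM-style evaluator showing why the statement produced by
// StringParameter.grantRead() cannot satisfy ssm:GetParametersByPath, and
// what an explicitly path-scoped statement looks like.

interface Statement {
  effect: "Allow" | "Deny";
  actions: string[];
  resources: string[];
}

// Region and account are the placeholder values from the issue's log;
// the "prod" stage suffix is an assumption for this example.
const PARAM_ARN =
  "arn:aws:ssm:us-west-2:9999:parameter/service/booking/process-booking-state-machine/prod";

// The four actions the issue reports grantRead() emitting (CDK 1.6.1),
// scoped to the single parameter's ARN.
const grantReadStatement: Statement = {
  effect: "Allow",
  actions: [
    "ssm:DescribeParameters",
    "ssm:GetParameters",
    "ssm:GetParameter",
    "ssm:GetParameterHistory",
  ],
  resources: [PARAM_ARN],
};

// An explicitly scoped statement for the hierarchy. Its resource is the
// path prefix, so every parameter under it, including parameters created
// after the stack deploys, is in scope: exactly the width bcx warns about,
// so keep the prefix as narrow as the function really needs.
const pathReadStatement: Statement = {
  effect: "Allow",
  actions: ["ssm:GetParametersByPath"],
  resources: ["arn:aws:ssm:us-west-2:9999:parameter/service/booking/*"],
};

// Convert an IAM pattern ("*" and "?" wildcards) into an anchored RegExp.
// Action names are case-insensitive in IAM; resource ARNs are not.
function patternToRegExp(pattern: string, ignoreCase: boolean): RegExp {
  const body = pattern
    .split("")
    .map((ch) => {
      if (ch === "*") return ".*";
      if (ch === "?") return ".";
      return ch.replace(/[.+^${}()|[\]\\]/g, "\\$&");
    })
    .join("");
  return new RegExp(`^${body}$`, ignoreCase ? "i" : "");
}

// Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
// Allow grants the call. Conditions, principals and NotAction are ignored.
function isAllowed(statements: Statement[], action: string, resource: string): boolean {
  let allowed = false;
  for (const s of statements) {
    const actionHit = s.actions.some((a) => patternToRegExp(a, true).test(action));
    const resourceHit = s.resources.some((r) => patternToRegExp(r, false).test(resource));
    if (!actionHit || !resourceHit) continue;
    if (s.effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

// Walk-through of the issue. For GetParametersByPath the resource IAM checks
// is the path itself, as in the AccessDeniedException in the report.
function demo(): Record<string, boolean> {
  const pathArn = "arn:aws:ssm:us-west-2:9999:parameter/service/booking/process-booking-state-machine";
  const outsideTree = "arn:aws:ssm:us-west-2:9999:parameter/other/secret";
  return {
    // get_parameter on the exact ARN: what grantRead() was built for
    getParameterWithGrantRead: isAllowed([grantReadStatement], "ssm:GetParameter", PARAM_ARN),
    // get_parameters_by_path with only grantRead(): the reported denial
    byPathWithGrantRead: isAllowed([grantReadStatement], "ssm:GetParametersByPath", pathArn),
    // same call once the explicit path statement is attached
    byPathWithPathStatement: isAllowed(
      [grantReadStatement, pathReadStatement], "ssm:GetParametersByPath", pathArn),
    // the path statement does not leak into unrelated hierarchies
    byPathOutsideTree: isAllowed([pathReadStatement], "ssm:GetParametersByPath", outsideTree),
  };
}

console.log(demo());
```

The evaluator is deliberately narrower than real IAM, but it captures the design point of the thread: a grant on one parameter's ARN cannot be made to cover a path query without widening the resource to a prefix, and that prefix should be chosen explicitly rather than hidden inside grantRead().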

