AccessDeniedException when retrieving AWS Parameters from Lambda

0

I am attempting to access system parameters from a Lambda developed using C#.

I have added the required lambda layer as per https://docs.aws.amazon.com/systems-manager/latest/userguide/ps-integration-lambda-extensions.html#ps-integration-lambda-extensions-sample-commands

The lambda execution role has the following in the IAM definition (???????? replacing actual account id)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ssm:*"
            ],
            "Resource": "arn:aws:ssm:*:???????????:parameter/*"
        }
    ]
}

As per the AWS page reference above I made an HTTP GET request to http://localhost:2773/systemsmanager/parameters/get/?name=/ClinMod/SyncfusionKey&version=1

This is failing with the following response

{
    "Version": "1.1",
    "Content": {
        "Headers": [
            {
                "Key": "Content-Type",
                "Value": [
                    "text/plain"
                ]
            },
            {
                "Key": "Content-Length",
                "Value": [
                    "31"
                ]
            }
        ]
    },
    "StatusCode": 401,
    "ReasonPhrase": "Unauthorized",
    "Headers": [
        {
            "Key": "X-Amzn-Errortype",
            "Value": [
                "AccessDeniedException"
            ]
        },
        {
            "Key": "Date",
            "Value": [
                "Thu, 01 Dec 2022 12:16:59 GMT"
            ]
        }
    ],
    "TrailingHeaders": [],
    "RequestMessage": {
        "Version": "1.1",
        "VersionPolicy": 0,
        "Content": null,
        "Method": {
            "Method": "GET"
        },
        "RequestUri": "http://localhost:2773/systemsmanager/parameters/get/?name=/ClinMod/SyncfusionKey&version=1",
        "Headers": [],
        "Properties": {},
        "Options": {}
    },
    "IsSuccessStatusCode": false
}

Any clues where I am going wrong?

2 Answers
0
Accepted Answer

Hi Richard,

Are you adding the X-Aws-Parameters-Secrets-Token header with the AWS_SESSION_TOKEN to your request?

answered a year ago
  • Thanks Bryan, that seems to have moved me one step closer. I was not using the header so have now added it. It still fails but now it spits out an error to give me some clues.

    The error I get is :

    [AWS Parameters and Secrets Lambda Extension] 2022/12/02 18:10:11 ERROR GetParameter request encountered an error: operation error SSM: GetParameter, https response error StatusCode: 400, RequestID: ed0638c4-6118-4bfa-ae43-5c1530fce5fb, api error AccessDeniedException: User: arn:aws:sts::??????????:assumed-role/FCKM-lambda-standard/ClinMod_S3_StepFunctionLaunch is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-west-2:??????????:* because no identity-based policy allows the ssm:GetParameter action

    This is puzzling as the execution role does have that permission - well, at least 'FCKM-lambda-standard' does. The role 'FCKM-lambda-standard/ClinMod_S3_StepFunctionLaunch' does not actually exist; I assume it inherits from 'FCKM-lambda-standard'.

  • Looking at the code again I had a typo in the parameter name - once fixed it works fine. Thanks for your help

0

Not sure if it's the final solution, but from what I'm reading I see that the SSM parameter path, like any other value in the query string, should be URL encoded, so changing / to %2F you'll get:

http://localhost:2773/systemsmanager/parameters/get/?name=%2FClinMod%2FSyncfusionKey&version=1

PLS: give it a try!

answered a year ago
  • The URL was already getting encoded - thanks for responding though.
