I am attempting to access system parameters from a Lambda developed using C#.
I have added the required lambda layer as per https://docs.aws.amazon.com/systems-manager/latest/userguide/ps-integration-lambda-extensions.html#ps-integration-lambda-extensions-sample-commands
The lambda execution role has the following in the IAM definition (???????? replacing actual account id)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ssm:*"
      ],
      "Resource": "arn:aws:ssm:*:???????????:parameter/*"
    }
  ]
}
As per the AWS page referenced above, I made an HTTP GET request to http://localhost:2773/systemsmanager/parameters/get/?name=/ClinMod/SyncfusionKey&version=1
This is failing with the following response:
{
  "Version": "1.1",
  "Content": {
    "Headers": [
      {
        "Key": "Content-Type",
        "Value": [
          "text/plain"
        ]
      },
      {
        "Key": "Content-Length",
        "Value": [
          "31"
        ]
      }
    ]
  },
  "StatusCode": 401,
  "ReasonPhrase": "Unauthorized",
  "Headers": [
    {
      "Key": "X-Amzn-Errortype",
      "Value": [
        "AccessDeniedException"
      ]
    },
    {
      "Key": "Date",
      "Value": [
        "Thu, 01 Dec 2022 12:16:59 GMT"
      ]
    }
  ],
  "TrailingHeaders": [],
  "RequestMessage": {
    "Version": "1.1",
    "VersionPolicy": 0,
    "Content": null,
    "Method": {
      "Method": "GET"
    },
    "RequestUri": "http://localhost:2773/systemsmanager/parameters/get/?name=/ClinMod/SyncfusionKey&version=1",
    "Headers": [],
    "Properties": {},
    "Options": {}
  },
  "IsSuccessStatusCode": false
}
Any clues where I am going wrong?
Thanks Bryan, that seems to have moved me one step closer. I was not using the header, so I have now added it. It still fails, but now it spits out an error to give me some clues.
The error I get is:
[AWS Parameters and Secrets Lambda Extension] 2022/12/02 18:10:11 ERROR GetParameter request encountered an error: operation error SSM: GetParameter, https response error StatusCode: 400, RequestID: ed0638c4-6118-4bfa-ae43-5c1530fce5fb, api error AccessDeniedException: User: arn:aws:sts::??????????:assumed-role/FCKM-lambda-standard/ClinMod_S3_StepFunctionLaunch is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-west-2:??????????:* because no identity-based policy allows the ssm:GetParameter action
This is puzzling, as the execution role does have that permission - well, at least 'FCKM-lambda-standard' does. The role 'FCKM-lambda-standard/ClinMod_S3_StepFunctionLaunch' does not actually exist; I assume it inherits from 'FCKM-lambda-standard'.
Looking at the code again, I had a typo in the parameter name - once fixed, it works fine. Thanks for your help.
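
The request discussed in this thread, as an added example that is not code from any of the posters: a C# helper that calls the extension's localhost endpoint with the token header and a URL-encoded parameter name. The class and method names are hypothetical; the header name `X-Aws-Parameters-Secrets-Token`, the `AWS_SESSION_TOKEN` and `PARAMETERS_SECRETS_EXTENSION_HTTP_PORT` environment variables, and the `Parameter.Value` response shape are taken from the AWS documentation linked above, not from this thread.

```csharp
using System;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

// Hypothetical helper (added example, not the poster's code).
public static class ExtensionParameterClient
{
    private static readonly HttpClient Http = new HttpClient();

    // Builds the localhost URL. The name is URL-encoded so "/" and other
    // reserved characters reach the extension exactly as written.
    public static Uri BuildUri(string name, int? version = null)
    {
        // The extension listens on 2773 unless this variable overrides it.
        var port = Environment.GetEnvironmentVariable("PARAMETERS_SECRETS_EXTENSION_HTTP_PORT") ?? "2773";
        var query = "name=" + Uri.EscapeDataString(name);
        if (version.HasValue) query += "&version=" + version.Value;
        return new Uri($"http://localhost:{port}/systemsmanager/parameters/get/?{query}");
    }

    public static async Task<string> GetParameterAsync(string name, int? version = null)
    {
        using var request = new HttpRequestMessage(HttpMethod.Get, BuildUri(name, version));
        // Required by the extension; the request in the 401 dump above carried no headers.
        var token = Environment.GetEnvironmentVariable("AWS_SESSION_TOKEN")
            ?? throw new InvalidOperationException("AWS_SESSION_TOKEN is not set");
        request.Headers.Add("X-Aws-Parameters-Secrets-Token", token);

        using var response = await Http.SendAsync(request);
        var body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
        {
            // Surface the status and error type for diagnosis; never log the token.
            response.Headers.TryGetValues("X-Amzn-Errortype", out var errorType);
            throw new HttpRequestException(
                $"Extension returned {(int)response.StatusCode} " +
                $"({string.Join(",", errorType ?? Array.Empty<string>())}): {body}");
        }
        // Assumed body shape, mirroring SSM GetParameter: { "Parameter": { "Value": ... } }.
        using var doc = JsonDocument.Parse(body);
        return doc.RootElement.GetProperty("Parameter").GetProperty("Value").GetString() ?? string.Empty;
    }
}
```

Called as `await ExtensionParameterClient.GetParameterAsync("/ClinMod/SyncfusionKey", 1)`, this only needs `ssm:GetParameter` on that one parameter's ARN, so the execution role's `ssm:*` on `parameter/*` can be narrowed accordingly.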