What Permission Policy is Required to Solve AccessDeniedException for ssm:GetParameter?

0

I am attempting to set up a dedicated user account for use by Terraform for provisioning cloud infrastructure in AWS. I have the following permission policy set up for the user that Terraform uses with the AWS CLI:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:PutParameter",
                "ssm:DeleteParameter",
                "ssm:DeleteParameters",
                "ssm:GetParameter",
                "ssm:GetParameterHistory",
                "ssm:GetParameters",
                "ssm:GetParametersByPath"
            ],
            "Resource": "arn:aws:ssm:us-east-2::parameter/*"
        },
        {
            "Effect": "Allow",
            "Action": "ssm:DescribeParameters",
            "Resource": "arn:aws:ssm:us-east-2::parameter/*"
        }
    ]
}

Below is the snippet of Terraform code that attempts to create an EC2 instance:

# Look up the AMI for the web server from an SSM parameter.
# "name" must be the SSM parameter's name (the value stored in the
# parameter is what holds the AMI id).
data "aws_ssm_parameter" "ubantu_linux" {
  name = "ami-0b8b44ec9a8f90422"
}

#####################################################################
# INSTANCES
#####################################################################
resource "aws_instance" "nginx" {
  count                  = var.aws_instance_count
  # The parameter's value (marked sensitive by the provider) carries the AMI id;
  # ".name" would only hand back the parameter name string.
  ami                    = nonsensitive(data.aws_ssm_parameter.ubantu_linux.value)
  instance_type          = var.aws_instance_type
  subnet_id              = aws_subnet.public_subnets[(count.index % var.vpc_public_subnet_count)].id
  vpc_security_group_ids = [aws_security_group.nginx_sg.id]
  iam_instance_profile   = aws_iam_instance_profile.nginx_profile.name
  depends_on             = [aws_iam_role_policy.allow_s3_all]
}

When attempting to test setting up an EC2 instance in us-east-2 region from Terraform using the "terraform plan" command, I get AccessDeniedException attempting to access the information associated with the AMI. Below is an example of a typical error message:

Error: describing SSM parameter (ami-0b8b44ec9a8f90422): AccessDeniedException: User: arn:aws:iam::891377101976:user/terraform_robot is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-2:891377101976:parameter/ami-0b8b44ec9a8f90422 because no identity-based policy allows the ssm:GetParameter action
│       status code: 400, request id: b5e7b026-7b7c-4a57-b2d9-49885dfdbd75
│
│   with data.aws_ssm_parameter.amzn2_linux,
│   on instances.tf line 5, in data "aws_ssm_parameter" "amzn2_linux":
│    5: data "aws_ssm_parameter" "amzn2_linux" {

What needs to be adjusted in the permissions policy so that the user account Terraform is using has the necessary permissions?

Noah, asked 12 days ago, 58 views
1 Answer
0
Accepted Answer

Hello.

The ARN in "Resource" may be incorrect.
If you look at the document below, the ARN includes "${Account}".
Also, "ssm:DescribeParameters" cannot be restricted in the "Resource" section.
https://docs.aws.amazon.com/ja_jp/service-authorization/latest/reference/list_awssystemsmanager.html#awssystemsmanager-parameter

arn:${Partition}:ssm:${Region}:${Account}:parameter/${ParameterNameWithoutLeadingSlash}

So why not include your AWS account ID as shown below?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:PutParameter",
                "ssm:DeleteParameter",
                "ssm:DeleteParameters",
                "ssm:GetParameter",
                "ssm:GetParameterHistory",
                "ssm:GetParameters",
                "ssm:GetParametersByPath"
            ],
            "Resource": "arn:aws:ssm:us-east-2:AWS-Account-ID:parameter/*"
        },
        {
            "Effect": "Allow",
            "Action": "ssm:DescribeParameters",
            "Resource": "*"
        }
    ]
}
EXPERT, answered 12 days ago
EXPERT, reviewed 12 days ago
  • That seems to have worked, although I now have another issue. Thank you for your assistance with this!
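The answer's diagnosis can be checked offline before touching the account: IAM compares a `Resource` ARN with the requested ARN segment by segment, so an empty account segment (`arn:aws:ssm:us-east-2::parameter/*`) never matches a resource that carries the account id, and an action without resource-level support only works with `Resource: "*"`. The following is an added example written for this thread, not code from the question, the answer or Terraform; it implements only the subset of IAM evaluation needed here (Allow statements, `*`/`?` wildcards, no Conditions, no explicit Deny) and reuses the account id and error text from the question as constructed sample input:

```python
"""Offline check of which statement in an IAM identity policy allows the
action and resource named in an AWS AccessDeniedException message.

Simplified IAM semantics (assumption): Allow statements only, Action and
Resource wildcard matching, no Condition keys, no Deny, no resource or
session policies. Good enough to reproduce the mismatch in this thread."""
import re

# Constructed sample: the error message from the question, trimmed to one line.
ERROR_TEXT = (
    "AccessDeniedException: User: arn:aws:iam::891377101976:user/terraform_robot "
    "is not authorized to perform: ssm:GetParameter on resource: "
    "arn:aws:ssm:us-east-2:891377101976:parameter/ami-0b8b44ec9a8f90422 "
    "because no identity-based policy allows the ssm:GetParameter action"
)
ORIGINAL_ACCOUNT = ""           # the question's policy left the account segment empty
ACCOUNT_ID = "891377101976"     # account id taken from the error message above

# Actions that do not support resource-level permissions and therefore only
# work with Resource "*" (the answer's point about ssm:DescribeParameters).
WILDCARD_ONLY_ACTIONS = {"ssm:DescribeParameters"}


def build_policy(account_id, describe_resource):
    """The thread's policy with a chosen account segment and a chosen
    Resource for the ssm:DescribeParameters statement."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:PutParameter", "ssm:DeleteParameter", "ssm:DeleteParameters",
                    "ssm:GetParameter", "ssm:GetParameterHistory",
                    "ssm:GetParameters", "ssm:GetParametersByPath",
                ],
                "Resource": f"arn:aws:ssm:us-east-2:{account_id}:parameter/*",
            },
            {"Effect": "Allow", "Action": "ssm:DescribeParameters",
             "Resource": describe_resource},
        ],
    }


def parse_access_denied(text):
    """Extract (action, resource ARN) from an AccessDeniedException message."""
    m = re.search(r"not authorized to perform: (\S+) on resource: (\S+)", text)
    if not m:
        raise ValueError("not an AccessDeniedException message this parser recognises")
    return m.group(1), m.group(2)


def _glob(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def arn_matches(pattern, arn):
    """Match an ARN against a Resource pattern one colon-separated segment at a
    time, so an empty account segment only matches an empty account segment."""
    if pattern == "*":
        return True
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(_glob(p, a) for p, a in zip(p_parts, a_parts))


def _as_list(x):
    return x if isinstance(x, list) else [x]


def allowing_statements(policy, action, resource):
    """Indexes of Allow statements whose Action and Resource both match."""
    hits = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if not any(_glob(a, action) for a in _as_list(st["Action"])):
            continue
        if any(arn_matches(r, resource) for r in _as_list(st["Resource"])):
            hits.append(i)
    return hits


def resource_level_problems(policy):
    """(statement index, action) pairs that scope an action which only accepts "*"."""
    return [(i, a) for i, st in enumerate(policy["Statement"])
            for a in _as_list(st["Action"])
            if a in WILDCARD_ONLY_ACTIONS and _as_list(st["Resource"]) != ["*"]]


if __name__ == "__main__":
    action, resource = parse_access_denied(ERROR_TEXT)
    original = build_policy(ORIGINAL_ACCOUNT, "arn:aws:ssm:us-east-2::parameter/*")
    corrected = build_policy(ACCOUNT_ID, "*")
    for label, policy in (("original", original), ("corrected", corrected)):
        print(label, "allowed by:", allowing_statements(policy, action, resource),
              "resource-level problems:", resource_level_problems(policy))
```

Running it reports no allowing statement for the original policy and statement 0 for the corrected one, and flags the original `ssm:DescribeParameters` statement as scoped to a resource it cannot be scoped to. When the real account needs checking, the IAM policy simulator gives the authoritative answer; this script only reproduces the segment mismatch the answer points at.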
