AccessDeniedException when retrieving AWS Parameters from Lambda

0

I am attempting to access system parameters from a Lambda developed using C#

I have added the required lambda layer as per https://docs.aws.amazon.com/systems-manager/latest/userguide/ps-integration-lambda-extensions.html#ps-integration-lambda-extensions-sample-commands

The lambda execution role has the following in the IAM definition (???????? replacing actual account id)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ssm:*"
            ],
            "Resource": "arn:aws:ssm:*:???????????:parameter/*"
        }
    ]
}

As per the AWS page reference above I made a HTTP GET request to http://localhost:2773/systemsmanager/parameters/get/?name=/ClinMod/SyncfusionKey&version=1

This is failing with the following response

{
    "Version": "1.1",
    "Content": {
        "Headers": [
            {
                "Key": "Content-Type",
                "Value": [
                    "text/plain"
                ]
            },
            {
                "Key": "Content-Length",
                "Value": [
                    "31"
                ]
            }
        ]
    },
    "StatusCode": 401,
    "ReasonPhrase": "Unauthorized",
    "Headers": [
        {
            "Key": "X-Amzn-Errortype",
            "Value": [
                "AccessDeniedException"
            ]
        },
        {
            "Key": "Date",
            "Value": [
                "Thu, 01 Dec 2022 12:16:59 GMT"
            ]
        }
    ],
    "TrailingHeaders": [],
    "RequestMessage": {
        "Version": "1.1",
        "VersionPolicy": 0,
        "Content": null,
        "Method": {
            "Method": "GET"
        },
        "RequestUri": "http://localhost:2773/systemsmanager/parameters/get/?name=/ClinMod/SyncfusionKey&version=1",
        "Headers": [],
        "Properties": {},
        "Options": {}
    },
    "IsSuccessStatusCode": false
}

Any clues where I am going wrong?

2 Answers
0
Accepted Answer

Hi Richard,

Are you adding the X-Aws-Parameters-Secrets-Token header with the AWS_SESSION_TOKEN to you request?

answered 2 months ago
  • Thanks Bryan that seems to have moved me one step closer. I was not using the header so have now added it. It still fails but not it spits out an error to give me some clues

    The error I get is :

    [AWS Parameters and Secrets Lambda Extension] 2022/12/02 18:10:11 ERROR GetParameter request encountered an error: operation error SSM: GetParameter, https response error StatusCode: 400, RequestID: ed0638c4-6118-4bfa-ae43-5c1530fce5fb, api error AccessDeniedException: User: arn:aws:sts::??????????:assumed-role/FCKM-lambda-standard/ClinMod_S3_StepFunctionLaunch is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-west-2:??????????:* because no identity-based policy allows the ssm:GetParameter action

    This is puzzling as the execution role does have that permission - well at least 'FCKM-lambda-standard' does. The role 'FCKM-lambda-standard/ClinMod_S3_StepFunctionLaunch' does not actually exist I assume it inherits from 'FCKM-lambda-standard'

  • Looking at the code again I had a typo in the parameter name - once fixed it works fine. Thanks for your help

0

Not sure if it's the final solution but from what I'm reading I see SSM parameter path, as any other value in query string, should be URL encoded, so changing / to %2F you'll get:

http://localhost:2773/systemsmanager/parameters/get/?name=%2FClinMod%2FSyncfusionKey&version=1

PLS: give it a try!

answered 2 months ago
  • The URL was already getting encoded - thanks for responding though.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions