AWS SAM managed policy for SSM get parameter
Is there any managed policy similar to DynamoDBReadPolicy for the ssm:GetParameter* permission for a Lambda function? I'm using aws-sam-cli and trying to follow this, but when I try to fetch the parameters when using sam local start-api, I get the following error:
InvalidAction: The action or operation requested is invalid. Verify that the action is typed correctly.
Here is the snippet where I try to get the parameter:
const ssm = new AWS.SSM();
const param = {
Name: "param1",
WithDecryption: true
};
const secret = await ssm.getParameter(param).promise();
The relevant template sections are below. Thanks!
KeyAlias:
Type: AWS::KMS::Alias
Properties:
AliasName: 'param1Key'
TargetKeyId: !Ref Key
Key:
Type: AWS::KMS::Key
Properties:
KeyPolicy:
Id: default
Statement:
- Effect: Allow
Principal:
AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
Action:
- 'kms:Create*'
- 'kms:Encrypt'
- 'kms:Describe*'
- 'kms:Enable*'
- 'kms:List*'
- 'kms:Put*'
- 'kms:Update*'
- 'kms:Revoke*'
- 'kms:Disable*'
- 'kms:Get*'
- 'kms:Delete*'
- 'kms:ScheduleKeyDeletion'
- 'kms:CancelKeyDeletion'
Resource: '*'
Sid: Allow root account all permissions except to decrypt the key
Version: 2012-10-17
LambdaFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: ../
Handler: app.lambda
Runtime: nodejs8.10
Policies:
- DynamoDBReadPolicy:
TableName: !Ref Table
- KMSDecryptPolicy:
KeyId: !Ref Key
# I think I need the ssm policy here
amazon-web-services aws-lambda aws-serverless aws-sam-local serverless-application-model
asked Nov 18 '18 at 13:56
holtcholtc
1,069622
add a comment |
Is there any managed policy similar to DynamoDBReadPolicy for the ssm:GetParameter* permission for a Lambda function? I'm using aws-sam-cli and trying to follow this, but when I try to fetch the parameters when using sam local start-api, I get the following error:
InvalidAction: The action or operation requested is invalid. Verify that the action is typed correctly.
Here is the snippet where I try to get the parameter:
const ssm = new AWS.SSM();
const param = {
Name: "param1",
WithDecryption: true
};
const secret = await ssm.getParameter(param).promise();
The relevant template sections are below. Thanks!
KeyAlias:
Type: AWS::KMS::Alias
Properties:
AliasName: 'param1Key'
TargetKeyId: !Ref Key
Key:
Type: AWS::KMS::Key
Properties:
KeyPolicy:
Id: default
Statement:
- Effect: Allow
Principal:
AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
Action:
- 'kms:Create*'
- 'kms:Encrypt'
- 'kms:Describe*'
- 'kms:Enable*'
- 'kms:List*'
- 'kms:Put*'
- 'kms:Update*'
- 'kms:Revoke*'
- 'kms:Disable*'
- 'kms:Get*'
- 'kms:Delete*'
- 'kms:ScheduleKeyDeletion'
- 'kms:CancelKeyDeletion'
Resource: '*'
Sid: Allow root account all permissions except to decrypt the key
Version: 2012-10-17
LambdaFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: ../
Handler: app.lambda
Runtime: nodejs8.10
Policies:
- DynamoDBReadPolicy:
TableName: !Ref Table
- KMSDecryptPolicy:
KeyId: !Ref Key
# I think I need the ssm policy here
amazon-web-services aws-lambda aws-serverless aws-sam-local serverless-application-model
asked Nov 18 '18 at 13:56
holtcholtc
1,069622
add a comment |
Is there any managed policy similar to DynamoDBReadPolicy for the ssm:GetParameter* permission for a Lambda function? I'm using aws-sam-cli and trying to follow this, but when I try to fetch the parameters when using sam local start-api, I get the following error:
InvalidAction: The action or operation requested is invalid. Verify that the action is typed correctly.
Here is the snippet where I try to get the parameter:
const ssm = new AWS.SSM();
const param = {
Name: "param1",
WithDecryption: true
};
const secret = await ssm.getParameter(param).promise();
The relevant template sections are below. Thanks!
KeyAlias:
Type: AWS::KMS::Alias
Properties:
AliasName: 'param1Key'
TargetKeyId: !Ref Key
Key:
Type: AWS::KMS::Key
Properties:
KeyPolicy:
Id: default
Statement:
- Effect: Allow
Principal:
AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
Action:
- 'kms:Create*'
- 'kms:Encrypt'
- 'kms:Describe*'
- 'kms:Enable*'
- 'kms:List*'
- 'kms:Put*'
- 'kms:Update*'
- 'kms:Revoke*'
- 'kms:Disable*'
- 'kms:Get*'
- 'kms:Delete*'
- 'kms:ScheduleKeyDeletion'
- 'kms:CancelKeyDeletion'
Resource: '*'
Sid: Allow root account all permissions except to decrypt the key
Version: 2012-10-17
LambdaFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: ../
Handler: app.lambda
Runtime: nodejs8.10
Policies:
- DynamoDBReadPolicy:
TableName: !Ref Table
- KMSDecryptPolicy:
KeyId: !Ref Key
# I think I need the ssm policy here
amazon-web-services aws-lambda aws-serverless aws-sam-local serverless-application-model
asked Nov 18 '18 at 13:56
holtcholtc
1,069622
Is there any managed policy similar to DynamoDBReadPolicy for the ssm:GetParameter* permission for a Lambda function? I'm using aws-sam-cli and trying to follow this, but when I try to fetch the parameters when using sam local start-api, I get the following error:
InvalidAction: The action or operation requested is invalid. Verify that the action is typed correctly.
Here is the snippet where I try to get the parameter:
const ssm = new AWS.SSM();
const param = {
Name: "param1",
WithDecryption: true
};
const secret = await ssm.getParameter(param).promise();
The relevant template sections are below. Thanks!
KeyAlias:
Type: AWS::KMS::Alias
Properties:
AliasName: 'param1Key'
TargetKeyId: !Ref Key
Key:
Type: AWS::KMS::Key
Properties:
KeyPolicy:
Id: default
Statement:
- Effect: Allow
Principal:
AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
Action:
- 'kms:Create*'
- 'kms:Encrypt'
- 'kms:Describe*'
- 'kms:Enable*'
- 'kms:List*'
- 'kms:Put*'
- 'kms:Update*'
- 'kms:Revoke*'
- 'kms:Disable*'
- 'kms:Get*'
- 'kms:Delete*'
- 'kms:ScheduleKeyDeletion'
- 'kms:CancelKeyDeletion'
Resource: '*'
Sid: Allow root account all permissions except to decrypt the key
Version: 2012-10-17
LambdaFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: ../
Handler: app.lambda
Runtime: nodejs8.10
Policies:
- DynamoDBReadPolicy:
TableName: !Ref Table
- KMSDecryptPolicy:
KeyId: !Ref Key
# I think I need the ssm policy here
amazon-web-services aws-lambda aws-serverless aws-sam-local serverless-application-model
amazon-web-services aws-lambda aws-serverless aws-sam-local serverless-application-model
asked Nov 18 '18 at 13:56
holtcholtc
1,069622
asked Nov 18 '18 at 13:56
holtcholtc
1,069622
edited Nov 19 '18 at 15:04
holtc
asked Nov 18 '18 at 13:56
holtcholtc
1,069622
asked Nov 18 '18 at 13:56
holtcholtc
1,069622
asked Nov 18 '18 at 13:56
holtcholtc
1,069622
1,069622
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
The available SAM policy templates are listed in their Github repository. None of these policy templates grants permissions for any SSM operation, so you can't use a SAM policy template to grant your AWS Lambda function access to SSM parameters as of now.
What you can do as a workaround is to manually add the required policy statement inline to your policies. That would look like:
LambdaFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: ../
Handler: app.lambda
Runtime: nodejs8.10
Policies:
- DynamoDBReadPolicy:
TableName: !Ref Table
- KMSDecryptPolicy:
KeyId: !Ref Key
- Statement:
- Action:
- ssm:GetParameter
Effect: Allow
Resource: arn:aws:ssm:region:account-id:parameter/parameter_name
You should also consider opening a pull request for adding a policy template for SSM parameter access to SAM, as such a template would of course be a more convenient way to express such permissions. From my experience the developers are very friendly and always welcome such additions.
answered Nov 18 '18 at 14:41
DunedanDunedan
2,04951422
Thanks! That helps get the parameter when I have deployed, but when testing locally, I still get theInvalid Actionerror. Perhaps SSM does not exist when running locally?
– holtc
Nov 19 '18 at 15:04
That's right. When using AWS SAM CLI to run applications locally, there is no SSM Parameter Store available locally as well. Coincidentally I opened an issue regarding that a while ago: github.com/awslabs/aws-sam-cli/issues/616
– Dunedan
Nov 19 '18 at 15:55
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53361664%2faws-sam-managed-policy-for-ssm-get-parameter%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
The available SAM policy templates are listed in their Github repository. None of these policy templates grants permissions for any SSM operation, so you can't use a SAM policy template to grant your AWS Lambda function access to SSM parameters as of now.
What you can do as a workaround is to manually add the required policy statement inline to your policies. That would look like:
LambdaFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: ../
Handler: app.lambda
Runtime: nodejs8.10
Policies:
- DynamoDBReadPolicy:
TableName: !Ref Table
- KMSDecryptPolicy:
KeyId: !Ref Key
- Statement:
- Action:
- ssm:GetParameter
Effect: Allow
Resource: arn:aws:ssm:region:account-id:parameter/parameter_name
You should also consider opening a pull request for adding a policy template for SSM parameter access to SAM, as such a template would of course be a more convenient way to express such permissions. From my experience the developers are very friendly and always welcome such additions.
answered Nov 18 '18 at 14:41
DunedanDunedan
2,04951422
Thanks! That helps get the parameter when I have deployed, but when testing locally, I still get theInvalid Actionerror. Perhaps SSM does not exist when running locally?
– holtc
Nov 19 '18 at 15:04
That's right. When using AWS SAM CLI to run applications locally, there is no SSM Parameter Store available locally as well. Coincidentally I opened an issue regarding that a while ago: github.com/awslabs/aws-sam-cli/issues/616
– Dunedan
Nov 19 '18 at 15:55
add a comment |
The available SAM policy templates are listed in their Github repository. None of these policy templates grants permissions for any SSM operation, so you can't use a SAM policy template to grant your AWS Lambda function access to SSM parameters as of now.
What you can do as a workaround is to manually add the required policy statement inline to your policies. That would look like:
LambdaFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: ../
Handler: app.lambda
Runtime: nodejs8.10
Policies:
- DynamoDBReadPolicy:
TableName: !Ref Table
- KMSDecryptPolicy:
KeyId: !Ref Key
- Statement:
- Action:
- ssm:GetParameter
Effect: Allow
Resource: arn:aws:ssm:region:account-id:parameter/parameter_name
You should also consider opening a pull request for adding a policy template for SSM parameter access to SAM, as such a template would of course be a more convenient way to express such permissions. From my experience the developers are very friendly and always welcome such additions.
answered Nov 18 '18 at 14:41
DunedanDunedan
2,04951422
Thanks! That helps get the parameter when I have deployed, but when testing locally, I still get theInvalid Actionerror. Perhaps SSM does not exist when running locally?
– holtc
Nov 19 '18 at 15:04
That's right. When using AWS SAM CLI to run applications locally, there is no SSM Parameter Store available locally as well. Coincidentally I opened an issue regarding that a while ago: github.com/awslabs/aws-sam-cli/issues/616
– Dunedan
Nov 19 '18 at 15:55
add a comment |
The available SAM policy templates are listed in their Github repository. None of these policy templates grants permissions for any SSM operation, so you can't use a SAM policy template to grant your AWS Lambda function access to SSM parameters as of now.
What you can do as a workaround is to manually add the required policy statement inline to your policies. That would look like:
LambdaFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: ../
Handler: app.lambda
Runtime: nodejs8.10
Policies:
- DynamoDBReadPolicy:
TableName: !Ref Table
- KMSDecryptPolicy:
KeyId: !Ref Key
- Statement:
- Action:
- ssm:GetParameter
Effect: Allow
Resource: arn:aws:ssm:region:account-id:parameter/parameter_name
You should also consider opening a pull request for adding a policy template for SSM parameter access to SAM, as such a template would of course be a more convenient way to express such permissions. From my experience the developers are very friendly and always welcome such additions.
answered Nov 18 '18 at 14:41
DunedanDunedan
2,04951422
The available SAM policy templates are listed in their Github repository. None of these policy templates grants permissions for any SSM operation, so you can't use a SAM policy template to grant your AWS Lambda function access to SSM parameters as of now.
What you can do as a workaround is to manually add the required policy statement inline to your policies. That would look like:
LambdaFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: ../
Handler: app.lambda
Runtime: nodejs8.10
Policies:
- DynamoDBReadPolicy:
TableName: !Ref Table
- KMSDecryptPolicy:
KeyId: !Ref Key
- Statement:
- Action:
- ssm:GetParameter
Effect: Allow
Resource: arn:aws:ssm:region:account-id:parameter/parameter_name
You should also consider opening a pull request for adding a policy template for SSM parameter access to SAM, as such a template would of course be a more convenient way to express such permissions. From my experience the developers are very friendly and always welcome such additions.
answered Nov 18 '18 at 14:41
DunedanDunedan
2,04951422
answered Nov 18 '18 at 14:41
DunedanDunedan
2,04951422
answered Nov 18 '18 at 14:41
DunedanDunedan
2,04951422
answered Nov 18 '18 at 14:41
DunedanDunedan
2,04951422
2,04951422
Thanks! That helps get the parameter when I have deployed, but when testing locally, I still get theInvalid Actionerror. Perhaps SSM does not exist when running locally?
– holtc
Nov 19 '18 at 15:04
That's right. When using AWS SAM CLI to run applications locally, there is no SSM Parameter Store available locally as well. Coincidentally I opened an issue regarding that a while ago: github.com/awslabs/aws-sam-cli/issues/616
– Dunedan
Nov 19 '18 at 15:55
add a comment |
Thanks! That helps get the parameter when I have deployed, but when testing locally, I still get theInvalid Actionerror. Perhaps SSM does not exist when running locally?
– holtc
Nov 19 '18 at 15:04
That's right. When using AWS SAM CLI to run applications locally, there is no SSM Parameter Store available locally as well. Coincidentally I opened an issue regarding that a while ago: github.com/awslabs/aws-sam-cli/issues/616
– Dunedan
Nov 19 '18 at 15:55
Thanks! That helps get the parameter when I have deployed, but when testing locally, I still get the
Invalid Action error. Perhaps SSM does not exist when running locally?– holtc
Nov 19 '18 at 15:04
Thanks! That helps get the parameter when I have deployed, but when testing locally, I still get the
Invalid Action error. Perhaps SSM does not exist when running locally?– holtc
Nov 19 '18 at 15:04
That's right. When using AWS SAM CLI to run applications locally, there is no SSM Parameter Store available locally as well. Coincidentally I opened an issue regarding that a while ago: github.com/awslabs/aws-sam-cli/issues/616
– Dunedan
Nov 19 '18 at 15:55
That's right. When using AWS SAM CLI to run applications locally, there is no SSM Parameter Store available locally as well. Coincidentally I opened an issue regarding that a while ago: github.com/awslabs/aws-sam-cli/issues/616
– Dunedan
Nov 19 '18 at 15:55
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53361664%2faws-sam-managed-policy-for-ssm-get-parameter%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
