javascript - AWS: ssm:GetParameters AccessDeniedException - Stack Overflow


I am trying to get the ssm parameters in a js handler as follows:

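// The SSM client must exist before the handler runs
const AWS = require('aws-sdk');
const ssm = new AWS.SSM();

module.exports.post = (event, context, callback) => {
  var params = {
    Name: 'myParameter',
    WithDecryption: true || false // evaluates to true
  };

  // Log either the error or the returned parameter
  ssm.getParameter(params, function(err, data) {
    if (err) console.log(err, err.stack);
    else     console.log(data);
  });
};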

and I added the following permission roles to my serverless.yml file

iamRoleStatements:
  - Effect: Allow
    Action:
      - ssm:GetParameters
      - ssm:GetParameter
      - ssm:DescribeParameters
      - kms:Encrypt
      - kms:Decrypt
    Resource: "*"

Using the CLI I can successfully perform aws ssm get-parameter --names myParameter

but when I invoke the function I get the following error in CloudWatch

AccessDeniedException: User: myUser is not authorized to perform: ssm:GetParameter on resource: myResource/myParameter

I have tried to use getParameters functions, get the exact name resource but still the same error message.

Any help would be much appreciated.

asked Nov 21, 2017 at 14:21 by Marc
  • Is the Parameter you're trying to get in Parameter Store a SecureString encrypted with a KMS Customer Managed key? If so it could be that the Lambda role doesn't have access to the CMK due to the key policy – maafk Commented Nov 21, 2017 at 14:33
  • nope, I think there is a problem that I am using a root account, but I am not sure how to work around this – Marc Commented Nov 23, 2017 at 15:26
  • 1 It's definitely not a good idea to use the root account for general AWS usage. Check out the IAM best practices – maafk Commented Nov 25, 2017 at 2:26
  • who is myUser? I may be able to help here (for posterity) – user7401700 Commented Apr 16, 2018 at 15:28
  • I ran into this issue from Javascript. – Paul Fryer Commented Sep 29, 2018 at 21:33
1 Answer

Just created a project with serverless and it worked as expected.

The permissions are set in serverless.yml with only the grants required for execution of the code.

serverless.yml

service: poc-lambda-ssm

provider:
  name: aws
  runtime: nodejs8.10
  variableSyntax: "\\${((?!AWS)[ ~:a-zA-Z0-9._'\",\\-\\/\\(\\)]+?)}"
  iamRoleStatements:
  - Effect: Allow
    Action:
      - ssm:GetParameter
    Resource:
      - 'Fn::Join':
        - ':'
        - - 'arn:aws:ssm'
          - Ref: 'AWS::Region'
          - Ref: 'AWS::AccountId'
          - 'parameter/my-secure-param'
  - Effect: Allow
    Action:
      - kms:Decrypt
    Resource:
      - 'Fn::Join':
        - ':'
        - - 'arn:aws:kms'
          - Ref: 'AWS::Region'
          - Ref: 'AWS::AccountId'
          - 'key/alias/aws/ssm'

functions:
  hello_ssm:
    handler: handler.hello_ssm

handler.js

'use strict';

const AWS = require("aws-sdk");

// Set the region on the SDK's global config object instead of replacing it
AWS.config.update({
    region: "us-east-1"
});

const ssm = new AWS.SSM({apiVersion: '2014-11-06'});

module.exports.hello_ssm = function(event, context, callback) {
  var params = {
    Name: 'my-secure-param',
    WithDecryption: true // SecureString: return the decrypted value
  };

  // Pass the error or the decrypted value back to Lambda
  ssm.getParameter(params, function(err, data) {
      if (err) callback(err);
      else callback(null, "my secure param is: " + data.Parameter.Value);
  });
};

and created a parameter called my-secure-param in AWS Systems Manager with type SecureString.

You also might check my PoC Lambda SSM project. In this project I use serverless to develop lambda and it works invoking locally by using invoke local -f hello_ssm.
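An added example, not part of the original question or answer: a small offline triage helper that parses an AccessDeniedException message of the shape quoted in the question and checks the denied call against the two sets of iamRoleStatements shown on this page. The account id, region, full ARNs and function names are assumptions made for illustration, and the evaluation is deliberately simplified (no conditions, permission boundaries or key policies).

```javascript
'use strict';
// Constructed sample error in the shape quoted in the question; the account
// id and region are placeholders, not values from the page.
const SAMPLE_ERROR = 'AccessDeniedException: User: arn:aws:iam::111122223333:user/myUser ' +
  'is not authorized to perform: ssm:GetParameter on resource: ' +
  'arn:aws:ssm:us-east-1:111122223333:parameter/myParameter';
const PARAM_ARN = 'arn:aws:ssm:us-east-1:111122223333:parameter/'; // assumed prefix

// Statements as they appear in the question and in the answer.
const QUESTION_POLICY = [{ Effect: 'Allow', Resource: '*',
  Action: ['ssm:GetParameters', 'ssm:GetParameter', 'ssm:DescribeParameters',
    'kms:Encrypt', 'kms:Decrypt'] }];
const ANSWER_POLICY = [{ Effect: 'Allow', Action: ['ssm:GetParameter'],
  Resource: [PARAM_ARN + 'my-secure-param'] }];

// Extract who was denied, for which action, on which resource.
function parseAccessDenied(message) {
  const m = /User: (\S+) is not authorized to perform: (\S+) on resource: (\S+)/.exec(message);
  return m ? { principal: m[1], action: m[2], resource: m[3] } : null;
}

// IAM-style wildcards: '*' matches any run of characters, '?' exactly one.
function wildcardMatch(pattern, value, ignoreCase) {
  const body = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + body + '$', ignoreCase ? 'i' : '').test(value);
}

const asList = (v) => (Array.isArray(v) ? v : [v]);

// Simplified identity-policy evaluation: an explicit Deny wins, then any
// Allow, otherwise implicit deny. Action names are matched case-insensitively.
function evaluate(statements, action, resource) {
  const hits = statements.filter((s) =>
    asList(s.Action).some((a) => wildcardMatch(a, action, true)) &&
    asList(s.Resource).some((r) => wildcardMatch(r, resource, false)));
  if (hits.some((s) => s.Effect === 'Deny')) return 'explicit-deny';
  return hits.some((s) => s.Effect === 'Allow') ? 'allow' : 'implicit-deny';
}

// Allow statements that apply to every resource (least-privilege review).
function overbroad(statements) {
  return statements.filter((s) => s.Effect === 'Allow' && asList(s.Resource).includes('*'));
}

const denied = parseAccessDenied(SAMPLE_ERROR);
console.log(denied.principal, evaluate(QUESTION_POLICY, denied.action, denied.resource));
```

When the statements evaluate to allow but the call is still denied, compare the principal in the message with the function's execution role: the statements only help if they are attached to the identity that actually made the call.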
