
CloudFormation unable to access SSM parameters in template despite policy


I am attempting to deploy a CloudFormation template that pulls in some parameters from SSM using the method described in this blog post: https://aws.amazon.com/blogs/mt/integrating-aws-cloudformation-with-aws-systems-manager-parameter-store/

The relevant excerpt from the Parameters section of the CF template is:

    "ZoneName" : {
        "Type" : "AWS::SSM::Parameter::Value<String>",
        "Description" : "DNS Hostname Zone",
        "Default" : "/Deimos/ZoneName"
    },
    "ZoneId" : {
        "Type" : "AWS::SSM::Parameter::Value<String>",
        "Description" : "DNS Hostname Zone",
        "Default" : "/Deimos/ZoneId"
    },

However, I'm getting the following error when I attempt to deploy it (via CodePipeline):

    Action execution failed
    AccessDenied. User doesn't have permission to call ssm:GetParameters (Service: AmazonCloudFormation; Status Code: 400; Error Code: ValidationError; Request ID: d6756fbe-fd41-4ac5-93bd-56e5b397445e)

I've got a Role and Policy set up for CloudFormation that includes the following section to grant access to some parameter namespaces within SSM:

    {
        "Sid": "XonoticCFFetchParameters",
        "Effect": "Allow",
        "Action": [
            "ssm:GetParameters",
            "ssm:GetParameter"
        ],
        "Resource": [
            "arn:aws:ssm:*:<aws account #>:parameter/Deimos/*",
            "arn:aws:ssm:*:<aws account #>:parameter/Installers/*",
            "arn:aws:ssm:*:<aws account #>:parameter/Xonotic/*"
        ]
    },

These seem to have been applied just fine, based on the output of:

    aws iam simulate-principal-policy --policy-source-arn "arn:aws:iam::<aws account #>:role/Xonotic-CloudFormationDeploy" --action-names "ssm:getParameters" --resource-arns "arn:aws:ssm:*:<aws account #>:parameter/Deimos/ZoneName"
    {
        "EvaluationResults": [
            {
                "EvalActionName": "ssm:getParameters",
                "EvalResourceName": "arn:aws:ssm:*:<aws account #>:parameter/Deimos/ZoneName",
                "EvalDecision": "allowed",
                "MatchedStatements": [
                    {
                        "SourcePolicyId": "Xonotic-Deployment",
                        "StartPosition": {
                            "Line": 3,
                            "Column": 19
                        },
                        "EndPosition": {
                            "Line": 16,
                            "Column": 10
                        }
                    }
                ],
                "MissingContextValues": []
            }
        ]
    }

So, the Role I'm using should have the access needed to fetch the parameter in question, but it's not working and I'm out of things to check.


Solution

  • Ok - so in this case it turns out there was a JSON parameters file that was part of the build pipeline that was overriding one of my parameters with an invalid value (it was putting the actual zone name in ZoneName).

    Fixed that and parameters are now being passed to my build process just fine.
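As an added pre-deploy check (example code, not part of the question or answer): merge the template defaults with a pipeline parameter-override file, then flag any `AWS::SSM::Parameter::Value<String>` parameter whose effective value is not a parameter name inside the namespaces the role's policy allows, which is the mismatch that surfaced here as AccessDenied on ssm:GetParameters. The template excerpt, override files and `<aws account #>` placeholder are constructed from the question; the region is left as the same `*` wildcard the question's simulate-principal-policy call used.

```python
import fnmatch
import json

# Constructed sample: the Parameters section from the question, plus one plain String
# parameter to show the check ignores non-SSM types.
TEMPLATE = json.loads("""{"Parameters": {
  "ZoneName": {"Type": "AWS::SSM::Parameter::Value<String>", "Default": "/Deimos/ZoneName"},
  "ZoneId":   {"Type": "AWS::SSM::Parameter::Value<String>", "Default": "/Deimos/ZoneId"},
  "Env":      {"Type": "String", "Default": "prod"}}}""")

# Constructed pipeline override files: BAD reproduces the answer's bug (ZoneName holds the
# resolved hostname instead of an SSM parameter name), GOOD is the corrected file.
BAD_OVERRIDES = {"ZoneName": "deimos.example.internal", "ZoneId": "/Deimos/ZoneId"}
GOOD_OVERRIDES = {"ZoneName": "/Deimos/ZoneName", "ZoneId": "/Deimos/ZoneId"}

# Resource patterns from the policy statement in the question (same account placeholder).
ACCOUNT = "<aws account #>"
ALLOWED_ARNS = [f"arn:aws:ssm:*:{ACCOUNT}:parameter/{ns}/*"
                for ns in ("Deimos", "Installers", "Xonotic")]
SSM_TYPE_PREFIX = "AWS::SSM::Parameter::Value"


def effective_parameters(template, overrides):
    """Overrides win over template defaults, as CloudFormation merges them before
    resolving AWS::SSM::Parameter::Value<...> parameters against Parameter Store."""
    return {name: overrides.get(name, spec.get("Default"))
            for name, spec in template["Parameters"].items()}


def parameter_arn(name, account=ACCOUNT):
    """ARN ssm:GetParameters is authorised against; SSM drops one leading '/' from the name."""
    return f"arn:aws:ssm:*:{account}:parameter/{name.lstrip('/')}"


def check_ssm_parameters(template, overrides, allowed_arns):
    """Return (name, value, reason) for each SSM-typed parameter whose effective value
    is empty or names a parameter outside the namespaces the role is allowed to read."""
    problems = []
    for name, value in effective_parameters(template, overrides).items():
        if not template["Parameters"][name].get("Type", "").startswith(SSM_TYPE_PREFIX):
            continue
        if not value:
            problems.append((name, value, "no SSM parameter name supplied"))
            continue
        arn = parameter_arn(value)
        if not any(fnmatch.fnmatchcase(arn, pat) for pat in allowed_arns):
            problems.append((name, value, f"{arn} is not covered by the role's policy; "
                             "it looks like a resolved value rather than a parameter name"))
    return problems
```

Run it against the real template and override file before the pipeline does: the BAD override is reported on ZoneName, while the GOOD one passes cleanly.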