amazon-web-services aws-lambda amazon-iam

How to grant ssm:GetParameter permission to an IAM role in AWS


I am trying to access a parameter in the Parameter Store from an AWS Lambda Function. According to the documentation, I need the GetParameter permission, but can't seem to find it.

The AWS Identity and Access Management (IAM) role used to run the function must have the following permissions to interact with Parameter Store:
ssm:GetParameter – Required to retrieve parameters from Parameter Store

I go to IAM > Roles and select the role. Click "add permissions - attach policies" and then search for "getparameter" and find nothing.


Solution

  • The issue is that ssm:GetParameter is a specific permission rather than a standalone policy (a Policy has one or many permissions, with Allow or Deny Effects). This means you won’t find it directly when searching among AWS managed policies in the “Attach Policy” interface.

    Here’s how you can solve this:

    Create a Custom Inline Policy for the Role to grant ssm:GetParameter explicitly to the IAM role associated with your Lambda function:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ssm:GetParameter",
                "Resource": "arn:aws:ssm:REGION:ACCOUNT_ID:parameter/YOUR_PARAMETER_NAME"
            }
        ]
    }
    

    Or, if you want to add an AWS predefined policy, you can search for the AmazonSSMReadOnlyAccess managed policy and add it.
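
An added example, not part of the original answer: it builds the inline policy above for specific parameters (hierarchical names such as /app/db/password must not produce a double slash in the ARN), flags wildcard grants in a policy document, and attaches the result with boto3's put_role_policy. The region, account ID, parameter names and the broad sample policy are constructed placeholders.

```python
import json
import re

def parameter_arn(region, account_id, name):
    """Build the ARN for one parameter. Hierarchical names such as
    /app/db/password already start with '/', which must not be doubled."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account id must be 12 digits")
    if not re.fullmatch(r"/?[A-Za-z0-9_.-]+(/[A-Za-z0-9_.-]+)*", name):
        raise ValueError(f"not a literal parameter name: {name!r}")
    return f"arn:aws:ssm:{region}:{account_id}:parameter/{name.lstrip('/')}"

def inline_policy(region, account_id, names):
    """Policy document allowing ssm:GetParameter on the named parameters only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "ssm:GetParameter",
            "Resource": [parameter_arn(region, account_id, n) for n in names],
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def wildcard_grants(policy):
    """Return (statement index, field, value) for every Allow with a '*'."""
    found = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        for field in ("Action", "Resource"):
            found += [(i, field, v) for v in _as_list(stmt.get(field, [])) if "*" in v]
    return found

def put_inline_policy(role_name, policy_name, policy):
    """Attach the document to the role as an inline policy (needs boto3 and credentials)."""
    import boto3
    boto3.client("iam").put_role_policy(
        RoleName=role_name, PolicyName=policy_name, PolicyDocument=json.dumps(policy))

# Constructed sample of a broad read-only grant, for comparison.
BROAD_SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:Get*", "ssm:List*"], "Resource": "*"}]}

if __name__ == "__main__":
    doc = inline_policy("us-east-1", "123456789012", ["/app/db/password", "api-key"])
    print(json.dumps(doc, indent=2))
    print(wildcard_grants(doc), wildcard_grants(BROAD_SAMPLE))
```

Running wildcard_grants over a role's policies before attaching them shows whether the Lambda function can read only its own parameters or every parameter the statement's wildcards match.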