Inaccurate error message when attempting to retrieve a cross-account parameter
I wrote this some time ago, and I'm unsure if it's correct or not. I didn't publish it, so perhaps there's an issue with this post. Maybe there's not. I don't remember, but I'm publishing it anyway in case it helps someone. Maybe I'll have time to revisit it later. Right.
— — — — — — — — —
I wrote about how I'm using parameters cross-account so I can build resources in one account, deploy them from a second account, into a third account.
I need the build account to be able to read the parameters in the AMI account, such as the latest AMI ID to use when deploying resources to the third account.
In order to achieve that, I had to grant access to the account that builds and deploys the resources in my cloud environment. I wanted to allow that account to read all the parameters required for building AMIs in my ami-builder account. So I created this policy, pulled from a sample page:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeParameters"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameters"
      ],
      "Resource": "arn:aws:ssm:[region]:[AMI-builder-account-number-here]:parameter/*"
    }
  ]
}
When I try to retrieve a parameter with a specific name like this:
aws ssm get-parameter --name ami-builder-parameter
I get this error, which isn't accurate:
An error occurred (ParameterNotFound) when calling the GetParameter operation:
The parameter does exist. The problem is that there are two different API actions for getting parameters: GetParameters takes a list of names, and GetParameter takes a single name, and each is a separate IAM action. Why it can't be one command that optionally takes an array of parameters or doesn't, I don't really understand. But anyway, since the CLI command get-parameter calls GetParameter, and my policy only allowed GetParameters, I also needed to add this action to my policy so I can get the value of one parameter by name:
"ssm:GetParameter"
So my policy now looks like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeParameters"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter"
      ],
      "Resource": "arn:aws:ssm:[region]:[AMI-builder-account-number-here]:parameter/*"
    }
  ]
}
This could trip up someone newer to AWS. One more thing worth checking before chasing permissions: a bare --name is resolved in the account and Region of the credentials making the call, so if the CLI profile points at the build account, a parameter that lives only in the ami-builder account will also come back as ParameterNotFound no matter what the policy says. Run aws sts get-caller-identity to confirm which account you are calling from.
Fix: The error message should report access denied to caller identity [x] to perform action [y].
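As an added illustration (not code from the original post), here is a small Python evaluator for the Allow/Deny logic of identity policies like the two above. It shows concretely that an Allow on ssm:GetParameters does not cover ssm:GetParameter, and its explain() function produces the kind of message the Fix above asks for: which caller was denied which action on which resource. The account number 111122223333, the Region us-east-1 and the caller role ARN are placeholders, not values from the post, and the evaluator is deliberately simplified: it models Effect, Action and Resource wildcards only, not Condition, NotAction, NotResource or resource-based policies.

```python
import re

# Constructed sample data: the two policies from the post, with a placeholder
# account number and Region. None of these are real values.
REGION = "us-east-1"
ACCOUNT = "111122223333"
PARAM_ARN = f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/ami-builder-parameter"

ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:DescribeParameters"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ssm:GetParameters"],
         "Resource": f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/*"},
    ],
}

FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:DescribeParameters"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ssm:GetParameters", "ssm:GetParameter"],
         "Resource": f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/*"},
    ],
}


def _as_list(value):
    # IAM allows a single string or a list for Action, Resource and Statement.
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one action/resource pair.

    Simplified identity-policy logic: an explicit Deny wins, otherwise any
    matching Allow grants, otherwise the request is implicitly denied.
    Action names compare case-insensitively, as IAM does; resource ARNs
    compare case-sensitively. Condition, NotAction and NotResource are not modelled.
    """
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(_wildcard_match(a, action, True) for a in actions):
            continue
        if not any(_wildcard_match(r, resource, False) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def explain(policy, caller_arn, action, resource):
    """Build the message the post asks for: who was denied which action on what."""
    decision = evaluate(policy, action, resource)
    if decision == "Allow":
        return f"Allowed: {caller_arn} may perform {action} on {resource}"
    return (f"AccessDenied: {caller_arn} is not authorized to perform {action} "
            f"on {resource} ({decision})")


if __name__ == "__main__":
    caller = "arn:aws:iam::444455556666:role/build-role"  # placeholder caller
    for label, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        print(label, "->", explain(policy, caller, "ssm:GetParameter", PARAM_ARN))
```

Running it prints an AccessDenied line for the original policy and an Allowed line for the fixed one. To check a real policy against a real caller, the equivalent AWS-side tool is the IAM policy simulator (aws iam simulate-principal-policy), which reports the decision per action and resource rather than folding it into a ParameterNotFound.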
If this helped you or you had this problem, please clap!
Teri Radichel — Follow me @teriradichel on Twitter
© 2nd Sight Lab 2022
____________________________________________
About this blog:
Want to learn more about Cybersecurity and Cloud Security? Check out: Cybersecurity for Executives in the Age of Cloud on Amazon
Need Cloud Security Training? 2nd Sight Lab Cloud Security Training
Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.
Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.
Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts