amazon-web-services aws-lambda aws-serverless aws-sam-cli serverless-application-model

AWS SAM managed policy for SSM get parameter

Is there any managed policy similar to DynamoDBReadPolicy for the ssm:GetParameter* permission for a Lambda function? I'm using aws-sam-cli and trying to follow this, but when I try to fetch the parameters when using sam local start-api, I get the following error:

InvalidAction: The action or operation requested is invalid. Verify that the action is typed correctly.

Here is the snippet where I try to get the parameter:

const ssm = new AWS.SSM();
const param = {
    Name: "param1",
    WithDecryption: true
};
const secret = await ssm.getParameter(param).promise();

The relevant template sections are below. Thanks!

KeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: 'param1Key'
      TargetKeyId: !Ref Key
Key:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Id: default
        Statement:
        - Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
          Action:
          - 'kms:Create*'
          - 'kms:Encrypt'
          - 'kms:Describe*'
          - 'kms:Enable*'
          - 'kms:List*'
          - 'kms:Put*'
          - 'kms:Update*'
          - 'kms:Revoke*'
          - 'kms:Disable*'
          - 'kms:Get*'
          - 'kms:Delete*'
          - 'kms:ScheduleKeyDeletion'
          - 'kms:CancelKeyDeletion'
          Resource: '*'
          Sid: Allow root account all permissions except to decrypt the key
        Version: 2012-10-17

LambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ../
      Handler: app.lambda
      Runtime: nodejs8.10
      Policies:
      - DynamoDBReadPolicy:
          TableName: !Ref Table
      - KMSDecryptPolicy:
          KeyId: !Ref Key
      # I think I need the ssm policy here

Solution

The available SAM policy templates are listed in their Github repository. None of these policy templates grants permissions for any SSM operation, so you can't use a SAM policy template to grant your AWS Lambda function access to SSM parameters as of now.

What you can do as a workaround is to manually add the required policy statement inline to your policies. That would look like:

LambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ../
      Handler: app.lambda
      Runtime: nodejs8.10
      Policies:
      - DynamoDBReadPolicy:
          TableName: !Ref Table
      - KMSDecryptPolicy:
          KeyId: !Ref Key
      - Statement:
        - Action:
            - ssm:GetParameter
          Effect: Allow
          Resource: arn:aws:ssm:region:account-id:parameter/parameter_name

You should also consider opening a pull request for adding a policy template for SSM parameter access to SAM, as such a template would of course be a more convenient way to express such permissions. From my experience the developers are very friendly and always welcome such additions.

Update: There is a SSMParameterReadPolicy now available in AWS SAM, so instead of using the workaround you can now simply do:

LambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ../
      Handler: app.lambda
      Runtime: nodejs8.10
      Policies:
      - DynamoDBReadPolicy:
          TableName: !Ref Table
      - KMSDecryptPolicy:
          KeyId: !Ref Key
      - SSMParameterReadPolicy:
          ParameterName: parameter_name