Not authorized to perform: ssm:GetParameters

June 17, 2019
web

While working on setting up AWS CodeBuild to run Fixinator to scan for CFML Security Vulnerabilities upon commit, I ran into a snag. I set up an Environment Variable for the Fixinator API key as a Parameter so it could be stored securely (encrypted at rest and protected from build log output). I kept getting an error like:

Phase context status code: Decrypted Variables Error Message: AccessDeniedException: User: arn:aws:sts::1234567890:assumed-role/CodeStarWorker-projectname-ToolChain/AWSCodeBuild-abcd123-1234-1234-abcd-abc123abc is not authorized to perform: ssm:GetParameters on resource: arn:aws:ssm:us-east-1:1234567890:parameter/CodeBuild/FIXINATOR_API_KEY

I did in fact attach a policy such as this to the IAM Role that AWS CodeBuild assumes when it invokes the build:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SSMFixinatorAPIKeyPolicy",
            "Effect": "Allow",
            "Action": "ssm:GetParameters",
            "Resource": "arn:aws:ssm:us-east-1:1234567890:parameter/CodeBuild/FIXINATOR_API_KEY"
        }
    ]
}

Still getting the same error, my next thought was that since this Parameter was stored as a SecureString, I also needed to grant kms:Decrypt permission, and maybe the error message was just misleading. So I added:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SSMFixinatorAPIKeyPolicy",
            "Effect": "Allow",
            "Action": "ssm:GetParameters",
            "Resource": "arn:aws:ssm:us-east-1:1234567890:parameter/CodeBuild/FIXINATOR_API_KEY"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:1234567890:key/CMK"
            ]
        }
    ]
}

Which gave permission to decrypt the key with the account CMK (Customer Master Key), but I still got the same error.

Ah ha...

Then I noticed that the IAM Role I was using had a Permission Boundary set up! The role and CodeBuild pipeline I was using were initially set up by AWS CodeStar, which had created the permission boundary when it set up the project. Here is a section of the Boundary:

{
    "Sid": "5",
    "Effect": "Allow",
    "Action": [
        "ssm:GetParameters"
    ],
    "Resource": [
        "*"
    ],
    "Condition": {
        "StringEquals": {
            "ssm:ResourceTag/awscodestar:projectArn": [
                "arn:aws:codestar:us-east-1:1234567890:project/project-name"
            ]
        }
    }
},

The permission boundary only allows ssm:GetParameters when the parameter itself is tagged with a tag named awscodestar:projectArn whose value is arn:aws:codestar:us-east-1:1234567890:project/project-name. A parameter created by hand, without that tag, falls outside the boundary no matter what the role's own policy says.

The permission boundary does not grant any access on its own; it only caps what the policies attached to the role can allow. So you still need a policy on the role that allows ssm:GetParameters, and the request must also fall inside the boundary.
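To make the "identity policy AND boundary" rule concrete, here is an added example (not code from the original post) that evaluates the post's two policy documents against the ssm:GetParameters request with a deliberately simplified model of IAM: an explicit Deny wins, otherwise the request needs an Allow from an identity policy and, when a boundary is present, an Allow from the boundary as well. It generalises past the post's single case by handling wildcard resources and StringEquals tag conditions for any action/resource pair, but it is a teaching model, not a reimplementation of the IAM evaluator (no resource policies, SCPs or session policies). The ARNs are the placeholders used in the post; the tag context dictionaries are constructed for the example.

```python
import fnmatch

# ARNs as they appear in the post (placeholder account id 1234567890).
PARAM_ARN = "arn:aws:ssm:us-east-1:1234567890:parameter/CodeBuild/FIXINATOR_API_KEY"
PROJECT_ARN = "arn:aws:codestar:us-east-1:1234567890:project/project-name"

# Identity policy attached to the CodeBuild role (from the post).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SSMFixinatorAPIKeyPolicy", "Effect": "Allow",
         "Action": "ssm:GetParameters", "Resource": PARAM_ARN}
    ],
}

# The relevant statement of the CodeStar-generated permission boundary (from the post).
BOUNDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "5", "Effect": "Allow", "Action": ["ssm:GetParameters"],
         "Resource": ["*"],
         "Condition": {"StringEquals": {
             "ssm:ResourceTag/awscodestar:projectArn": [PROJECT_ARN]}}}
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/condition values."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Toy evaluator for the StringEquals operator only (all the post needs)."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator!r} not modelled")
        for key, expected in pairs.items():
            actual = context.get(key)
            # A missing context key (an untagged parameter) never satisfies StringEquals.
            if actual is None or actual not in _as_list(expected):
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    """IAM wildcards are * and ?; fnmatchcase covers both (ARNs contain no [ ])."""
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_matches(stmt.get("Condition", {}), context))


def policy_decision(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single policy document."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_authorized(identity_policies, boundary, action, resource, context):
    """Simplified IAM logic: explicit Deny anywhere wins; otherwise the request
    needs an Allow from an identity policy AND from the boundary (if one is set)."""
    decisions = [policy_decision(p, action, resource, context) for p in identity_policies]
    if "Deny" in decisions or "Allow" not in decisions:
        return False
    if boundary is None:
        return True
    return policy_decision(boundary, action, resource, context) == "Allow"


def scenarios_from_post():
    """The three situations the post walks through, keyed by a short label."""
    action = "ssm:GetParameters"
    untagged = {}  # constructed: parameter created by hand, no tags
    tagged = {"ssm:ResourceTag/awscodestar:projectArn": PROJECT_ARN}  # constructed
    return {
        "no boundary, untagged": is_authorized([IDENTITY_POLICY], None, action, PARAM_ARN, untagged),
        "boundary, untagged": is_authorized([IDENTITY_POLICY], BOUNDARY_POLICY, action, PARAM_ARN, untagged),
        "boundary, tagged": is_authorized([IDENTITY_POLICY], BOUNDARY_POLICY, action, PARAM_ARN, tagged),
        "boundary only, no identity policy": is_authorized([], BOUNDARY_POLICY, action, PARAM_ARN, tagged),
    }


if __name__ == "__main__":
    for label, allowed in scenarios_from_post().items():
        print(f"{label:38s} -> {'Allow' if allowed else 'Deny'}")
```

The second scenario reproduces the AccessDeniedException from the post: the identity policy says Allow, but the boundary's tag condition is unmet, so the effective answer is Deny. The last scenario shows the other half of the rule, that a boundary alone never grants anything. When debugging a real role, the first thing to check is whether a boundary exists at all, which `aws iam get-role --role-name <role> --query Role.PermissionsBoundary` reports.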

It is a good lesson: if you are running into permission issues, check whether any permission boundaries are set up. They do their job.
