Operation Error: ssm:GetParameter #724

Closed
tommyboylab opened this issue Jul 19, 2024 · 2 comments

I'm trying to migrate a sst@v2 project to ion and am encountering permission errors when trying to run sst dev.

I understand that there are a lot of changes from v2 to v3 and I am trying to understand what I need to do to deploy the updated application, since in V2 everything was able to bootstrap correctly and start.

Here is the error provided running the action:

operation error SSM: GetParameter, https response error StatusCode: 400, RequestID: , api error AccessDeniedException: User: arn:aws:iam:::user/deployer is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-central-2::parameter/sst/bootstrap because no identity-based policy allows the ssm:GetParameter action

Thank you for any help you can provide.

Here is sst.config.ts

export default $config({
  app(input) {
    return {
      name: "dashboard",
      removal: input?.stage === "production" ? "retain" : "remove",
      profile: input?.stage === "production" ? "production" : "default",
      home: "aws",
      providers: {
        aws: {
          region: "eu-central-2",
        }
      }
    };
  },
  async run() {
    new sst.aws.Nextjs("model-dashboard", {
      permissions: [
        {
          actions: ["*"],
          resources: ["*"]
        },
      ]
    });
  },
});
Contributor

thdxr commented Jul 19, 2024

sst ion needs to be able to read/write to SSM parameter store to create some variables it needs for tracking things

@thdxr thdxr self-assigned this Jul 19, 2024
@tommyboylab
Author

Thank you for the information, I have adjusted the IAM Parameters of the User and have been able to bypass this error.

For someone else who might find similar permission errors, the link here has all information regarding the permissions required for SST.

One issue I encountered was the permissions I tried adding by policy would still not allow me to deploy, so I needed to place an inline policy for the SSM Params as such to the user I am using. This can probably be simplified, but right now it's working as expected.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"ssm:DeleteParameter",
				"ssm:GetParameter",
				"ssm:GetParameters",
				"ssm:PutParameter"
			],
			"Resource": "arn:aws:ssm:REGION:USER:parameter/sst/*",
			"Effect": "Allow"
		}
	]
}
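
An added example (not from the thread or the SST project): an offline check that parses the request named in the AccessDeniedException and tests a candidate identity policy against it, showing that a `Resource` ARN scoped to a different region leaves the same denial in place. The account id `111122223333`, the second region and all function names are assumptions; the evaluation is simplified and ignores conditions, SCPs and permission boundaries.

```python
import re

ACCOUNT = "111122223333"  # constructed placeholder; the issue elides the account id
# Constructed sample: the AccessDeniedException text from the issue, with ACCOUNT filled in.
ERROR = (
    f"User: arn:aws:iam::{ACCOUNT}:user/deployer is not authorized to perform: "
    f"ssm:GetParameter on resource: arn:aws:ssm:eu-central-2:{ACCOUNT}:parameter/sst/bootstrap "
    "because no identity-based policy allows the ssm:GetParameter action"
)

def inline_policy(region):
    """The inline policy from the thread, with REGION and USER filled in."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:DeleteParameter", "ssm:GetParameter",
                   "ssm:GetParameters", "ssm:PutParameter"],
        "Resource": f"arn:aws:ssm:{region}:{ACCOUNT}:parameter/sst/*",
    }]}

def parse_denied(message):
    """Return (principal, action, resource) from an AccessDeniedException message."""
    m = re.search(r"User: (\S+) is not authorized to perform: (\S+) on resource: (\S+)", message)
    if m is None:
        raise ValueError("not an IAM access-denied message")
    return m.groups()

def _glob(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None

def _listify(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource):
    """Simplified identity-policy check: explicit Deny wins, then any Allow.
    Ignores Condition, NotAction/NotResource, SCPs and permission boundaries."""
    allowed = False
    for stmt in _listify(policy["Statement"]):
        hit = (any(_glob(a, action, True) for a in _listify(stmt.get("Action", [])))
               and any(_glob(r, resource) for r in _listify(stmt.get("Resource", []))))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

if __name__ == "__main__":
    _, action, resource = parse_denied(ERROR)
    for region in ("eu-central-2", "eu-central-1"):
        print(region, allows(inline_policy(region), action, resource))
```
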
