Grant AWS Lambda Access to SSM Parameter Store


Borislav Hadzhiev

Last updated: Sep 28, 2021


Photo from Unsplash

Grant AWS Lambda Access to SSM Parameter Store #

In order to grant a Lambda function access to an SSM parameter, we have to attach an IAM policy to the function's execution role. The policy should grant permissions for all the Actions the function needs to perform on the SSM parameter.

For example, the following policy grants permissions for the most commonly used Parameter Store actions on a specific parameter.

The policy applies to a specific parameter, therefore make sure to replace the YOUR_* placeholders in the Resource element with the real values.
If your function needs to access multiple parameters, add multiple values in the Resource list or just add * which means your function has access to all of the parameters in the account.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath", "ssm:PutParameter", "ssm:DeleteParameter", "ssm:DeleteParameters" ], "Resource": [ "arn:aws:ssm:YOUR_REGION:YOUR_ACCOUNT_NUMBER:parameter/PARAMETER_NAME_WITHOUT_LEADING_SLASH" ] } ] }

The Resource element should look something like: arn:aws:ssm:us-east-1:123456789:parameter/PARAMETER_NAME_WITHOUT_LEADING_SLASH once the real values are in place.

Note that if your parameter has a leading slash in the name, e.g. /my-app/dev/db-url it should be omitted when specifying the name in the Resource element of the IAM policy - my-app/dev/db-url.

The actions your lambda function needs to perform on the SSM parameter are use case dependent.

You could set "ssm:*" for the Action element in the policy to grant full parameter store access to the lambda function.

You could also set the Resource element to be *, which means the function can access all SSM parameters in the account.

However, it's best practice to grant an entity the least permissions that get the job done.

You can view a full list of the Parameter Store Actions in the Systems Manager actions table.

There is a Description column, which explains what each action does.

To attach a policy to the lambda function's execution role, you have to:

  1. Open the AWS Lambda console and click on your function's name
  2. Click on the Configuration tab and then click Permissions

click on function role

  1. Click on the function's role
  2. Click on Add permissions and then click Create inline policy

create inline policy

  1. In the JSON editor paste the following policy.
Replace the YOUR_* placeholders and adjust the Actions your lambda function needs to execute.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath", "ssm:PutParameter", "ssm:DeleteParameter", "ssm:DeleteParameters" ], "Resource": [ "arn:aws:ssm:YOUR_REGION:YOUR_ACCOUNT_NUMBER:parameter/PARAMETER_NAME_WITHOUT_LEADING_SLASH" ] } ] }
  1. Click Review Policy and give your policy a name, then click Create policy

At this point the lambda function's role has been extended with a policy that grants access to some Parameter Store actions on a specific parameter.

If your Lambda function needs to access multiple SSM parameters, pass multiple ARN values to the Resource element of the policy, or set the Resource to *.
It can take up to a minute until the IAM changes have been propagated and the policy is in effect.

Invoke your lambda function and verify whether it has access to the SSM parameter.

If your function is still unable to access the SSM parameter, try to increase the function's timeout by a second in the AWS console or simply add an extra print statement in the code and click the Deploy button.

If your lambda function still does not have access to the parameter, expand the IAM policy you added to the function's role and edit it to look like the policy below.

edit policy

Replace the YOUR_* placeholders with real values.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:*" ], "Resource": [ "arn:aws:ssm:YOUR_REGION:YOUR_ACCOUNT_NUMBER:parameter/PARAMETER_NAME_WITHOUT_LEADING_SLASH" ] } ] }

The IAM policy above grants full access to an SSM parameter. Your lambda function will be able to execute all Parameter store actions on the parameter.

It's best practice to grant the least possible permissions that enable you to get the job done, however the * symbol is useful when debugging.

After you've updated the policy, try to invoke your lambda function again, it should have permissions to execute any action on the SSM parameter.

After you verify which actions your lambda needs to run, you can make the IAM policy less permissive.

Note that a policy statement with a Deny effect will always override any Allow statements.

Further Reading #

I wrote a book in which I share everything I know about how to become a better, more efficient programmer.
book cover
You can use the search field on my Home Page to filter through all of my articles.