stackoom
  简体   繁体   中英

AccessDeniedException when retrieving AWS Parameters from Lambda

 原文  2022-12-01 12:20:41       aws-lambda/ amazon-iam/ aws-lambda-layers

Question

I am attempting to access system parameters from a Lambda developed using C#

I have added the required lambda layer as per https://docs.aws.amazon.com/systems-manager/latest/userguide/ps-integration-lambda-extensions.html#ps-integration-lambda-extensions-sample-commands

The lambda execution role has the following in the IAM definition (???????? replacing actual account id) 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ssm:*"
            ],
            "Resource": "arn:aws:ssm:*:???????????:parameter/*"
        }
    ]
}

As per the AWS page reference above I made a HTTP GET request to http://localhost:2773/systemsmanager/parameters/get/?name=/ClinMod/SyncfusionKey&version=1

This is failing with the following response

{
    "Version": "1.1",
    "Content": {
        "Headers": [
            {
                "Key": "Content-Type",
                "Value": [
                    "text/plain"
                ]
            },
            {
                "Key": "Content-Length",
                "Value": [
                    "31"
                ]
            }
        ]
    },
    "StatusCode": 401,
    "ReasonPhrase": "Unauthorized",
    "Headers": [
        {
            "Key": "X-Amzn-Errortype",
            "Value": [
                "AccessDeniedException"
            ]
        },
        {
            "Key": "Date",
            "Value": [
                "Thu, 01 Dec 2022 12:16:59 GMT"
            ]
        }
    ],
    "TrailingHeaders": [],
    "RequestMessage": {
        "Version": "1.1",
        "VersionPolicy": 0,
        "Content": null,
        "Method": {
            "Method": "GET"
        },
        "RequestUri": "http://localhost:2773/systemsmanager/parameters/get/?name=/ClinMod/SyncfusionKey&version=1",
        "Headers": [],
        "Properties": {},
        "Options": {}
    },
    "IsSuccessStatusCode": false
}

Any clues where I am going wrong?

1 answers

solution1
 0 ACCPTED  2022-12-02 23:33:21

After a discussion on an AWS forum, it looks like the issue was that I was not setting a required header of the HTTP GET request.

For this to work, it needs the X-Aws-Parameters-Secrets-Token header set with the AWS_SESSION_TOKEN.

Once I did this it worked fine.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Getting AccessDeniedException from Lambda function when calling AWS SSO Permission set AccessDeniedException when deploying the lambda function I want to pass parameters in aws Lambda while invoking from cli Using, in a aws LAMBDA, parameters of axios Run a YAML SSM Run Document from AWS Lambda with Parameters Permission denied when calling AWS Lambda function from AWS CodePipeline AWS StateMachine AccessDeniedException in step: CleanUpOnError AWS timestream-write gets "An error occurred (AccessDeniedException) when calling the DescribeEndpoints operation: This operation is not allowed." How to pass s3 object names getting from the lambda events as a parameters to the AWS Glue Workflow How can I restrict specific parameters in payload from API Gateway to AWS Lambda?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM