AccessDeniedException: Cognito_tpnpoolUnauth_Role/CognitoIdentityCredentials is not authorized to perform: ssm:GetParameter on resource

Question

Lambda function get the password from SSM Password store but encounter this error. Already set up the policy on both lambda role and cognito role. ssm:Describeparameters ssm:Getparameter sts:assumerole

*{ AccessDeniedException: User: arn:aws:sts::000008109xxx:assumed-role/Cognito_tpnpoolUnauth_Role/CognitoIdentityCredentials is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:ap-southeast-1 :000008109xxx:parameter/TPN_SFX_P01_Pass at Request.extractError (D:\Work\Amazon\BillingAggregator\billing-file-sender\node_modules\aws-sdk\lib\protocol\json.js:48:27) at Request.callListeners (D:\Work\Amazon\BillingAggregator\billing-file-sender\node_modules\aws-sdk\lib\sequential_executor.js:105:20) at Request.emit (D:\Work\Amazon\BillingAggregator\billing-file-sender\node_modules\aws-sdk\lib\sequential_executor.js:77:10) at Request.emit (D:\Work\Amazon\BillingAggregator\billing-file-sender\node_modules\aws-sdk\lib\request.js:683:14) at Request.transition (D:\Work\Amazon\BillingAggregator\billing-file-sender\node_modules\aws-sdk\lib\request.js:22:10) at AcceptorStateMachine.runTo (D:\Work\Amazon\BillingAggregator\billing-file-sender\node_modules\aws-sdk\lib\state_machine.js:14:12) at D:\Work\Amazon\BillingAggregator\billing-file-sender\node_modules\aws-sdk\lib\state_machine.js:26:10 at Request. (D:\Work\Amazon\BillingAggregator\billing-file-sender\node_modules\aws-sdk\lib\request.js:38:9) at Request. (D:\Work\Amazon\BillingAggregator\billing-file-sender\node_modules\aws-sdk\lib\request.js:685:12) at Request.callListeners (D:\Work\Amazon\BillingAggregator\billing-file-sender\node_modules\aws-sdk\lib\sequential_executor.js:115:18) message: 'User: arn:aws:sts::000008109xxx:assumed-role/Cognito_tpnpoolUnauth_Role/CognitoIdentityCredentials is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:ap-southeast-1:000008109xxx :parameter/xxx_SFX_P01_Pass', code: 'AccessDeniedException', time: 2018-08-03T07:17:50.976Z, requestId: 'cec59419-24cd-427e-99dc-b1f3495f0ceb', statusCode: 400, retryable: false, *