
I've got an issue where a Cognito-authenticated user seems to have the correct permissions to interact with SSM, but all calls to SSM are being rejected. Here's what my policy looks like:

Cognito Role

Of course in a production environment we won't have open permissions like that and certainly won't have the Administrator policy attached, but this was to test as well as make the point that we really can't authenticate here.

I should add that we can access our DynamoDB resources using that policy with no issues; it's just SSM giving us trouble. We're getting error messages similar to this:

AccessDeniedException: User: arn:aws:sts::ACCOUNTID:assumed-role/COGNITOROLE is not authorized to perform: ssm:GetParametersByPath on resource: arn:aws:ssm:us-west-2:ACCOUNTID:parameter/

where I've replaced the account number and role name. Does anyone know what I'm doing wrong? Thanks a ton in advance.

  • To be clear, you can do this while AdministratorAccess is attached, correct? Also does the role that you replaced with COGNITOROLE exactly match the name of the IAM role given? – Joey Kilpatrick Sep 18 '19 at 03:57
  • Good questions and thanks for responding. No, I get access denied even with administrator access attached. And the role name does match. – Matt Martinez Sep 18 '19 at 11:17
  • I wish I could help more, but without directly testing this, I’m not sure what the problem could be. – Joey Kilpatrick Sep 19 '19 at 02:23

0 Answers