Random Musings

Sporadic thoughts on tech, economics, business, finance and trading

Error: reading SSM Parameter


I was trying to run a Terraform script against my free tier AWS account. I created an IAM user, generated an access key and secret for it, and then issued the terraform plan command from my local machine:

PS C:\ProgramFiles\terraform\Getting-Started-Terraform\globo_web_app> terraform plan -out m3.tfplan

Received the below error:

Error: reading SSM Parameter (/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2): operation error SSM: GetParameter, https response error StatusCode: 400, RequestID: 80e64eb4-9cb4-4c15-b608-92b4f00e9876, api error AccessDeniedException: User: arn:aws:iam::590183791234:user/terraform-user is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1::parameter/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 because no identity-based policy allows the ssm:GetParameter action

│ with data.aws_ssm_parameter.amzn2_linux,
│ on main.tf line 15, in data "aws_ssm_parameter" "amzn2_linux":
│ 15: data "aws_ssm_parameter" "amzn2_linux" {

It turned out the IAM user was missing the ssm:GetParameter permission. The aws_ssm_parameter data source on line 15 of main.tf calls that API to look up the current Amazon Linux 2 AMI ID from the public parameter /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 (note the empty account-ID field in the resource ARN from the error: these parameters are published by AWS, not by your account), and, as the error says, no identity-based policy on the user allowed it. Attaching the AmazonSSMReadOnlyAccess policy fixed it; the steps below cover that route and the narrower alternative of a policy scoped to just this action and parameter:

1. Navigate to the IAM Management Console

2. Locate the IAM Entity

  • Click on Users, Roles, or Groups depending on the IAM entity you need to attach the policy to:
    • If Terraform is using an Access Key, look for the IAM User.
    • If Terraform is assuming a Role, look for that specific Role.

3. Attach the Policy

Option A: Attach an AWS Managed Policy

If you’re attaching a predefined AWS policy, such as AmazonSSMReadOnlyAccess (which includes ssm:GetParameter, because it allows the ssm:Get*, ssm:List* and ssm:Describe* actions on every resource), follow these steps. Be aware that this grants the user read access to every SSM resource in the account, including any Parameter Store values your own applications keep there, not just the public AMI parameter; for a user whose only job is this lookup, Option B is the least-privilege choice:

  1. Select the user, role, or group.
  2. Go to the Permissions tab.
  3. Click Add permissions > Attach policies directly.
  4. Search for AmazonSSMReadOnlyAccess and check the box next to it.
  5. Click Next, review the selection, and then click Add permissions.

Option B: Attach a Custom Inline Policy

If you need a more specific policy (e.g., only ssm:GetParameter), follow these steps:

  1. Select the user, role, or group.
  2. Go to the Permissions tab.
  3. Click Add permissions > Create inline policy.
  4. In the Visual editor, select the following:
    • Service: SSM.
    • Actions: Check GetParameter.
    • Resources: Select Specific and provide the ARN of the parameter. For this error that is exactly the ARN it reports, arn:aws:ssm:us-east-1::parameter/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 (the account-ID field stays empty, because the parameter is AWS-published); arn:aws:ssm:us-east-1::parameter/aws/service/* covers the other public AMI parameters if the configuration will look up more than one. For a parameter in your own account the ARN has the form arn:aws:ssm:region:account-id:parameter/my-app-config. Avoid All resources here: it makes the inline policy as broad as the managed one and defeats the point of writing a specific policy.
  5. Click Review policy.
  6. Provide a policy name (e.g., SSMGetParameterPolicy) and click Create policy.

4. Verify the Policy Attachment

  • Ensure the new policy appears under the Permissions tab of the selected IAM entity.
  • Verify the policy allows the required action, ssm:GetParameter, on the parameter ARN named in the error. A quicker check than a full terraform plan is to run aws ssm get-parameter --name /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 with the same access key; the IAM policy simulator in the console works as well.

5. Test the Permissions

  • Retry running your Terraform command (terraform plan) to ensure the issue is resolved. IAM policy changes are eventually consistent, so if the same AccessDeniedException appears immediately after attaching the policy, wait a few seconds and retry before assuming the policy is wrong.
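The custom-policy route in Option B comes down to granting exactly the action and resource that the error names. As an added example, not code from the original post, here is a small Python helper that parses that "is not authorized to perform" message into principal, action and resource, builds a single-statement policy scoped to them, and checks with a simplified wildcard matcher that the policy covers the failing call and nothing else. The sample message is constructed from the error text above; the matcher models Allow statements only (Deny, Condition, NotAction, NotResource and resource-based policies are outside what it evaluates), and the Sid and the helper names are this example's own.

```python
"""Derive a least-privilege IAM policy from an AWS AccessDenied message.

Added example, not code from the original post. The sample message below
is constructed from the AccessDeniedException text that Terraform printed.
"""
import json
import re

# Constructed sample input: the relevant part of the error from the post.
SAMPLE_ERROR = (
    "api error AccessDeniedException: User: "
    "arn:aws:iam::590183791234:user/terraform-user is not authorized to perform: "
    "ssm:GetParameter on resource: arn:aws:ssm:us-east-1::parameter/aws/service/"
    "ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 because no identity-based "
    "policy allows the ssm:GetParameter action"
)

# Shape of the "User: <principal> is not authorized to perform: <action> on
# resource: <arn>" sentence that IAM puts in AccessDenied errors.
DENIED_RE = re.compile(
    r"(?P<principal>arn:aws:iam::\d{12}:(?:user|role|assumed-role)/\S+) "
    r"is not authorized to perform: (?P<action>[a-z0-9-]+:[A-Za-z0-9*]+) "
    r"on resource: (?P<resource>\S+)"
)


def parse_access_denied(message):
    """Return (principal, action, resource) from the message, or None if it
    is not an AccessDenied message of the expected shape."""
    match = DENIED_RE.search(message)
    if match is None:
        return None
    return match.group("principal"), match.group("action"), match.group("resource")


def minimal_policy(action, resource, sid="AllowTerraformAmiLookup"):
    """Single-statement identity-based policy allowing only `action` on
    `resource`. Pass a wildcard such as
    arn:aws:ssm:us-east-1::parameter/aws/service/* if several public AMI
    parameters will be read; never widen the resource to "*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": sid, "Effect": "Allow", "Action": [action], "Resource": [resource]}
        ],
    }


def _wildcard_match(pattern, value, ignore_case=False):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def policy_allows(policy, action, resource):
    """Simplified check: True if some Allow statement matches the action
    (case-insensitively, as IAM treats action names) and the resource ARN.
    Assumption for this example: no Deny, Condition, NotAction or
    NotResource elements; real IAM evaluation handles all of those."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(_wildcard_match(a, action, ignore_case=True) for a in actions) and any(
            _wildcard_match(r, resource) for r in resources
        ):
            return True
    return False


def policy_for_error(message):
    """Parse the message and return (principal, policy) for the missing grant."""
    parsed = parse_access_denied(message)
    if parsed is None:
        raise ValueError("message is not an AccessDenied error of the expected shape")
    principal, action, resource = parsed
    return principal, minimal_policy(action, resource)


if __name__ == "__main__":
    principal, policy = policy_for_error(SAMPLE_ERROR)
    print("attach to:", principal)
    print(json.dumps(policy, indent=2))
```

Running the script prints the principal to attach the policy to (the terraform-user ARN from the error) and the policy JSON, which can be pasted into the JSON tab of the inline-policy editor instead of building it in the visual editor. The matcher is there to make the point from Option B concrete: the generated policy allows ssm:GetParameter on the AMI parameter, but not ssm:PutParameter, and not GetParameter on a parameter in your own account such as a database password, whereas a wildcard read statement allows all of those.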
