aws-solutions / aws-control-tower-customizations

The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices.
https://docs.aws.amazon.com/controltower/latest/userguide/cfct-overview.html
Apache License 2.0

StackSetCodeBuildRole can't access SSM Parameter #108

Closed jo-koe closed 2 years ago

jo-koe commented 2 years ago

Describe the bug

The control-tower-customizations-StackSetCodeBuildRole can't access SSM parameters, which results in the following error message in the Custom-Control-Tower-StackSet-CodeBuild job:

{"time_stamp": "2022-04-25 09:02:28,752","log_level": "ERROR","log_message": Unhandled Exception: An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::***:assumed-role/control-tower-customizations-StackSetCodeBuildRole-1242N75A69QBP/AWSCodeBuild-caea29a1-d2df-49ff-8690-bb7a89917db8 is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-central-1:***:* because no identity-based policy allows the ssm:GetParameter action}

The policy Custom-Control-Tower-StackSet-CodeBuild-Policy-SSM attached to the role looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ssm:GetParameter",
                "ssm:PutParameter",
                "ssm:GetParametersByPath"
            ],
            "Resource": "arn:aws:ssm:eu-central-1:***:parameter/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ssm:DescribeParameters"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

If we remove parameter/ from the resource it works!

To Reproduce

Use a parameter from SSM in manifest.yaml.

Expected behavior

No error.


Screenshots

N/A

Additional context

N/A

balltrev commented 2 years ago

@jo-koe can you give us a copy of your manifest.yml, scrubbing any sensitive data? It would help us reproduce this error. Thanks!

jo-koe commented 2 years ago

Here you go (very much simplified):

manifest.yaml:

---
region: eu-central-1
version: 2021-03-15

resources:
  - name: TestSsm
    resource_file: templates/test.yaml
    parameter_file: parameters/test.json
    deploy_method: stack_set
    deployment_targets:
      accounts:
        - Management

parameters/test.json:

[
    {
        "ParameterKey": "TestSsmParameter",
        "ParameterValue": "$[alfred_ssm_/cloud-landing-zone/test]"
    }
]
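The following is an added example and is not code from this issue or from the CfCT project. It takes the policy and the parameters/test.json posted above, derives the SSM parameter ARN that the $[alfred_ssm_...] reference makes CodeBuild read, and evaluates ssm:GetParameter against it with a minimal IAM wildcard matcher, then evaluates the same action against the ":*" resource named in the AccessDeniedException. The account id is the placeholder 123456789012 (the issue redacts it), and Condition, NotAction/NotResource and resource-based policies are deliberately not modelled.

```python
import json
import re

# Placeholder account id; the issue redacts the real one as ***.
ACCOUNT = "123456789012"
REGION = "eu-central-1"

# Custom-Control-Tower-StackSet-CodeBuild-Policy-SSM as posted in the issue.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["ssm:GetParameter", "ssm:PutParameter", "ssm:GetParametersByPath"],
            "Resource": f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/*",
            "Effect": "Allow",
        },
        {"Action": ["ssm:DescribeParameters"], "Resource": "*", "Effect": "Allow"},
    ],
}

# The resource named in the AccessDeniedException quoted in the issue.
RESOURCE_FROM_ERROR = f"arn:aws:ssm:{REGION}:{ACCOUNT}:*"

# parameters/test.json from the issue, constructed inline so the script runs offline.
PARAMETER_FILE = json.dumps(
    [{"ParameterKey": "TestSsmParameter",
      "ParameterValue": "$[alfred_ssm_/cloud-landing-zone/test]"}]
)

# CfCT's parameter-file syntax for pulling a value out of SSM Parameter Store.
SSM_REF = re.compile(r"\$\[alfred_ssm_(?P<name>[^\]]+)\]")


def _iam_glob(pattern: str, flags: int = 0) -> re.Pattern:
    """Translate an IAM wildcard pattern (* = any run, ? = one char) into an anchored regex."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$", flags)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified identity-based policy evaluation: an explicit Deny wins, otherwise any
    matching Allow grants access, otherwise the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are compared as written.
        if not any(_iam_glob(a, re.IGNORECASE).match(action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_iam_glob(r).match(resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def ssm_parameter_arns(parameter_file_text: str, region: str, account: str) -> list:
    """Return the parameter ARN CodeBuild must be allowed to read for every
    $[alfred_ssm_<name>] reference in a CfCT parameter file."""
    arns = []
    for entry in json.loads(parameter_file_text):
        match = SSM_REF.fullmatch(str(entry.get("ParameterValue", "")))
        if match:
            # A parameter ARN is parameter/<name>; a hierarchical name such as
            # /cloud-landing-zone/test keeps a single slash after "parameter".
            name = match.group("name").lstrip("/")
            arns.append(f"arn:aws:ssm:{region}:{account}:parameter/{name}")
    return arns


def preflight(policy: dict, parameter_file_text: str, region: str, account: str) -> dict:
    """Map each referenced parameter ARN to whether ssm:GetParameter is allowed on it."""
    return {arn: is_allowed(policy, "ssm:GetParameter", arn)
            for arn in ssm_parameter_arns(parameter_file_text, region, account)}


if __name__ == "__main__":
    for arn, ok in preflight(POLICY, PARAMETER_FILE, REGION, ACCOUNT).items():
        print(f"{'ALLOW' if ok else 'DENY '} ssm:GetParameter {arn}")
    # The ARN in the error ends in ":*", not ":parameter/...", so the scoped
    # statement cannot match it, which is why that request was denied.
    denied = is_allowed(POLICY, "ssm:GetParameter", RESOURCE_FROM_ERROR)
    print(f"{'ALLOW' if denied else 'DENY '} ssm:GetParameter {RESOURCE_FROM_ERROR}")
```

Run as a script, the first line prints ALLOW for arn:aws:ssm:eu-central-1:123456789012:parameter/cloud-landing-zone/test and the second prints DENY for arn:aws:ssm:eu-central-1:123456789012:*. A statement scoped to parameter/* can only match a request whose resource is a parameter/... ARN, so an AccessDenied that names ...:* points at the request itself (the parameter name it resolved to) rather than at the policy being too narrow. Replacing parameter/* with * makes the check pass, as the issue reports, but it also grants ssm:PutParameter and ssm:GetParameter on every parameter in the account, so keep the scoped resource and find out why the request did not resolve to a parameter ARN.
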

balltrev commented 2 years ago

Thanks for the extra info here! I am actually unable to reproduce this bug; the SSM integration works in the test environment and updates the CFN parameter accordingly using the value stored in SSM. I would suggest you reach out to AWS Premium Support to dive deeper into your deployment and why your CodeBuild role needed modification to function as expected.

schwinbp commented 2 years ago

Not sure if this is related or not, but I am getting this error trying to set the SSM Params from Manifest.

Account ###### should have 'AWSControlTowerExecution' role with trust relationship to Role 'service-role/AWSControlTowerStackSetRole'.

balltrev commented 2 years ago

@schwinbp typically that is a StackSet deployment error due to IAM permissions issues. I would recommend either opening a new issue here if there's an issue with CfCT, but for troubleshooting your deployment/environment, I'd recommend reaching out to AWS Premium Support as well.

stumins commented 2 years ago

@jo-koe I'm going to close this issue due to inactivity, but please feel free to open new issues if you have additional problems.

camtauxe commented 8 months ago

I've seen this permission error as well. In my case, it occurred because the SSM parameter it was looking for did not exist.

The reason it did not exist was a side-effect of #25. I had changed the name of a parameter in the manifest, but the update did not take, so the parameter was never actually renamed in SSM.