binxio / cfn-secret-provider

A CloudFormation custom resource provider for deploying secrets and keys
Apache License 2.0

CFN is returning SSMPutParameter Access denied #28

Closed vennemp closed 5 years ago

vennemp commented 5 years ago

I am running your CFN to create the key pair generating lambda function. I have made no edits to your code but I am getting an error.

Failed to create resource. An error occurred (AccessDeniedException) when calling the PutParameter operation: User: arn:aws:sts::xxxxxxxxxx:assumed-role/Research3-LambdaRole-87IICXNLGUL3/binxio-cfn-secret-provider is not authorized to perform: ssm:PutParameter on resource: arn:aws:ssm:us-east-1:xxxxxxxxx:parameter/app/Research3/demo/private-key

mvanholsteijn commented 5 years ago

Hi @vennemp, I suspect that you did not deploy using the cfn-resource-provider.yaml template. At line 25 it is granted the ssm:PutParameter action. Can you check the permissions associated with your lambda?

vennemp commented 5 years ago

I took the code and copied it into another template. It is creating the actual function. Just failing when it makes the call to create the private key.

These are the permissions associated with the lambda

  LambdaPolicy:
    Type: AWS::IAM::Policy
    DependsOn:
      - LambdaRole
    Properties:
      PolicyName: CFNCustomSecretProviderPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - iam:CreateAccessKey
              - iam:DeleteAccessKey
              - iam:UpdateAccessKey
              - ssm:PutParameter
              - ssm:GetParameter
              - ssm:DeleteParameter
              - ec2:ImportKeyPair
              - ec2:DeleteKeyPair
              - secretsmanager:DeleteSecret
              - secretsmanager:CreateSecret
              - secretsmanager:UpdateSecret
            Effect: Allow
            Resource:
              - '*'
          - Action:
              - kms:Decrypt
            Effect: Allow
            Resource:
              - !GetAtt 'Key.Arn'
          - Action:
              - logs:*
            Effect: Allow
            Resource: arn:aws:logs:*:*:*
      Roles:
        - !Ref 'LambdaRole'
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
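As an added, offline check (not part of this issue or of the cfn-secret-provider code): a small evaluator that replays the policy statements posted above against the action and parameter ARN from the error message. It models only Effect/Action/Resource of an identity-based policy, with a placeholder standing in for `!GetAtt 'Key.Arn'`; a policy that allows the call on paper can still fail at runtime if it is not attached to the role the function actually assumes (here `Research3-LambdaRole-87IICXNLGUL3`), or if a condition, permission boundary or SCP denies it, and those cases are outside this check.

```python
import re

# Constructed copy of the identity-based policy statements posted above. The
# CloudFormation intrinsic !GetAtt 'Key.Arn' cannot be resolved offline, so a
# placeholder KMS key ARN stands in for it.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": ["*"],
         "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:UpdateAccessKey",
                    "ssm:PutParameter", "ssm:GetParameter", "ssm:DeleteParameter",
                    "ec2:ImportKeyPair", "ec2:DeleteKeyPair",
                    "secretsmanager:DeleteSecret", "secretsmanager:CreateSecret",
                    "secretsmanager:UpdateSecret"]},
        {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": [KEY_ARN]},
        {"Effect": "Allow", "Action": ["logs:*"], "Resource": "arn:aws:logs:*:*:*"},
    ],
}


def glob_match(pattern, value, ignore_case):
    """IAM-style wildcard match: '*' matches any run, '?' exactly one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def as_list(value):
    return [value] if isinstance(value, str) else list(value)


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action/resource pair.
    Explicit Deny wins, otherwise any matching Allow wins, otherwise implicit
    deny. Actions match case-insensitively, resource ARNs case-sensitively.
    Conditions, NotAction/NotResource, boundaries and SCPs are not modelled."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(glob_match(a, action, True) for a in as_list(stmt.get("Action", []))):
            continue
        if not any(glob_match(r, resource, False) for r in as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# The parameter ARN from the error message, with the account id masked as posted.
PARAM_ARN = "arn:aws:ssm:us-east-1:xxxxxxxxx:parameter/app/Research3/demo/private-key"
```

Running `evaluate(POLICY, "ssm:PutParameter", PARAM_ARN)` returns `Allow`, which confirms the posted statements are sufficient and points the investigation at the role the function really runs under rather than at the policy text.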

mvanholsteijn commented 5 years ago

@vennemp, it is a problem in your configuration.

This works:

git clone https://github.com/binxio/cfn-secret-provider.git
cd cfn-secret-provider
make VERSION=1.0.0 deploy-provider
make demo

vennemp commented 5 years ago

I just ended up launching it as a nested stack and it worked fine that way.