philips-labs / terraform-aws-github-runner

Terraform module for scalable GitHub action runners on AWS
https://philips-labs.github.io/terraform-aws-github-runner/
MIT License

Runners can't read SSM token on 5.11 #3922

Closed claytonolley closed 4 months ago

claytonolley commented 4 months ago

As of the new 5.11 update I'm now getting this error when starting runners. I believe it's due to the new condition put in place here - https://github.com/philips-labs/terraform-aws-github-runner/pull/3918/files#diff-4ed6d610eac069d3c24e362fd06f0ceddb2fafbd9bb34572a10708c083b91e96R12-R16

An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::**********:assumed-role/dev-runner-role/i-********** is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-2:**********:parameter/github-action-runners/dev/runners/tokens/i-*********** because no identity-based policy allows the ssm:GetParameter action

When I manually remove the condition from the inline policy, runners work correctly. I'm going to revert to 5.10 for the time being.

npalm commented 4 months ago

Thx for reporting. I have tested 5.11 with the following scenarios

They all work fine and the runners are getting the registration token?

npalm commented 4 months ago

Please can you double check you also updated the lambda functions. The control plane one contains a change. Without this change the new policy is not working since the tag is not set.

Here are some steps to debug

In case you still have the issue, please can you share more details about your configuration.
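
An added example, not from this thread or the module's own code: a local preflight that evaluates a tag-conditioned `ssm:GetParameter` Allow statement against the tags actually present on the token parameter, reproducing the failure mode above (policy updated, control-plane lambda not updated, so the tag the condition expects is missing). The policy document, account id, tag key `InstanceArn` and the `${ec2:SourceInstanceARN}` comparison are constructed assumptions, not the real condition from PR #3918.

```python
import fnmatch
import re

ACTION = "ssm:GetParameter"

# Constructed sample policy. Tag key "InstanceArn" and the variable comparison are
# assumptions for illustration, not the module's actual statement from PR #3918.
RUNNER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ssm:GetParameter",
    "Resource": "arn:aws:ssm:us-east-2:111122223333:parameter/github-action-runners/dev/runners/tokens/*",
    "Condition": {"StringEquals": {"ssm:resourceTag/InstanceArn": "${ec2:SourceInstanceARN}"}}}]}
PARAM_ARN = "arn:aws:ssm:us-east-2:111122223333:parameter/github-action-runners/dev/runners/tokens/i-0abc123"
CALLER = {"ec2:SourceInstanceARN": "arn:aws:ec2:us-east-2:111122223333:instance/i-0abc123"}


def _resolve(value, context):
    """Substitute IAM policy variables like ${ec2:SourceInstanceARN} from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), ""), value)


def _condition_ok(condition, tags, context):
    """StringEquals/StringLike on ssm:resourceTag/<Key>; a missing tag never satisfies."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            if not key.lower().startswith("ssm:resourcetag/"):
                return False  # other condition keys are out of scope for this preflight
            actual = tags.get(key.split("/", 1)[1])
            if actual is None:
                return False  # this is the "lambda not updated, tag not set" case
            wanted = [_resolve(w, context) for w in ([expected] if isinstance(expected, str) else expected)]
            match = fnmatch.fnmatchcase if op == "StringLike" else (lambda a, w: a == w)
            if op not in ("StringEquals", "StringLike") or not any(match(actual, w) for w in wanted):
                return False
    return True


def get_parameter_allowed(policy, parameter_arn, tags, context):
    """Return (allowed, reason): does any Allow statement grant ACTION on parameter_arn?"""
    reason = "no Allow statement matches the action and resource"
    for st in policy["Statement"]:
        acts = [st["Action"]] if isinstance(st["Action"], str) else st["Action"]
        res = [st["Resource"]] if isinstance(st["Resource"], str) else st["Resource"]
        if st["Effect"] != "Allow" or not any(fnmatch.fnmatchcase(ACTION, a) for a in acts):
            continue
        if not any(fnmatch.fnmatchcase(parameter_arn, r) for r in res):
            continue
        if _condition_ok(st.get("Condition", {}), tags, context):
            return True, "allowed: statement matched and its Condition is satisfied"
        reason = f"statement matched but its Condition failed; parameter tags: {tags}"
    return False, reason


if __name__ == "__main__":
    print(get_parameter_allowed(RUNNER_POLICY, PARAM_ARN, {}, CALLER))  # untagged parameter
    print(get_parameter_allowed(RUNNER_POLICY, PARAM_ARN, {"InstanceArn": CALLER["ec2:SourceInstanceARN"]}, CALLER))
```

Feed it the real statement from your inline runner policy and the output of `aws ssm list-tags-for-resource` on the token parameter to see which side (policy or tagging lambda) is out of step.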

claytonolley commented 4 months ago

My sincere apologies, I had not updated the lambdas. I'm pretty new to using this module so I will definitely note this for the future. Many thanks for sharing this solution!

tetienne-zenchef commented 3 months ago

@npalm I was tricked also by this, despite the fact I read the changelog. What do you think about adding a warning into the release note when there is such a strong dependency for a new feature?