ssm:GetParameter AccessDeniedException

[Upgreydd]

At 5.12.0 version something is wrong with runner-ssm-parameters. After removing below condition all works, but I guess it's not desired way.

            "Condition": {
                "StringLike": {
                    "ec2:SourceInstanceARN": "*/${aws:ResourceTag/InstanceId}"
                }
            },

Error is:

<13>Jul  1 15:41:27 user-data: An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::account_id:assumed-role/my-ghr-ubuntu-runner-role/i-02acXXXXXXXX is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:ap-south-1:account_id:parameter/github-action-runners/my-ghr/ubuntu/runners/tokens/i-02acXXXXXXXX because no identity-based policy allows the ssm:GetParameter action
<13>Jul  1 15:41:27 user-data: Waiting for GH Runner config to become available in AWS SSM

[EDIT] OK, looks like lambdas are not updated while deploying updated code. module "multi-runner" parameters:

  lambda_s3_bucket      = var.s3_bucket_name
  webhook_lambda_s3_key = "lambdas/webhook.zip"
  syncer_lambda_s3_key  = "lambdas/runner-binaries-syncer.zip"
  runners_lambda_s3_key = "lambdas/runners.zip"

doesn't force new lambda deployment while zip files are updated.

[npalm]

Lambda updates are forced based on source code has. Which means each time your rebuild the lambda a deployment is triggered. As far we aware this is working correctly. We use this during development often. Our prod deployments are depending on zip files (versioned in s3).

[iterion]

I also recently experienced this. I had to delete my lambdas for them to load the latest code from S3. Possible I have something misconfigured though.

[npalm]

Ensure you deploy always the matching lambda's with an update the terraform module.

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs. Thank you for your contributions.