philips-labs / terraform-aws-github-runner

Terraform module for scalable GitHub action runners on AWS
https://philips-labs.github.io/terraform-aws-github-runner/
MIT License
2.44k stars 578 forks

ssm:GetParameter AccessDeniedException #3959

Open Upgreydd opened 3 days ago

Upgreydd commented 3 days ago

At version 5.12.0 something is wrong with runner-ssm-parameters. After removing the condition below, everything works, but I guess that's not the desired way.

            "Condition": {
                "StringLike": {
                    "ec2:SourceInstanceARN": "*/${aws:ResourceTag/InstanceId}"
                }
            },

Error is:

<13>Jul  1 15:41:27 user-data: An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::account_id:assumed-role/my-ghr-ubuntu-runner-role/i-02acXXXXXXXX is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:ap-south-1:account_id:parameter/github-action-runners/my-ghr/ubuntu/runners/tokens/i-02acXXXXXXXX because no identity-based policy allows the ssm:GetParameter action
<13>Jul  1 15:41:27 user-data: Waiting for GH Runner config to become available in AWS SSM

[EDIT] OK, it looks like the lambdas are not updated while deploying updated code. The module "multi-runner" parameters:

  lambda_s3_bucket      = var.s3_bucket_name
  webhook_lambda_s3_key = "lambdas/webhook.zip"
  syncer_lambda_s3_key  = "lambdas/runner-binaries-syncer.zip"
  runners_lambda_s3_key = "lambdas/runners.zip"

don't force a new lambda deployment when the zip files are updated.
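The condition quoted in the report ties the runner's token parameter to one EC2 instance: the `Allow` only applies when the caller's `ec2:SourceInstanceARN` ends with the value of the parameter's `InstanceId` tag, so a parameter created without that tag is denied even though the action and resource match. The script below is an added example, not code from the terraform-aws-github-runner project; it parses the `AccessDeniedException` line from the issue, reconstructs the caller's instance ARN, and evaluates the `StringLike` condition offline for a constructed set of parameter tags. The tag name `InstanceId` is taken from the policy fragment above; the ARN layouts follow the AWS documentation, and the sample log line and tag sets are constructed inputs.

```python
"""Offline evaluation of the runner-ssm-parameters condition from this issue.

Added example, not project code. Simulates the IAM StringLike test
    "ec2:SourceInstanceARN": "*/${aws:ResourceTag/InstanceId}"
for one request so you can see why a parameter without an InstanceId tag
(or with a tag for a different instance) is denied.
"""
import re

# Constructed sample: the AccessDeniedException line reported in the issue.
LOG_LINE = (
    "<13>Jul  1 15:41:27 user-data: An error occurred (AccessDeniedException) "
    "when calling the GetParameter operation: User: arn:aws:sts::account_id:"
    "assumed-role/my-ghr-ubuntu-runner-role/i-02acXXXXXXXX is not authorized to "
    "perform: ssm:GetParameter on resource: arn:aws:ssm:ap-south-1:account_id:"
    "parameter/github-action-runners/my-ghr/ubuntu/runners/tokens/i-02acXXXXXXXX "
    "because no identity-based policy allows the ssm:GetParameter action"
)

_DENY_RE = re.compile(
    r"User: (?P<principal>arn:aws:sts::[^ ]+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9]+) on resource: (?P<resource>arn:aws:[^ ]+)"
)


def parse_access_denied(line: str) -> dict:
    """Extract principal, action and resource from an AccessDeniedException message."""
    match = _DENY_RE.search(line)
    if not match:
        raise ValueError("not an AccessDeniedException line")
    return match.groupdict()


def session_name(assumed_role_arn: str) -> str:
    """Last segment of an assumed-role ARN; for instance-profile credentials it is the instance id."""
    return assumed_role_arn.rsplit("/", 1)[-1]


def source_instance_arn(resource_arn: str, instance_id: str) -> str:
    """Build the ec2:SourceInstanceARN value IAM would see, using the region/account of the resource ARN."""
    parts = resource_arn.split(":")  # arn:partition:service:region:account:...
    return f"arn:{parts[1]}:ec2:{parts[3]}:{parts[4]}:instance/{instance_id}"


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: case-sensitive, '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def evaluate_condition(caller_instance_arn: str, resource_tags: dict) -> bool:
    """Evaluate "*/${aws:ResourceTag/InstanceId}" against the caller's instance ARN.

    A policy variable that cannot be resolved (tag missing) makes the condition
    false, so the Allow statement never applies to the request.
    """
    tag_value = resource_tags.get("InstanceId")
    if tag_value is None:
        return False
    return iam_string_like("*/" + tag_value, caller_instance_arn)


def diagnose(line: str, resource_tags: dict) -> str:
    """Explain, for one denied request, whether the instance-scoping condition is the cause."""
    info = parse_access_denied(line)
    instance_id = session_name(info["principal"])
    caller_arn = source_instance_arn(info["resource"], instance_id)
    if evaluate_condition(caller_arn, resource_tags):
        return "condition satisfied; check the Action/Resource of the Allow statement instead"
    tag_value = resource_tags.get("InstanceId")
    if tag_value is None:
        return f"parameter {info['resource']} has no InstanceId tag; the condition can never match"
    return f"InstanceId tag {tag_value!r} does not match caller instance {instance_id!r}"


if __name__ == "__main__":
    # Constructed tag sets: correctly tagged, untagged, and tagged for another instance.
    for tags in ({"InstanceId": "i-02acXXXXXXXX"}, {}, {"InstanceId": "i-0other"}):
        print(tags, "->", diagnose(LOG_LINE, tags))
```

On a live account the equivalent check is `aws ssm list-tags-for-resource --resource-type Parameter --resource-id <parameter name>`: if the `InstanceId` tag is absent or names a different instance, the scoped policy denies `GetParameter` exactly as the log shows, and removing the condition hides that rather than fixing it. Note that `ec2:SourceInstanceARN` is only populated for requests made with instance-profile credentials, so the same condition also denies the parameter to anything that is not the runner instance itself.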

npalm commented 18 hours ago

Lambda updates are forced based on the source code hash. This means each time you rebuild the lambda a deployment is triggered. As far as we are aware this is working correctly. We use this often during development. Our prod deployments depend on zip files (versioned in S3).