AWS Systems Manager (SSM) Parameter Store provides a centralized and secure storage solution for managing your configuration data, secrets, and application settings. One of the key operations you might perform when working with SSM Parameter Store is retrieving the value of a parameter. In this article, we’ll demonstrate how to create an AWS Identity and Access Management (IAM) policy that grants access to the ssm:GetParameter action, allowing you to securely retrieve parameter values.
Creating IAM Policy to Allow ssm:GetParameter
To create an AWS Identity and Access Management (IAM) policy that allows the ssm:GetParameter action, you need to specify the required permissions in a JSON document. Here’s an example of a policy that grants access to the ssm:GetParameter action:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:GetParameter",
      "Resource": "arn:aws:ssm:REGION:ACCOUNT_ID:parameter/RESOURCE_NAME"
    }
  ]
}
Replace the following placeholders with your actual values:
- REGION: Replace with the region where your SSM parameter is located, e.g., “us-west-2”.
- ACCOUNT_ID: Replace with your AWS account ID, e.g., “123456789012”.
- RESOURCE_NAME: Replace with the name of the SSM parameter you want to grant access to, e.g., “my_parameter”.
If you want to grant access to all SSM parameters in your account, you can use a wildcard (*) for the resource name:
"Resource": "arn:aws:ssm:REGION:ACCOUNT_ID:parameter/*"
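The following added example (not part of the original article) generates the policy above for a fixed list of parameter names and reports any wildcard Resource in a policy that allows ssm:GetParameter, so a broad grant is caught before it is attached. The function names and the parameter name "/myapp/db_url" are assumptions made for illustration; it also covers hierarchical names, whose leading slash is not repeated in the ARN.

```python
import fnmatch
import json
import re

def parameter_arn(region, account_id, name, partition="aws"):
    """Build the Resource ARN for a single Parameter Store parameter."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account ID must be 12 digits")
    if not name.strip("/") or "*" in name or "?" in name:
        raise ValueError("expected one concrete parameter name")
    # Hierarchical names start with "/", but the ARN carries only one slash
    # after "parameter": "/myapp/db_url" -> "parameter/myapp/db_url".
    return f"arn:{partition}:ssm:{region}:{account_id}:parameter/{name.lstrip('/')}"

def build_policy(region, account_id, names):
    """Policy allowing ssm:GetParameter on the listed parameters only."""
    arns = sorted({parameter_arn(region, account_id, n) for n in names})
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": "ssm:GetParameter",
                           "Resource": arns}]}

def _as_list(value):
    # IAM accepts either a single string/object or a list in these fields.
    return value if isinstance(value, list) else [value]

def wildcard_resources(policy):
    """Wildcard Resource entries in Allow statements that cover ssm:GetParameter."""
    hits = []
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        covers = any(fnmatch.fnmatchcase("ssm:getparameter", a.lower())
                     for a in actions)  # action names are case-insensitive
        if stmt.get("Effect") == "Allow" and covers:
            hits += [r for r in _as_list(stmt.get("Resource", []))
                     if "*" in r or "?" in r]
    return hits

if __name__ == "__main__":
    # Constructed sample values: the article's example account and region.
    policy = build_policy("us-west-2", "123456789012",
                          ["my_parameter", "/myapp/db_url"])
    print(json.dumps(policy, indent=2))
    print("wildcards:", wildcard_resources(policy))
```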
You can also use the AWS Management Console to create a custom IAM policy:
- Open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose “Policies”, and then choose “Create policy”.
- Choose the “JSON” tab and paste the JSON policy document.
- Review and modify the policy as necessary, and then choose “Next: Tags”.
- (Optional) Add any tags you need, and then choose “Next: Review”.
- For “Name”, enter a unique name for the policy, and then choose “Create policy”.
Conclusion
In this article, we’ve shown you how to create an IAM policy that grants access to the ssm:GetParameter action, which allows users to retrieve parameter values from the AWS Systems Manager Parameter Store. By following the above steps, you can ensure that your applications and users have the necessary permissions to securely access the parameters they need. Remember to customize the policy according to your specific requirements, such as limiting access to specific parameters or regions, to maintain the desired level of security and control.