#datomic
2018-10-25
joshkh 09:10:50

bump from yesterday - any clues regarding ion lambda access to SSM? i see ion/get-params used in the datomic/ion-event-example project. i ended up adding a full SSM policy to our [compute-group]-DatomicLambdaRole (the execution role for the lambda) with no luck. the lambda returns User: is not authorized to perform: ssm:GetParametersByPath on resource: .... any help is much appreciated. 🙂

steveb8n 10:10:18

I can maybe help. I’ve got a node.js lambda reading SSM parameters. Here are the IAM perms that were required:

steveb8n 10:10:40

{
  "PolicyName": "root",
  "PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ],
        "Effect": "Allow",
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "ssm:GetParameter",
          "ssm:GetParameters"
        ],
        "Resource": {
          "Fn::Join": [
            "",
            [
              "arn:aws:ssm:",
              { "Ref": "AWS::Region" },
              ":",
              { "Ref": "AWS::AccountId" },
              ":parameter/",
              { "Ref": "Application" },
              "-*"
            ]
          ]
        }
      }
    ]
  }
}

steveb8n 10:10:48

in other words, try the two actions in that JSON for your IAM role

marshall 11:10:55

Josh, as mentioned here: https://docs.datomic.com/cloud/ions/ions-reference.html#parameters-example, there is a default datomic-shared parameter store that is readable by all Datomic nodes

marshall 11:10:14

any additional parameter stores would require you to setup your own IAM permissions

grzm 22:10:28

@U0510KXTU For an additional anecdatapoint: we've currently handled this with full read access (we're using application-specific config outside of datomic-shared), but are looking to whittle it down from there.

joshkh 12:10:10

thanks! just returning to say that /datomic-shared/ did in fact work out of the box, and the policy suggestion was really useful.