Chamber reads the SSM parameter /_chamber/store-config on write
- Create an IAM policy that scopes ssm:GetParameter* to a specific service path:
  {
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["ssm:GetParameter*"],
        "Resource": "arn:aws:ssm:eu-west-1:ACCOUNT_ID:parameter/my-service/*"
      }
    ]
  }
- Run:
  chamber write my-service TEST_KEY "hello"
Expected Behavior
The command succeeds, or the documentation explicitly lists /_chamber/store-config as a required accessible path.
Actual Behavior
Error: operation error SSM: GetParameters, https response error StatusCode: 400,
api error AccessDeniedException: User: arn:aws:iam::ACCOUNT_ID:user/USERNAME is not
authorized to perform: ssm:GetParameters on resource:
arn:aws:ssm:eu-west-1:ACCOUNT_ID:parameter/_chamber/store-config because no
identity-based policy allows the ssm:GetParameters action
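
A check of the policy from the report against the denied request in the error output, as an added example that is not part of the original issue or of chamber's code. The wildcard matcher is a simplified model of IAM evaluation (Allow statements only; Deny, NotAction, NotResource and Condition are not modelled), and the function names are illustrative.

```python
import json
import re

# Policy from the report; ACCOUNT_ID is the report's own placeholder.
POLICY = json.loads("""{
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ssm:GetParameter*"],
    "Resource": "arn:aws:ssm:eu-west-1:ACCOUNT_ID:parameter/my-service/*"
  }]
}""")

# Error text from the report, joined onto one line.
ERROR = ("api error AccessDeniedException: User: arn:aws:iam::ACCOUNT_ID:user/USERNAME "
         "is not authorized to perform: ssm:GetParameters on resource: "
         "arn:aws:ssm:eu-west-1:ACCOUNT_ID:parameter/_chamber/store-config because no "
         "identity-based policy allows the ssm:GetParameters action")

def parse_denial(message):
    """Extract (action, resource ARN) from an IAM AccessDenied message."""
    m = re.search(r"not authorized to perform: (\S+) on resource: (\S+)", message)
    if not m:
        raise ValueError("not an AccessDenied message")
    return m.group(1), m.group(2)

def _wild(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed(policy, action, resource):
    """True if some Allow statement covers both the action and the resource."""
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if (any(_wild(a, action, True) for a in _as_list(st.get("Action", [])))
                and any(_wild(r, resource) for r in _as_list(st.get("Resource", [])))):
            return True
    return False

if __name__ == "__main__":
    action, resource = parse_denial(ERROR)
    # The action matches ssm:GetParameter*, so the gap is the resource path.
    print(action, resource, "allowed" if allowed(POLICY, action, resource) else "NOT covered")
```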