
Not authorized to run SendCommand in Document

Open andrzpg12 opened this issue 3 years ago • 0 comments

Describe the bug: Able to run ssm:SendCommand

To Reproduce: Add a policy to the IAM user with ssm:SendCommand and with document AWS-RunShellScript

Expected behavior: Run the SendCommand with no access denied.

I know that it is "recommended" to attach the SSMFullAccess permissions to the IAM user, but I think that is not safe. It is better to restrict to only the permissions required for this.

This is the error I got even when I put an IAM policy on my IAM user:

AccessDeniedException: User: arn:aws:iam::405378491277:user/github-actions-mci is not authorized to perform: ssm:SendCommand on resource: arn:aws:ssm:***::document/AWS-RunShellScript
    at Request.extractError (/home/runner/work/_actions/peterkimzz/aws-ssm-send-command/v1.1.1/node_modules/aws-sdk/lib/protocol/json.js:52:27)
    at Request.callListeners (/home/runner/work/_actions/peterkimzz/aws-ssm-send-command/v1.1.1/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/home/runner/work/_actions/peterkimzz/aws-ssm-send-command/v1.1.1/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/home/runner/work/_actions/peterkimzz/aws-ssm-send-command/v1.1.1/node_modules/aws-sdk/lib/request.js:688:14)
    at Request.transition (/home/runner/work/_actions/peterkimzz/aws-ssm-send-command/v1.1.1/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/home/runner/work/_actions/peterkimzz/aws-ssm-send-command/v1.1.1/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /home/runner/work/_actions/peterkimzz/aws-ssm-send-command/v1.1.1/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/home/runner/work/_actions/peterkimzz/aws-ssm-send-command/v1.1.1/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/home/runner/work/_actions/peterkimzz/aws-ssm-send-command/v1.1.1/node_modules/aws-sdk/lib/request.js:690:12)
    at Request.callListeners (/home/runner/work/_actions/peterkimzz/aws-ssm-send-command/v1.1.1/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
  message: 'User: arn:aws:iam::*********:user/github-***** is not authorized to perform: ssm:SendCommand on resource: arn:aws:ssm:***::document/AWS-RunShellScript',
  code: 'AccessDeniedException',
  time: 2021-06-15T17:19:51.783Z,
  requestId: '51866eec-5db2-4eec-99ef-7c931e584858',
  statusCode: 400,
  retryable: false,
  retryDelay: 22.369716692908348

Here is my policy attached to the IAM user:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": [
        "arn:aws:ec2:*:***********:instance/*",
        "arn:aws:ssm:us-east-1:**********:document/AWS-RunShellScript"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": "arn:aws:ssm:*:*********:managed-instance/*"
    }
  ]
}

So, I allowed permissions to run ssm:SendCommand on the document AWS-RunShellScript in my account. Is this repo using another document version in another AWS account? This policy should work and not require an SSMFullAccess permission.

andrzpg12 avatar Jun 15 '21 17:06 andrzpg12
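An added example, not part of the issue or of the peterkimzz/aws-ssm-send-command action, that evaluates the posted policy against the resource ARN in the error the same way IAM's wildcard resource matching does. The denied resource is `arn:aws:ssm:<region>::document/AWS-RunShellScript`, whose account field is empty because AWS-RunShellScript is an AWS-owned document, while the policy's document ARN carries an account ID, so no statement covers the request; a second policy with the account-less document ARN does. Assumed: the region is us-east-1 as in the policy, and the account ID 111122223333 is a constructed placeholder for the redacted one.

```python
import fnmatch

# Resource ARN from the AccessDeniedException above. The region was redacted
# there; us-east-1, the region in the poster's policy, is assumed.
DENIED_ARN = "arn:aws:ssm:us-east-1::document/AWS-RunShellScript"
ACCOUNT = "111122223333"  # constructed placeholder for the redacted account ID

# The poster's policy as posted: the document ARN carries the account ID.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "ssm:SendCommand",
         "Resource": [f"arn:aws:ec2:*:{ACCOUNT}:instance/*",
                      f"arn:aws:ssm:us-east-1:{ACCOUNT}:document/AWS-RunShellScript"]},
        {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "ssm:SendCommand",
         "Resource": f"arn:aws:ssm:*:{ACCOUNT}:managed-instance/*"},
    ],
}

# Same policy with the document ARN written the way the error reports it:
# AWS-owned documents such as AWS-RunShellScript have an empty account field.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "ssm:SendCommand",
         "Resource": [f"arn:aws:ec2:*:{ACCOUNT}:instance/*",
                      "arn:aws:ssm:us-east-1::document/AWS-RunShellScript"]},
        ORIGINAL_POLICY["Statement"][1],
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowing_sids(policy, action, arn):
    """Sids of Allow statements whose Action and Resource both cover the request.
    Patterns match IAM-style: '*' spans any run of characters (':' and '/' too),
    '?' one; ARNs compare case-sensitively, action names case-insensitively."""
    sids = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                        for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(arn, r)
                          for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            sids.append(stmt.get("Sid", "<no Sid>"))
    return sids
```

`allowing_sids(ORIGINAL_POLICY, "ssm:SendCommand", DENIED_ARN)` returns an empty list, reproducing the denial; the same call on `FIXED_POLICY` returns `["VisualEditor0"]`. The SSMFullAccess managed policy is not needed; only the document ARN's account field has to change.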