1
votes

I used this article to create my stack.

https://aws.amazon.com/blogs/infrastructure-and-automation/scheduling-automatic-deletion-of-aws-cloudformation-stacks/

But getting an error:

User: arn:aws:sts::xxx:assumed-role/deleteCurrent-DeleteAfter-DeleteCFNLambdaExecution-T1WHQG2UTLWM/DeleteCFNLambda-deleteCurrent is not authorized to perform: ssm:DeleteParameter on resource: arn:aws:ssm:us-east-1:xxx:parameter/CFN-DemoParameter-plOl5Hg4QuI5 (Service: AmazonSSM; Status Code: 400; Error Code: AccessDeniedException;

The template can be viewed here...

https://datameetgeobk.s3.amazonaws.com/cftemplates/delete_after_5m.template

Any suggestion to correct the error will be appreciated.

1
Are you sure that the error is from the delete_after_5m.template? It does not seem like it, as I don't see any call to delete any ssm parameter. – Marcin
Another nested template that tries to remove this template does not have permission to do so. datameetgeobk.s3.amazonaws.com/cftemplates/… – shantanuo

1 Answers

1
votes

The error says that your lambda execution role does not have permission to execute ssm:DeleteParameter. Thus you can add the missing permission to the lambda role:

Resources:
  DeleteCFNLambdaExecutionRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: "Allow"
          Principal:
            Service: ["lambda.amazonaws.com"]
          Action: "sts:AssumeRole"
      Path: "/"
      Policies:
      - PolicyName: "lambda_policy"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
          - Effect: "Allow"
            Action:
            - "logs:CreateLogGroup"
            - "logs:CreateLogStream"
            - "logs:PutLogEvents"
            Resource: "arn:aws:logs:*:*:*"
          - Effect: "Allow"
            Action:
            - "cloudformation:DeleteStack"
            Resource: !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${StackName}/*"
          - Effect: "Allow"
            Action:
            - "ssm:DeleteParameter"
            Resource: "*"
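To see why the original role fails and what the added statement grants, here is a small policy evaluator (added example, not part of the answer or the AWS template) that applies IAM's wildcard matching to the ARN from the error message. The account id, the "before" role and the tighter CFN-* resource scope are assumptions; real evaluation also involves conditions, SCPs and resource policies, which this model leaves out.

```python
import re

# Constructed values: the account id stands in for the "xxx" in the question's error message.
ACCOUNT = "123456789012"
PARAM_ARN = f"arn:aws:ssm:us-east-1:{ACCOUNT}:parameter/CFN-DemoParameter-plOl5Hg4QuI5"

def _iam_regex(pattern: str, ignore_case: bool = False) -> re.Pattern:
    """Translate an IAM wildcard pattern (* = any run, ? = one char) into an anchored regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE if ignore_case else 0)

def _matches(patterns, value: str, ignore_case: bool = False) -> bool:
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(_iam_regex(p, ignore_case).match(value) for p in patterns)

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise any matching Allow grants.
    Actions match case-insensitively and resource ARNs case-sensitively, as in IAM; no Condition support."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action, ignore_case=True) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def star_resource_actions(policy: dict) -> list:
    """Actions an Allow statement grants on Resource "*": the least-privilege review flag for this fix."""
    return [a for s in policy["Statement"] if s["Effect"] == "Allow" and s["Resource"] == "*"
            for a in (s["Action"] if isinstance(s["Action"], list) else [s["Action"]])]

# Assumed "before" state of the role: only the logging statement, no ssm permission at all.
BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:*:*:*"}]}
# The statement the answer adds, with Resource "*" as written there.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:DeleteParameter"], "Resource": "*"}]}
# Assumed tighter alternative: only CFN-prefixed parameters in this account and region.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:DeleteParameter"],
     "Resource": f"arn:aws:ssm:us-east-1:{ACCOUNT}:parameter/CFN-*"}]}

if __name__ == "__main__":
    for name, pol in [("before", BEFORE), ("broad", BROAD), ("scoped", SCOPED)]:
        print(name, is_allowed(pol, "ssm:DeleteParameter", PARAM_ARN), star_resource_actions(pol))
```

Both BROAD and SCOPED clear the AccessDeniedException for the parameter in the error; only BROAD also lets the role delete every parameter in every account it can reach, which star_resource_actions surfaces.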