AWS SSM Parameter Store IAM Policy for restricting by Path and Tag

I wanted to restrict access to some parameters based on the path and tag.

Say I have a parameter:
/production/Param1=Value1
with a tag:
Application1=One

I was expecting a policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameterHistory",
                "ssm:ListTagsForResource",
                "ssm:GetParametersByPath",
                "ssm:GetParameters",
                "ssm:GetParameter"
            ],
            "Resource": "arn:aws:ssm:*:*:parameter/production/*",
            "Condition": {
                "StringEquals": {
                    "ssm:resourceTag/Application1": "One"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "tag:GetResources",
                "ssm:DescribeParameters"
            ],
            "Resource": "*"
        }
    ]
}

I had to do this instead:

# filter by the tag, pull out the parameter names, then fetch each one
aws ssm describe-parameters \
    --parameter-filters "Key=tag:Application1,Values=One" \
    --output json \
  | jq -r '.Parameters[].Name' \
  | xargs -I {} aws ssm get-parameter --name {} --with-decryption

{
    "Parameter": {
        "Name": "/production/Param1",
        "Type": "String",
        "Value": "Value1",
        "Version": 1,
        "LastModifiedDate": "2020-08-09T18:29:51.197000+10:00",
        "ARN": "arn:aws:ssm:ap-southeast-2:378624334311:parameter/production/Param1",
        "DataType": "text"
    }
}

If you already know the parameter name, get-parameters is simpler:

aws ssm get-parameters --names "/production/Param1" --profile k7-test
{
    "Parameters": [
        {
            "Name": "/production/Param1",
            "Type": "String",
            "Value": "Value1",
            "Version": 1,
            "LastModifiedDate": "2020-08-09T18:29:51.197000+10:00",
            "ARN": "arn:aws:ssm:ap-southeast-2:******:parameter/production/Param1",
            "DataType": "text"
        }
    ],
    "InvalidParameters": []
}

It would have been simpler to filter by tag directly in get-parameters-by-path, but a known issue with the AWS CLI,
https://github.com/aws/aws-cli/issues/2850
prevents that.
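The describe-parameters-then-fetch round trip above has two edges the one-liner hides: DescribeParameters is paginated (the CLI pages for you, a raw API client does not), and GetParameters accepts at most 10 names per call. The following is an added example, not code from the original post; it is written against the boto3 `ssm` client's method shapes (describe_parameters, get_parameters) but runs offline against the constructed FakeSSM stand-in and sample data defined inside it. It also narrows the tag-selected names to the /production/ path before fetching, which is the path-plus-tag restriction the post is after.

```python
"""Fetch SSM parameters selected by tag and then by path prefix.

Added example (not from the original post). The functions take any object
with boto3-style describe_parameters/get_parameters methods; FakeSSM below
is a constructed stand-in so the module runs without AWS credentials.
"""
from typing import Dict, Iterable, List, Optional

GET_PARAMETERS_MAX_NAMES = 10  # documented GetParameters limit on Names


def describe_names_by_tag(ssm, tag_key: str, tag_value: str) -> List[str]:
    """Page through DescribeParameters with a tag:<key> filter and return names."""
    names: List[str] = []
    kwargs = {"ParameterFilters": [{"Key": f"tag:{tag_key}", "Values": [tag_value]}]}
    while True:
        page = ssm.describe_parameters(**kwargs)
        names.extend(p["Name"] for p in page.get("Parameters", []))
        token = page.get("NextToken")
        if not token:  # last page: no NextToken in the response
            return names
        kwargs["NextToken"] = token


def chunked(items: List[str], size: int) -> Iterable[List[str]]:
    """Yield successive slices of at most `size` items."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def get_tagged_parameters(ssm, tag_key: str, tag_value: str,
                          path_prefix: str, decrypt: bool = True) -> Dict[str, str]:
    """Return {name: value} for parameters tagged tag_key=tag_value under path_prefix."""
    names = [n for n in describe_names_by_tag(ssm, tag_key, tag_value)
             if n.startswith(path_prefix)]
    values: Dict[str, str] = {}
    for batch in chunked(names, GET_PARAMETERS_MAX_NAMES):
        resp = ssm.get_parameters(Names=batch, WithDecryption=decrypt)
        for p in resp.get("Parameters", []):
            values[p["Name"]] = p["Value"]
        # Names the caller may not read, or that no longer exist, are reported
        # in InvalidParameters rather than raised; fail loudly instead of
        # silently returning a partial set.
        if resp.get("InvalidParameters"):
            raise PermissionError(f"could not read: {resp['InvalidParameters']}")
    return values


class FakeSSM:
    """Constructed stand-in for a boto3 ssm client (sample data, not real AWS)."""

    def __init__(self, params: Dict[str, tuple], page_size: int = 2):
        self.params = params          # name -> (value, {tag_key: tag_value})
        self.page_size = page_size    # small pages to exercise NextToken handling

    def describe_parameters(self, ParameterFilters, NextToken: Optional[str] = None, **_):
        flt = ParameterFilters[0]
        tag = flt["Key"][len("tag:"):]
        matching = sorted(n for n, (_, tags) in self.params.items()
                          if tags.get(tag) in flt["Values"])
        start = int(NextToken or 0)
        page = matching[start:start + self.page_size]
        out = {"Parameters": [{"Name": n} for n in page]}
        if start + self.page_size < len(matching):
            out["NextToken"] = str(start + self.page_size)
        return out

    def get_parameters(self, Names, WithDecryption=False):
        if len(Names) > GET_PARAMETERS_MAX_NAMES:  # mirrors the service's ValidationException
            raise ValueError("ValidationException: at most 10 names per GetParameters call")
        found = [{"Name": n, "Value": self.params[n][0]} for n in Names if n in self.params]
        missing = [n for n in Names if n not in self.params]
        return {"Parameters": found, "InvalidParameters": missing}


# Constructed sample data: 14 tagged parameters under /production/ (forces two
# GetParameters batches), one with a different tag value, one on another path.
SAMPLE: Dict[str, tuple] = {
    "/production/Param1": ("Value1", {"Application1": "One"}),
    "/production/Param2": ("Value2", {"Application1": "One"}),
    "/production/Other": ("x", {"Application1": "Two"}),
    "/staging/Param1": ("staging-value", {"Application1": "One"}),
}
for _i in range(3, 15):
    SAMPLE[f"/production/Param{_i}"] = (f"Value{_i}", {"Application1": "One"})


if __name__ == "__main__":
    # Against real AWS this would be: import boto3; ssm = boto3.client("ssm")
    ssm = FakeSSM(SAMPLE, page_size=3)
    for name, value in sorted(get_tagged_parameters(ssm, "Application1", "One", "/production/").items()):
        print(f"{name}={value}")
```

The path filter is applied client-side on the names DescribeParameters returned, so the IAM policy's path-scoped Resource still has to be what actually enforces the boundary; a caller who can call GetParameters on other paths will not be stopped by this script, only by the policy.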

AWS CodeCommit – PRs and commits with large files

The AWS CodeCommit console UI fails to display a diff when viewing PRs or commits that contain large files (in my case a 7125-line XML file in the PR caused the diff to fail to render).

AWS support confirmed that this is a limitation as of now and did not provide further details (on what the limit is or when it would be fixed).

It makes reviewing take a little longer, as one has to do the review outside the console and then approve or disapprove within the console. It is a pain, to be honest.

Beware 🙂