Enhancement: add policy to allow IAM user to read SSM /system_user/#user#/ path

[patlachance]

Have a question? Please checkout our Slack Community or visit our Slack Archive.

Describe the Feature

AWS IAM user created when user_enabled is set to true should have access to the AWS SSM path '/system_user/$USER/*

Expected Behavior

One should be able to retrieve any parameters using the following command:

VALUE=$(aws ssm get-parameters --names  /system_user/$USER/$PARAMETER --with-decryption --query Parameters[0].Value | sed -e 's/^"//' -e 's/"$//' )

Or read credentials using the following commands:

AK=$(aws ssm get-parameters --names  /system_user/$USER/access_key_id --with-decryption --query Parameters[0].Value | sed -e 's/^"//' -e 's/"$//' )
SK=$(aws ssm get-parameters --names  /system_user/$USER/secret_access_key --with-decryption --query Parameters[0].Value | sed -e 's/^"//' -e 's/"$//' )

Use Case

Useful for example to implement credential rotation or read any other parameters stored under the path, such as environment variable definitions.

Describe Ideal Solution

Add an additional policy to the user created, allowing it to read the SSM path under which the credentials are created.

Alternatives Considered

Creating a specific SSM policy and attach it to the user, but it's overall automation gets more complex.

Additional Context

None

[nitrocode]

Is this already completed by PR

• Fix website support, remove awsutils depenencies #158

terraform-aws-s3-bucket/main.tf

Line 347 in 424de84

module "s3_user" {

terraform-aws-s3-bucket/main.tf

Lines 356 to 357 in 424de84

	ssm_enabled = var.store_access_key_in_ssm
	ssm_base_path = var.ssm_base_path