ssm: malformed ARNs for parameters with physical names that use path notation

[balkat]

Code that was working is suddenly failing on an IAM mismatch. We suspect a CDK update is the culprit.
Currently working to isolate it. The "proof" is in the Error Log section below.
Have reproduced the error using a minimum of independent code, shown below.

Reproduction Steps

const role = new Role(this, 'myRole', {
  assumedBy: new ServicePrincipal('lambda.amazonaws.com'),
})

const param = new StringParameter(this, 'myParam', {
  stringValue: 'myValue',
  parameterName: '/path/to/parameter',
})

const readSsmStatement = new PolicyStatement({ effect: Effect.ALLOW })
readSsmStatement.addActions('ssm:DescribeParameters', 'ssm:GetParameter')
readSsmStatement.addResources(param.parameterArn)

role.addToPolicy(readSsmStatement)

Deploy this and you will see the double // in the Resource section of the policy statement

Error Log

AccessDeniedException: User: [redacted] is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-west-2:[redacted]:parameter/x/y/z

Where the generated IAM role contains:
{
"Action": [
"ssm:DescribeParameters",
"ssm:GetParameter"
],
"Resource": "arn:aws:ssm:us-west-2:[redacted]:parameter//x/y/z"
"Effect": "Allow"
}

Note the double // in the parameter ARN. Manually edititng the role in the console fixes the problem. We cannot, however get CDK to generate it properly.

Environment

• CLI Version :aws-cli/1.16.107 Python/2.7.16 Darwin/18.7.0 botocore/1.12.97
• Framework Version:1.15.0
• OS :MacOS on desktop and Ubuntu in CI pipeline (both affected)
• Language :typescript

Other

---

This is 🐛 Bug Report

[tbartley]

Suspect this is related to #4685

[tbartley]

And to confirm, we're only seeing the issue since 1.15.0 - 1.14.0 doesn't exhibit the despite my colleague's opening post saying 1.14.0 shows the issue.

[balkat]

Confirmed that fix #4685 for #4672 has caused the new problem: The reason being the way SSM treats paths:
An ssm parameter can be “pathless” as in blah-blah-blah or fully-qualified as in /blah/blah/blah but not an un-rooted path as in blah/blah/blah. What this means is that CDK must prepend a '/' to the parameter when constructing the ARN if it has no leading '/', but not otherwise.

[eladb]

WIP

[eladb]

The issue here stems from the fact that SSM parameter names can have one of two forms:

1. “simpleName”
2. “/path/name”

This makes it tricky (albeit not impossible) to render an ARN for the parameter is the name is an unresolvable token (such as a “Ref”) because we can’t decide whether a “/“ separator is required in the ARN.

Luckily, in the use case above and in “fromXxx” methods where the user provides a concrete value for physical name, we can use this as a hint to determine the ARN separator.

The only case where this is impossible is if the physical name is a token, in which case we should be able to synthesize a CloudFormation condition which will parse the token during deployment.

[eladb]

The issue here stems from the fact that SSM parameter names can have one of two forms:

1. “simpleName”
2. “/path/name”

This makes it tricky (albeit not impossible) to render an ARN for the parameter is the name is an unresolvable token (such as a “Ref”) because we can’t decide whether a “/“ separator is required in the ARN.

Luckily, in the use case above and in “fromXxx” methods where the user provides a concrete value for physical name, we can use this as a hint to determine the ARN separator.

The only case where this is impossible is if the physical name is a token, in which case we should be able to synthesize a CloudFormation condition which will parse the token during deployment.