Assumed role in AWS Lambda, access denied on SSM call

Played around with this today and got the following: dropping the s from ssm:GetParameters and using ssm:GetParameter seems to work when using the GetParameter action, i.e. AWS_PROFILE=pstore aws ssm get-parameter --name param_name. This weirded me out a bit because I cannot find this at all in the IAM action docs here. However, it does seem to work, and ssm is still a bit under-documented. Amazon has updated and moved its docs. The new docs include both ssm:GetParameters and ssm:GetParameter.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ssm:DescribeParameters"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ssm:GetParameter"
            ],
            "Resource": "arn:aws:ssm:eu-west-1:redacted:parameter/*",
            "Effect": "Allow"
        }
    ]
}

It really depends on the command you use in your Lambda.

If you use boto3.client('ssm').get_parameters(Names=[param1, param2]), then you need "Action": ["ssm:GetParameters"],

or alternatively when you use boto3.client('ssm').get_parameter(Name=param), you would need "Action": ["ssm:GetParameter"]


Ran into the same error today. The following Java code caused it when encrypted = false and paramName referred to an unencrypted parameter:

    GetParameterRequest request = new GetParameterRequest()
        .withName(paramName)
        .withWithDecryption(encrypted);
    GetParameterResult resultPacket = ssmClient.getParameter(request);

The fix was to create the unencrypted parameter request without setting the WithDecryption flag - GetParameterRequest request = new GetParameterRequest().withName(paramName);


In my case (I used AWS SDK for Go V2), I needed both ssm:GetParametersByPath and ssm:GetParameter to make it work.
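
The answers above come down to each SSM API call being authorized under its own IAM action name, with no prefix matching between ssm:GetParameter and ssm:GetParameters. The following pre-deployment check is an added example, not code from any of the answers: it is a simplified evaluator (Allow/Deny on Action and Resource only, no conditions, NotAction or permission boundaries), and the account ID, function names and method list are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# boto3 SSM client method -> IAM action the call is authorized under.
REQUIRED_ACTION = {
    "describe_parameters": "ssm:DescribeParameters",
    "get_parameter": "ssm:GetParameter",
    "get_parameters": "ssm:GetParameters",
    "get_parameters_by_path": "ssm:GetParametersByPath",
}

# Constructed sample: the policy shape from the first answer, with a
# placeholder account ID (111122223333) in place of the redacted one.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["ssm:DescribeParameters"], "Resource": "*", "Effect": "Allow"},
        {"Action": ["ssm:GetParameter"], "Effect": "Allow",
         "Resource": "arn:aws:ssm:eu-west-1:111122223333:parameter/*"},
    ],
}
PARAM_ARN = "arn:aws:ssm:eu-west-1:111122223333:parameter/param_name"

def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # Action names compare case-insensitively, resource ARNs case-sensitively.
    # fnmatch wildcards (* and ?) approximate IAM wildcards for typical ARNs.
    action_ok = any(fnmatchcase(action.lower(), a.lower())
                    for a in _as_list(stmt.get("Action", [])))
    resource_ok = any(fnmatchcase(resource, r)
                      for r in _as_list(stmt.get("Resource", [])))
    return action_ok and resource_ok

def is_allowed(policy, method, resource):
    """True if the policy allows the IAM action behind this boto3 method."""
    action = REQUIRED_ACTION[method]
    hits = [s for s in _as_list(policy["Statement"]) if _matches(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in hits):  # explicit Deny always wins
        return False
    return any(s["Effect"] == "Allow" for s in hits)

def missing_actions(policy, methods, resource):
    """IAM actions the Lambda role still lacks for the calls it makes."""
    return sorted(REQUIRED_ACTION[m] for m in methods
                  if not is_allowed(policy, m, resource))

if __name__ == "__main__":
    calls = ["get_parameter", "get_parameters", "get_parameters_by_path"]
    print(missing_actions(POLICY, calls, PARAM_ARN))
```

Running it against the sample policy reports that get_parameters and get_parameters_by_path would be denied, which is the AccessDenied case discussed in this thread.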