Cross account access to SSM parameters


I followed the instructions mentioned in an AWS developer forum post (now no longer available).

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParametersByPath",
                "ssm:GetParameters",
                "ssm:GetParameter"
            ],
            "Resource": "arn:aws:ssm:eu-central-1:XXXXXXXXXX:parameter/some-root/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ssm:DescribeParameters",
            "Resource": "*"
        }
    ]
}

I attached the policy to the target account in a role.

When I get the parameters from the source account it works; however, I can't access them from the target account.

C:\Users\my-home>aws ssm get-parameters-by-path --path "/some-root/" --profile aws-acc-src
{
    "Parameters": [
        {
            "Name": "/some-root/dev",
            "Type": "SecureString",
            "Value": "AQICAHh5z4qygT6rbxBnR/PmJn811vO30kBJNB+JrB1tdKNBeAEHFLSQDpTMsRMc1l0D8lXYAAAAYTBfBgkqhkiG9w0BBwagUjBQAgEAMEsGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM+Qmz5FoNcESEXabnAgEQgB6MdOlb545EPN61QqA50w7rH3sghmNWvxsLPPneHEA=",
            "Version": 1,
            "LastModifiedDate": "2020-10-06T16:03:32.637000+03:00",
            "ARN": "arn:aws:ssm:eu-central-1:XXXXXXXX:parameter/some-root/dev"
        }
    ]
}

aws ssm get-parameters-by-path --path "/some-root/" --with-decryption --profile aws-acc-src
{
    "Parameters": [
        {
            "Name": "/some-root/dev",
            "Type": "SecureString",
            "Value": "foo",
            "Version": 1,
            "LastModifiedDate": "2020-10-06T16:03:32.637000+03:00",
            "ARN": "arn:aws:ssm:eu-central-1:XXXXXXXX:parameter/some-root/dev"
        }
    ]
}

aws ssm get-parameters-by-path --path "/some-root/" --with-decryption --profile aws-acc-target
{
    "Parameters": []
}

There are 3 answers

Jatin Mehrotra (best answer)

Update [2024/02]

It is now possible to share SSM Parameter Store parameters between accounts.

https://aws.amazon.com/about-aws/whats-new/2024/02/aws-systems-manager-parameter-store-cross-account-sharing/

Now, you can maintain a single source of truth for configuration data by sharing parameters with other accounts that need access rather than manually duplicating and synchronizing data across accounts.

  • Probably this should be the accepted answer
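To make the failure in the question concrete, here is an added toy model (not AWS's evaluation engine and not code from the answer) of the rule that explains it: an identity-based policy only ever grants access within the caller's own account, and reaching a parameter owned by another account additionally needs that owner's grant, which is what the RAM sharing feature linked above provides. The account IDs are constructed placeholders.

```python
"""Toy model of cross-account IAM evaluation for the question's policy.
Constructed example: the account IDs are placeholders, and the evaluator
only implements the one rule the question runs into."""
import fnmatch
import json

SOURCE_ACCOUNT = "111111111111"   # placeholder for the account that owns /some-root/
TARGET_ACCOUNT = "222222222222"   # placeholder for the account that wants to read it

# The question's policy, with the placeholder source account filled in.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ssm:GetParametersByPath", "ssm:GetParameters", "ssm:GetParameter"],
     "Resource": "arn:aws:ssm:eu-central-1:111111111111:parameter/some-root/*"},
    {"Effect": "Allow", "Action": "ssm:DescribeParameters", "Resource": "*"}
  ]}""")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def identity_allows(policy, action, resource_arn):
    """True if some Allow statement matches both action and resource.
    IAM's '*' and '?' wildcards map onto fnmatch; good enough for ARNs."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(st["Resource"]))
        if action_hit and resource_hit:
            return True
    return False


def arn_account(arn):
    """Account ID is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


def cross_account_allowed(policy, caller_account, action, resource_arn, shared_with=()):
    """Same-account access needs only the caller's identity policy.
    Cross-account access also needs the owning account's grant, here modelled
    as the set of accounts the parameter has been shared with (RAM share).
    Without that grant the target account's call in the question sees only
    its own, empty, /some-root/ path."""
    if not identity_allows(policy, action, resource_arn):
        return False
    if arn_account(resource_arn) == caller_account:
        return True
    return caller_account in shared_with
```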
ManojKumarAlagudurai

It looks like the parameter store doesn't support cross-account access. Alternatively, you can use Secrets Manager to share secrets between different AWS accounts.

https://medium.com/awesome-cloud/aws-difference-between-secrets-manager-and-parameter-store-systems-manager-f02686604eae

jaferrando

I'd recommend creating the parameter in all accounts using a CloudFormation StackSet. That is an easy way to distribute it to accounts and regions and to apply and maintain the value in sync across all of them.

I'd also put a feature request through AWS Support (I'll do so myself). The more requests for the feature, the more probable it gets implemented in the future.