PluginPolicyAddError: Policies cannot be added for ssm at askExecRolePermissionsQuestions #12515

Open
2 tasks done
asmajlovicmars opened this issue Apr 22, 2023 · 5 comments
Labels
bug Something isn't working custom-cdk Issues related to custom CDK resource functionality functions Issues tied to the functions category ops-errors Operational theme: centralized error messaging p2

Comments

@asmajlovicmars

How did you install the Amplify CLI?

npm i amplify -g

If applicable, what version of Node.js are you using?

v18.12.1

Amplify CLI Version

11.0.5

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No manual changes made

Describe the bug

```
➜ mars git:(dev2) ✗ amplify add function
? Select which capability you want to add: Lambda function (serverless function)
? Provide an AWS Lambda function name: marsSubscribeToSf
? Choose the runtime that you want to use: NodeJS
? Choose the function template that you want to use: Hello World

Available advanced settings:

  • Resource access permissions
  • Scheduled recurring invocation
  • Lambda layers configuration
  • Environment variables configuration
  • Secret values configuration

? Do you want to configure advanced settings? Yes
? Do you want to access other resources in this project from your Lambda function? Yes
? Select the categories you want this function to have access to. api, ssm
? Api has 6 resources in this project. Select the one you would like your Lambda to access mars
? Select the operations you want to permit on mars create, read, update, delete
? Select the operations you want to permit on marsSSMParameters read
PluginPolicyAddError: Policies cannot be added for ssm
at askExecRolePermissionsQuestions (/snapshot/repo/build/node_modules/@aws-amplify/amplify-category-function/lib/provider-utils/awscloudformation/service-walkthroughs/execPermissionsWalkthrough.js:133:23)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at async Object.createWalkthrough (/snapshot/repo/build/node_modules/@aws-amplify/amplify-category-function/lib/provider-utils/awscloudformation/service-walkthroughs/lambda-walkthrough.js:53:83)
at async addFunctionResource (/snapshot/repo/build/node_modules/@aws-amplify/amplify-category-function/lib/provider-utils/awscloudformation/index.js:82:9)
at async Object.executeAmplifyCommand (/snapshot/repo/build/node_modules/@aws-amplify/amplify-category-function/lib/index.js:277:5)
at async executePluginModuleCommand (/snapshot/repo/build/node_modules/@aws-amplify/cli-internal/lib/execution-manager.js:135:5)
at async executeCommand (/snapshot/repo/build/node_modules/@aws-amplify/cli-internal/lib/execution-manager.js:33:9)
at async Object.run (/snapshot/repo/build/node_modules/@aws-amplify/cli-internal/lib/index.js:117:5)
There was an error adding the function resource
➜ marsconnected git:(dev2) ✗ amplify add functio
```

Expected behavior

Create the policy and allow read access to SSMParameters.

Reproduction steps

  1. following steps:

```
➜ mars git:(dev2) ✗ amplify add function
? Select which capability you want to add: Lambda function (serverless function)
? Provide an AWS Lambda function name: marsSubscribeToSf
? Choose the runtime that you want to use: NodeJS
? Choose the function template that you want to use: Hello World

Available advanced settings:

  • Resource access permissions
  • Scheduled recurring invocation
  • Lambda layers configuration
  • Environment variables configuration
  • Secret values configuration

? Do you want to configure advanced settings? Yes
? Do you want to access other resources in this project from your Lambda function? Yes
? Select the categories you want this function to have access to. api, ssm
? Api has 6 resources in this project. Select the one you would like your Lambda to access mars
? Select the operations you want to permit on mars create, read, update, delete
? Select the operations you want to permit on marsSSMParameters read
PluginPolicyAddError: Policies cannot be added for ssm
at askExecRolePermissionsQuestions (/snapshot/repo/build/node_modules/@aws-amplify/amplify-category-function/lib/provider-utils/awscloudformation/service-walkthroughs/execPermissionsWalkthrough.js:133:23)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at async Object.createWalkthrough (/snapshot/repo/build/node_modules/@aws-amplify/amplify-category-function/lib/provider-utils/awscloudformation/service-walkthroughs/lambda-walkthrough.js:53:83)
at async addFunctionResource (/snapshot/repo/build/node_modules/@aws-amplify/amplify-category-function/lib/provider-utils/awscloudformation/index.js:82:9)
at async Object.executeAmplifyCommand (/snapshot/repo/build/node_modules/@aws-amplify/amplify-category-function/lib/index.js:277:5)
at async executePluginModuleCommand (/snapshot/repo/build/node_modules/@aws-amplify/cli-internal/lib/execution-manager.js:135:5)
at async executeCommand (/snapshot/repo/build/node_modules/@aws-amplify/cli-internal/lib/execution-manager.js:33:9)
at async Object.run (/snapshot/repo/build/node_modules/@aws-amplify/cli-internal/lib/index.js:117:5)
There was an error adding the function resource
➜ marsconnected git:(dev2) ✗ amplify add functio
```

Project Identifier

Project Identifier: de52f9b914ddc148ef7ffbb3e2fb4ad3

Log output

# Put your logs below this line

PluginPolicyAddError: Policies cannot be added for ssm
    at askExecRolePermissionsQuestions (/snapshot/repo/build/node_modules/@aws-amplify/amplify-category-function/lib/provider-utils/awscloudformation/service-walkthroughs/execPermissionsWalkthrough.js:133:23)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
    at async Object.createWalkthrough (/snapshot/repo/build/node_modules/@aws-amplify/amplify-category-function/lib/provider-utils/awscloudformation/service-walkthroughs/lambda-walkthrough.js:53:83)
    at async addFunctionResource (/snapshot/repo/build/node_modules/@aws-amplify/amplify-category-function/lib/provider-utils/awscloudformation/index.js:82:9)
    at async Object.executeAmplifyCommand (/snapshot/repo/build/node_modules/@aws-amplify/amplify-category-function/lib/index.js:277:5)
    at async executePluginModuleCommand (/snapshot/repo/build/node_modules/@aws-amplify/cli-internal/lib/execution-manager.js:135:5)
    at async executeCommand (/snapshot/repo/build/node_modules/@aws-amplify/cli-internal/lib/execution-manager.js:33:9)
    at async Object.run (/snapshot/repo/build/node_modules/@aws-amplify/cli-internal/lib/index.js:117:5)
There was an error adding the function resource

Additional information

No response

Before submitting, please confirm:

  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.
@asmajlovicmars asmajlovicmars added the pending-triage Issue is pending triage label Apr 22, 2023
@ykethan ykethan added the functions Issues tied to the functions category label Apr 24, 2023
@ykethan
Member

ykethan commented Apr 24, 2023

Hey @asmajlovicmars, 👋 thank you for reaching out. Unfortunately, it is currently not directly possible to reference a custom CDK resource output in a Lambda function using the CLI workflow. A feature request is open for this support here: #9087

But we can achieve this via some manual lifting by modifying the backend-config.json. Please refer to #11824 (comment), which provides an example.

@ykethan ykethan added pending-response Issue is pending response from the issue author duplicate If marked with duplicate, issue will be closed & original will be added for traceability custom-cdk Issues related to custom CDK resource functionality labels Apr 24, 2023
@asmajlovicmars
Author

asmajlovicmars commented Apr 24, 2023

Thank you @ykethan for your response. The thing is that I was going through the CLI menu options, and I was offered to set up Secret values configuration, where I said that I wanted 𝝺 to have read access to SSMParameters. I can add the following code to a function's CloudFormation, but I thought the menu should not throw an exception, since I just followed the prompts.

```
{ "Effect": "Allow", "Action": ["ssm:GetParameter"], "Resource": "*" },
```

Thank you for the provided suggestion, I will look into it.
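Added example, not part of the original thread or the Amplify code base: the statement in the comment above grants `ssm:GetParameter` on every parameter in the account, so this sketch flags such wildcard SSM grants in a CloudFormation template and builds a statement scoped to one parameter path. The template, the logical ID `ExampleExecutionPolicy`, the path `/example/path` and the helper names are all assumptions made for illustration.

```javascript
// Constructed sample template; logical ID and parameter path are placeholders.
const sampleTemplate = { Resources: { ExampleExecutionPolicy: {
  Type: 'AWS::IAM::Policy',
  Properties: { PolicyDocument: { Version: '2012-10-17', Statement: [
    { Effect: 'Allow', Action: ['ssm:GetParameter'], Resource: '*' },
  ] } },
} } };

const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Collect policy documents from AWS::IAM::Policy resources and inline role policies.
function policyDocuments(template) {
  const docs = [];
  for (const [id, res] of Object.entries(template.Resources || {})) {
    const props = res.Properties || {};
    if (res.Type === 'AWS::IAM::Policy' && props.PolicyDocument) {
      docs.push({ id, doc: props.PolicyDocument });
    }
    if (res.Type === 'AWS::IAM::Role') {
      for (const p of asArray(props.Policies)) {
        if (p.PolicyDocument) docs.push({ id, doc: p.PolicyDocument });
      }
    }
  }
  return docs;
}

// Return every Allow statement that grants an ssm: (or "*") action on Resource "*".
function findBroadSsmGrants(template) {
  const findings = [];
  for (const { id, doc } of policyDocuments(template)) {
    for (const stmt of asArray(doc.Statement)) {
      if (stmt.Effect !== 'Allow') continue;
      const actions = asArray(stmt.Action).filter(
        (a) => typeof a === 'string' && /^(ssm:|\*$)/i.test(a));
      const wildcard = asArray(stmt.Resource).includes('*');
      if (actions.length && wildcard) findings.push({ resource: id, actions });
    }
  }
  return findings;
}

// Hypothetical helper: read-only statement limited to a single parameter path.
function scopedSsmStatement(paramPath) {
  const name = paramPath.replace(/^\/+/, ''); // the ARN carries no doubled slash
  const arn = 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/' + name;
  return { Effect: 'Allow', Action: ['ssm:GetParameter'], Resource: { 'Fn::Sub': arn } };
}

console.log(findBroadSsmGrants(sampleTemplate), scopedSsmStatement('/example/path'));
```

Swapping the flagged statement for the scoped one leaves the function able to read only the named parameter.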

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Apr 24, 2023
@ykethan
Member

ykethan commented Apr 24, 2023

Hey @asmajlovicmars, I do agree the error message should show an appropriate message rather than the stack trace. Marking this as a bug.

@ykethan ykethan added bug Something isn't working ops-errors Operational theme: centralized error messaging and removed pending-triage Issue is pending triage duplicate If marked with duplicate, issue will be closed & original will be added for traceability labels Apr 24, 2023
@josefaidt
Contributor

related #11802

@josefaidt josefaidt added the p2 label Apr 25, 2023
@josefaidt
Contributor

As a note for the fix, we should block selections for unsupported categories (custom, etc.) when attempting to grant Lambda access to other resources in the project:

```
? Select the categories you want this function to have access to. custom
🛑 Unable to select "custom" resources. "custom" resources are not currently supported.
```
