great-sunset-355

12/08/2022, 10:24 AM
Hi, I am experiencing weird behaviour. I have an IAM policy like this:
{
    "Statement": [
        {
            "Action": "ssm:DescribeParameters",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/pulumi_project": "sandbox",
                    "aws:ResourceTag/pulumi_stack": "dev",
                    "aws:ResourceTag/tier": "dev"
                }
            },
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/pulumi_project": "sandbox",
                    "aws:RequestTag/pulumi_stack": "dev",
                    "aws:RequestTag/tier": "dev"
                }
            },
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}
and my Pulumi code is deploying SSM parameters:
const dbParams = [
  { role: ro, type: "ro", endpoint: args.masterHostReadOnly },
  { role: rw, type: "rw", endpoint: args.masterHost },
  { role: mig, type: "mig", endpoint: args.masterHost },
].map(({ role, type, endpoint }) => {
  const ssmPrefix = `ecs/${namespace}/db/${clusterName}/${type}`;

  return [
    { name: "pguser", value: role.name },
    { name: "pgpassword", value: role.password },
    { name: "pghost", value: endpoint },
    { name: "pgdatabase", value: db.name },
    { name: "pgport", value: DefaultPort.toString() },
    { name: "pgssl", value: "true" },
  ].map((p) => {
    const param = new aws.ssm.Parameter(
      rcName(`${type}-${p.name.replace("/", "-")}`),
      {
        name: `/${ssmPrefix}/${databaseName === "service" ? "" : `${databaseName}_`}${p.name}`,
        type: "SecureString",
        // Resolve the input and fail loudly if it is empty or undefined.
        value: pulumi.output(p.value).apply((v) => {
          if (!v)
            throw Error(`Missing value for RdsClusterDatabase parameter: ${p.name}`);
          return `${v}`;
        }),
        tags,
      },
      { parent: role }
    );
    return { name: p.name.toUpperCase(), arn: param.arn };
  });
});
However, sometimes during the initial deployment one or more parameters fail with this error:
error reading SSM Parameter (/ecs/main/db/sandbox/ro/pguser): AccessDeniedException: User: arn:aws:sts::<accounted>:assumed-role/pulumi-ci-sandbox-role/dev-jan-Session is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-central-1:<accountId>:parameter/ecs/main/db/sandbox/ro/pguser because no identity-based policy allows the ssm:GetParameter action
        status code: 400, request id: 30c9a9dd-23af-4bb5-b4e7-a6801667db51
then the second run of pulumi up just works. Other times the error is triggered inside apply:
Error: Missing value for RdsClusterDatabase parameter: pghost
Can anyone tell me how to debug this?
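As an added example (not from the post and not Pulumi or AWS code), a simplified Python model of how the two tag-conditioned statements in the policy above are evaluated: every key inside one StringEquals block must match, and a read of an existing parameter only carries aws:ResourceTag keys in its request context, so a parameter whose tags do not all match is denied ssm:GetParameter. It models Allow statements only and ignores Deny, NotAction and policy variables; the request contexts at the bottom are constructed.

```python
import fnmatch

# The post's policy (trailing comma removed so it is valid JSON/Python).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:DescribeParameters", "Resource": "*"},
        {"Effect": "Allow", "Action": ["*"], "Resource": "*",
         "Condition": {"StringEquals": {
             "aws:ResourceTag/pulumi_project": "sandbox",
             "aws:ResourceTag/pulumi_stack": "dev",
             "aws:ResourceTag/tier": "dev"}}},
        {"Effect": "Allow", "Action": ["*"], "Resource": "*",
         "Condition": {"StringEquals": {
             "aws:RequestTag/pulumi_project": "sandbox",
             "aws:RequestTag/pulumi_stack": "dev",
             "aws:RequestTag/tier": "dev"}}},
    ],
}


def _action_matches(patterns, action):
    # "Action" may be a string or a list; "*" and "ssm:*" style globs apply.
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _condition_holds(condition, context):
    # All keys in one StringEquals block must match (AND). A key that is
    # absent from the request context never matches.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True


def is_allowed(policy, action, context):
    """Simplified model: allowed if any Allow statement matches the action
    and its conditions hold for the given request-context keys."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or not _action_matches(stmt["Action"], action):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


# Constructed request contexts: a read of an existing parameter exposes only
# the resource's tags, so the RequestTag statement cannot apply to it.
FULLY_TAGGED = {"aws:ResourceTag/pulumi_project": "sandbox",
                "aws:ResourceTag/pulumi_stack": "dev",
                "aws:ResourceTag/tier": "dev"}
ONE_TAG_OFF = dict(FULLY_TAGGED, **{"aws:ResourceTag/tier": "prod"})
```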