Notes on SSM Parameter Store
aws ssm put-parameter --name "DB_NAME" --value "myDb" --type String --overwrite
{
"Version": 1
}
aws ssm get-parameter --name "DB_NAME"
{
"Parameter": {
"Name": "THAVA_DB",
"LastModifiedDate": 1557121358.643,
"Value": "myrds",
"Version": 1,
"Type": "String",
"ARN": "arn:aws:ssm:us-east-1:027212312845:parameter/THAVA_DB"
}
}
# You can pipe the output to jq '.Parameter.Value' to extract just the value.
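# For a password, use --type SecureString with --key-id. You do not need to remember
# the key-id when reading the value back, as long as your IAM credentials are allowed
# to use the key.
# Passing the secret in --value on the command line leaves it in shell history and
# in process listings.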
aws ssm put-parameter --name "DB_PASSWORD" --value "secret123" \
  --type SecureString --key-id 333be3e-fb33-333e-fb33-3333f7b33f3
aws ssm get-parameter --name "DB_PASSWORD" --with-decryption
# Without --with-decryption, the Value in the result is still encrypted.
aws ssm put-parameter --name /myapp/dev/DB_NAME --value myDb --type String
aws ssm get-parameter --name /xom/THAVA_DB
{
"Parameter": {
"Name": "/xom/THAVA_DB",
"LastModifiedDate": 1557122324.174,
"Value": "myrdsdb",
"Version": 1,
"Type": "String",
"ARN": "arn:aws:ssm:us-east-1:027212312845:parameter/xom/THAVA_DB"
}
}
# If parameters are stored under a path, fetch everything below that path in one call:
aws ssm get-parameters-by-path --path /xom --with-decryption
{
"Parameters": [
{
"Name": "/xom/THAVA_DB",
"LastModifiedDate": 1557122324.174,
"Value": "myrdsdb",
"Version": 1,
"Type": "String",
"ARN": "arn:aws:ssm:us-east-1:027212312845:parameter/xom/THAVA_DB"
},
{
"Name": "/xom/THAVA_SEC",
"LastModifiedDate": 1557122303.475,
"Value": "myrds",
"Version": 1,
"Type": "SecureString",
"ARN": "arn:aws:ssm:us-east-1:027212312845:parameter/xom/THAVA_SEC"
}
]
}
#
# The default KMS key for the account has alias aws/ssm
#
aws kms describe-key --key-id alias/aws/ssm
{
"KeyMetadata": {
"Origin": "AWS_KMS",
"KeyId": "8bxxxxx-90c1-xxxx-b8f9-xxxxx",
"Description": "Default master key that protects my SSM parameters when no other key is defined",
"KeyManager": "AWS",
"Enabled": true,
"KeyUsage": "ENCRYPT_DECRYPT",
"KeyState": "Enabled",
"CreationDate": 1557121552.244,
"Arn": "arn:aws:kms:us-east-1:027212312845:key/8bxxxx-90c1-xxx-b8f9-xxxx",
"AWSAccountId": "027212312845"
}
}
# Some advanced usage:
aws ssm get-parameters --names key1 key2 --query "Parameters[*].{Name:Name,Value:Value}"
Output:
[
{
"Name": "key1",
"Value": "value1"
},
{
"Name": "key2",
"Value": "value2"
}
]
{
"Sid": "getParameter",
"Effect": "Allow",
"Action": [
"ssm:GetParameters"
],
"Resource": "arn:aws:ssm:<region>:<AWS_ACCOUNT_NUMBER>:parameter/<Parameter_Store_Key_Name>"
},
{
"Sid": "decryptKey",
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": "arn:aws:kms:<region>:<AWS_ACCOUNT_NUMBER>:key/<aws/ssm_Key_Id>"
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameter*"
],
"Resource": "arn:aws:ssm:us-west-2:111122223333:parameter/MyParameter"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"Condition": {
"StringEquals": {
"kms:EncryptionContext:PARAMETER_ARN":"arn:aws:ssm:us-west-2:111122223333:parameter/MyParameter"
}
}
}
]
}
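Note: to allow every parameter under a path, use a wildcard in the resource ARN:
"Resource": "arn:aws:ssm:us-west-2:111122223333:parameter/dev/*",
This matches all dev parameters, including any SecureString parameters stored under /dev/.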
// Read a single parameter from SSM Parameter Store using the AWS SDK for
// JavaScript callback API.
const AWS = require('aws-sdk');
const ssm = new AWS.SSM();

// Name is required. WithDecryption is false here, so a SecureString value is
// returned still encrypted; switch it to true to receive the plaintext.
const params = {
  Name: 'MY_PARAMETER',
  WithDecryption: false,
};

// NOTE(review): the success branch logs the whole response object. If
// WithDecryption is turned on, that writes the decrypted value to the log, so
// log only the fields you need in that case.
const request = ssm.getParameter(params, (err, data) => {
  if (err) {
    // An error occurred: print the error and its stack trace.
    console.log(err, err.stack);
    return;
  }
  // Successful response.
  console.log(data);
});
functions:
hello:
name: ${ssm:/path/to/service/myParam}-hello
handler: handler.hello
....
custom:
supersecret: ${ssm:/path/to/secureparam~true}
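Note: the ~true suffix indicates that this is a secure (SecureString) parameter and should be decrypted when the variable is resolved. The resolved plaintext is substituted wherever the variable is used, so avoid placing it where the rendered configuration is visible to people who should not see the secret.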
# If the secret is stored in AWS Secrets Manager instead, reference it through the
# /aws/reference/secretsmanager/ path:
custom:
supersecret: ${ssm:/aws/reference/secretsmanager/secret_ID_in_Secrets_Manager~true}