Retrieve Multiple SSM Parameters using a Lambda Function

AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings and license codes as parameter values. You can store values as plain text or encrypted data

SSM is nothing but a locker where you can keep all important secret things which you don't want to expose as publicly. In technical word AWS Systems Manager manages those API keys, secrets key or client key or token or DB credentials etc.

Solution Overview

We will go over the logic to use AWS Systems Manager to store application configuration data and securely access the data using an AWS Lambda function written in Node JS. We can further have a client application (Website or Mobile) that can consume a RESTful API hosted by AWS API Gateway which invokes this lambda function, but I will keep this solution simple.

Step 1: Create parameters in SSM

Let's create a few parameters using the AWS CLI (you can also use the AWS console) :

aws ssm put-parameter \
    --name "account_id" \
    --description "Account ID (12 digits) or account alias" \
    --type "String" \
    --value "1234567890" 
aws ssm put-parameter \
    --name "email" \
    --description "Root user email address" \
    --type "String" \
    --value ""
aws ssm put-parameter \
    --name "password" \
    --description "Root user password" \
    --type "SecureString" \
    --value "verysecure123"

After successfully executing each command above, you should get this output:

    "Version": 1,
    "Tier": "Standard"

Feel free to check out the parameters on the AWS Console by visiting the AWS Systems Manager service:

Step 2: IAM role to give permission to Lambda

In order to grant a Lambda function access to an SSM parameter, we have to attach an IAM policy to the function's execution role. The policy should grant permissions for all the Actions the function needs to perform on the SSM parameter.

a. Go to Services => IAM => Roles => Create Role

b. Select AWS services: Choose Lambda => Next

c. Select Permission: AmazonSSMReadOnlyAccess => Next

d. Enter Role Name: lambda_ssm_read_access => Create Role

The role will be created. We will use this permission in lambda function to access AWS SSM parameters

Step 3: Access parameters from Lambda function

Now we can finally create a function that retrieve parameters in json format. The function does not require re-deployment when the SSM Parameters values change, we will always pass just the keys to the function.

a. Go to Services => Lambda => Create Function => Enter Function Name: ssmParametersRetieval

b. Change default execution role => Use an existing role  => Select lambda_ssm_read_access role

c. Create function and paste the code below to access the parameters

exports.handler = async (event) => {
    // Input is an array of parameter names
    const parameterNames = ['account_id', 'email', 'password'];
    const parameters = await getParameters(parameterNames);
    return parameters;

const getParameters = async (parameterNames) => {
    const ssm = new (require('aws-sdk/clients/ssm'));

    const params = {
        Names: parameterNames,
        WithDecryption: true

    try {
        const parameters = await ssm.getParameters(params).promise();
        return formatParameters(parameters);
    } catch (e) {
        return e;

const formatParameters = (parameters) => {
    return parameters.Parameters.reduce((object, param) => {
        return { ...object, [param.Name]: param.Value };
    }, {});
Retrieve Multiple Parameters from AWS Parameter Store
  • We have a helper function to format the parameters as a JSON object.
  • We have a method getParameters() which retrieves all the parameters at once.
  • We create an array object with all parameters we want to retrieve.

d. Click Test  => Configure test event => Enter Event Name: test => Save

Test the Lambda function

We can click Test on the function console. If everything was setup correctly, you should see the parameters returned:

Note that in our lambda code we enabled decryption, thus our secure string is returned as a plain text value. Thanks for reading this post, feel free to reach out if you have any questions or queries.