Retrieve Multiple SSM Parameters using a Lambda Function

AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings and license codes as parameter values. You can store values as plain text or encrypted data.

In plain terms, SSM Parameter Store is a locker where you keep the important secret values you do not want to expose publicly. Technically, AWS Systems Manager manages values such as API keys, secret keys, client keys, tokens and DB credentials.

Solution Overview

We will go over the logic to use AWS Systems Manager to store application configuration data and securely access the data using an AWS Lambda function written in Node.js. We could further have a client application (website or mobile) that consumes a RESTful API hosted by AWS API Gateway, which in turn invokes this Lambda function, but I will keep this solution simple.

Step 1: Create parameters in SSM

Let's create a few parameters using the AWS CLI (you can also use the AWS console):

aws ssm put-parameter \
    --name "account_id" \
    --description "Account ID (12 digits) or account alias" \
    --type "String" \
    --value "1234567890" 
aws ssm put-parameter \
    --name "email" \
    --description "Root user email address" \
    --type "String" \
    --value "thabo@test.com"
aws ssm put-parameter \
    --name "password" \
    --description "Root user password" \
    --type "SecureString" \
    --value "verysecure123"

After successfully executing each command above, you should get this output:

{
    "Version": 1,
    "Tier": "Standard"
}

Feel free to check out the parameters in the AWS Console by visiting the AWS Systems Manager service.

Step 2: IAM role to give permission to Lambda

In order to grant a Lambda function access to an SSM parameter, we have to attach an IAM policy to the function's execution role. The policy should grant permissions for all the actions the function needs to perform on the SSM parameter.

a. Go to Services => IAM => Roles => Create Role

b. Select AWS services: Choose Lambda => Next

c. Select Permission: AmazonSSMReadOnlyAccess => Next

d. Enter Role Name: lambda_ssm_read_access => Create Role

The role will be created. We will use this role in the Lambda function to access AWS SSM parameters.

Step 3: Access parameters from Lambda function

Now we can finally create a function that retrieves the parameters as a JSON object. The function does not require redeployment when the SSM parameter values change, because we only ever pass the parameter names (keys) to the function.

a. Go to Services => Lambda => Create Function => Enter Function Name: ssmParametersRetieval

b. Change default execution role => Use an existing role  => Select lambda_ssm_read_access role

c. Create function and paste the code below to access the parameters

const SSM = require('aws-sdk/clients/ssm'); // AWS SDK v2, bundled in the Node.js Lambda runtime
const ssm = new SSM();

exports.handler = async (event) => {
    // Parameter names can be passed in the event; fall back to the three we created in Step 1
    const parameterNames = Array.isArray(event.parameterNames)
        ? event.parameterNames
        : ['account_id', 'email', 'password'];
    return getParameters(parameterNames);
};

const getParameters = async (parameterNames) => {
    const params = {
        Names: parameterNames,   // at most 10 names per GetParameters call
        WithDecryption: true     // return SecureString values as plain text
    };

    try {
        const response = await ssm.getParameters(params).promise();
        // Names that do not exist are reported in InvalidParameters, not as an error
        if (response.InvalidParameters && response.InvalidParameters.length > 0) {
            throw new Error(`Unknown parameters: ${response.InvalidParameters.join(', ')}`);
        }
        return formatParameters(response);
    } catch (e) {
        console.error('Failed to retrieve SSM parameters', e);
        throw e; // rethrow so the invocation fails instead of returning the error as data
    }
};

const formatParameters = (response) => {
    // Collapse the Parameters array into a { name: value } object
    return response.Parameters.reduce((object, param) => {
        return { ...object, [param.Name]: param.Value };
    }, {});
};

Retrieve Multiple Parameters from AWS Parameter Store

  • We have a helper function to format the parameters as a JSON object.
  • We have a method getParameters() which retrieves all the parameters at once.
  • We create an array object with all parameters we want to retrieve.
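As an added example (not code from the original post), here is a version of the retrieval that handles two things the basic call above does not: the GetParameters limit of 10 names per request, and names that do not exist, which SSM reports in InvalidParameters rather than as an error. It also caches values for a short TTL across warm invocations so the function does not call SSM on every request. The SSM client is injected; `fakeSsm` and its sample store are constructed for offline use and are assumptions, not an AWS API.

```javascript
// Added example (not the post's own code): batch retrieval that honours the
// GetParameters limit of 10 names per call, fails on names that do not exist
// (InvalidParameters) instead of silently dropping them, and caches values for
// a short TTL so warm Lambda invocations do not hit SSM on every request.
// The SSM client is injected so the logic runs offline against a fake; in
// Lambda pass `new (require('aws-sdk/clients/ssm'))()`.
const MAX_NAMES_PER_CALL = 10; // hard limit of the GetParameters API
const cache = new Map();       // name -> { value, expiresAt }

function chunk(names, size) {
  const out = [];
  for (let i = 0; i < names.length; i += size) out.push(names.slice(i, i + size));
  return out;
}

async function fetchParameters(ssm, names, { ttlMs = 60000, now = Date.now } = {}) {
  const result = {};
  const missing = [];
  for (const name of names) {
    const hit = cache.get(name);
    if (hit && hit.expiresAt > now()) result[name] = hit.value;
    else missing.push(name);
  }
  const invalid = [];
  for (const batch of chunk(missing, MAX_NAMES_PER_CALL)) {
    // WithDecryption: true returns SecureString values as plain text
    const resp = await ssm.getParameters({ Names: batch, WithDecryption: true }).promise();
    for (const p of resp.Parameters || []) {
      result[p.Name] = p.Value;
      cache.set(p.Name, { value: p.Value, expiresAt: now() + ttlMs });
    }
    invalid.push(...(resp.InvalidParameters || []));
  }
  if (invalid.length) throw new Error(`Unknown SSM parameters: ${invalid.join(', ')}`);
  return result;
}

// Fake client for the offline run: constructed sample store, not real SSM.
function fakeSsm(store) {
  let calls = 0;
  return {
    calls: () => calls,
    getParameters: ({ Names }) => ({ promise: async () => {
      calls++;
      const found = Names.filter((n) => n in store).map((n) => ({ Name: n, Value: store[n] }));
      return { Parameters: found, InvalidParameters: Names.filter((n) => !(n in store)) };
    } }),
  };
}
```

Cached values live only in the function's memory for `ttlMs`, so a rotated SecureString is picked up after at most that long; keep the TTL short for credentials.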

d. Click Test => Configure test event => Enter Event Name: test => Save

Test the Lambda function

We can click Test on the function console. If everything was set up correctly, you should see the parameters returned.

Note that in our Lambda code we enabled decryption, so our SecureString is returned as a plain-text value. Thanks for reading this post; feel free to reach out if you have any questions or queries.