{"id":3623,"date":"2020-02-26T15:54:40","date_gmt":"2020-02-26T07:54:40","guid":{"rendered":"https:\/\/www.ookangzheng.com\/?p=3623"},"modified":"2020-05-24T15:58:02","modified_gmt":"2020-05-24T07:58:02","slug":"how-aws-lambda-works-with-ssm-secure-string","status":"publish","type":"post","link":"https:\/\/www.ookangzheng.com\/how-aws-lambda-works-with-ssm-secure-string\/","title":{"rendered":"How AWS Lambda works with SSM Secure string"},"content":{"rendered":"\n

Env: VS Code, Mbpr, aws-cdk:1.25.0, TypeScript<\/p>\n\n\n\n

Implementation<\/h2>\n\n\n\n

By default, I hoped I could inject an SSM secure string into a Lambda. Unfortunately, I failed; here is my CDK code.<\/p>\n\n\n\n

\/\/ cdk.ts\n\nconst getXXX = new lambda.Function(this, \"gsssus\", {\n        runtime: lambda.Runtime.NODEJS_10_X,\n        code: lambda.AssetCode.fromAsset(\"lambda\"),\n        handler: \"entry_point\/gsss.handler\",\n        vpc: vpc,\n        memorySize: 256,\n        timeout: cdk.Duration.seconds(30),\n        environment: {\n          NODE_ENV: \"dev\",\n          PrivateKey: ssm.StringParameter.valueForSecureStringParameter(this, \"\/xxx_KEY\",1)\n\n        }\n        \n      });\n\n      getXXX.role?.addToPolicy(\n        new iam.PolicyStatement({\n          actions: [\"ssm:*\"],\n          resources: [\"arn:aws:ssm:ap-xxxx-1:12345678:parameter\/xxxkey\/*\"]\n        })\n      )<\/code><\/pre>\n\n\n\n

Solution<\/h2>\n\n\n\n

Inside my Lambda code, I have to use the AWS SDK and call SSM to get the secure string every time the Lambda function is called.<\/p>\n\n\n\n

\/\/ src\/index.handler\n\nconst AWS = require(\"aws-sdk\");\nconst sm = new AWS.SSM();\n\nconst handler = async (event, context, callback) => {\n    try {\n        \/\/ Fetch and decrypt the SecureString at invocation time\n        const sbPrivateKey = await sm.getParameter({\n          Name: \"\/xxx\/PRIVATE_KEY\",\n          WithDecryption: true,\n        }).promise();\n        \/\/ Demo only: this writes the decrypted value to CloudWatch Logs\n        console.log(sbPrivateKey.Parameter.Value);\n    } catch (e)  {\n        \/\/ Log the failure and rethrow so the invocation is reported as failed\n        console.error(e);\n        throw e;\n    }\n};\n\nmodule.exports.handler = handler;<\/code><\/pre>\n\n\n\n

This is a CloudFormation limitation; see\u00a0https:\/\/docs.aws.amazon.com\/AWSCloudFormation\/latest\/UserGuide\/parameters-section-structure.html#aws-ssm-parameter-types<\/a><\/p>\n\n\n\n

","protected":false},"excerpt":{"rendered":"

Env: VScode, Mbpr, aws-cdk:1.25.0, Typescript Implementation By default I hope I can inject SSM secure string to a Lambda, unfortunately,…<\/p>\n","protected":false},"author":1,"featured_media":3626,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[93,43],"tags":[],"class_list":["post-3623","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aws","category-dev"],"_links":{"self":[{"href":"https:\/\/www.ookangzheng.com\/wp-json\/wp\/v2\/posts\/3623","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ookangzheng.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ookangzheng.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ookangzheng.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ookangzheng.com\/wp-json\/wp\/v2\/comments?post=3623"}],"version-history":[{"count":0,"href":"https:\/\/www.ookangzheng.com\/wp-json\/wp\/v2\/posts\/3623\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ookangzheng.com\/wp-json\/wp\/v2\/media\/3626"}],"wp:attachment":[{"href":"https:\/\/www.ookangzheng.com\/wp-json\/wp\/v2\/media?parent=3623"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ookangzheng.com\/wp-json\/wp\/v2\/categories?post=3623"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ookangzheng.com\/wp-json\/wp\/v2\/tags?post=3623"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}