Hi, I'm trying to use SSM encrypted parameter for ...
# helpj
Jonathan
01/27/2022, 1:36 PMHi, I'm trying to use SSM encrypted parameter for one of my secrets that is used in a (cron) Lambda, but when my function attempts to access it using the SDK, it says my Lambda doesn't have permission to access it. Are there any examples of how to give the permission in my infrastructure stack? I'm trying to use option 3 here: https://docs.serverless-stack.com/environment-variables#3-fetch-ssm-values-in-lambda-using-the-aws-sdk
t
thdxr
01/27/2022, 1:37 PMyou can add a policy statement
thdxr
01/27/2022, 1:37 PMthe error message should help
thdxr
01/27/2022, 1:38 PMbut it'll be something like this:
Copy code
const policy = new PolicyStatement({
resources: [`arn:aws:ssm:${app.region}:${app.account}:parameter${this.path}`
].
actions: ["*"],
effect: Effect.ALLOW,
})thdxr
01/27/2022, 1:38 PMer probably not "*" but I'm forgetting the action right now, it'll be in the error message
thdxr
01/27/2022, 1:38 PMbtw we'll probably add first class support for SSM soon
j
Jonathan
01/27/2022, 1:40 PMOK, thanks. And do I do anything with the policy statement once it's defined?
r
Ross Coundon
01/27/2022, 1:41 PMWe tend to import like:
Copy code
const someParam = StringParameter.fromSecureStringParameterAttributes(this, 'someParameter', {
parameterName: '/my/param/path,
encryptionKey,
}); Copy code
someParam.grantRead(myLambdaFunction);j
Jonathan
01/27/2022, 1:46 PM@Ross Coundon doesn't that implement option 2 in the link I shared above? I'm trying to read the param within my Lambda function and not have it be decrypted in the infrastructure stack. Or does this just make a wrapper around the parameter for the purpose of adding a read policy?
r
Ross Coundon
01/27/2022, 1:47 PMNo - this just grants the permission for the lambda to retrieve the value at runtime
t
thdxr
01/27/2022, 1:49 PMRoss's suggestion is better
j
Jonathan
01/27/2022, 2:41 PMThank you both!
2 Views