How do you guys go about granting access to encrypted parameters in Systems Manager - Parameter Store? We currently store the path to the parameter in an env var and then do:

const kmsKey = Key.fromKeyArn(this, 'kmsKey', process.env.KMS_KEY_ARN);
const someParam = ssm.StringParameter.fromSecureStringParameterAttributes(this, 'theParam', {
  parameterName: process.env.THE_PARAM_PATH,
  encryptionKey: kmsKey,
  version: parseInt(process.env.THE_PARAM_VERSION),
});
// define some functions
kmsKey.grantDecrypt(theFunction);
fsmCredsParam.grantRead(theFunction);

(In actual fact, rather than storing the version in a separate env var, we store it like /some/path/to/param:2 and split it around the colon.) However, the problem with this is that the developer needs to update the env vars each time the parameter is changed to reflect the new parameter version which is a manual step that can (and does) get forgotten. The version is mandatory and you can't specify a wildcard. Is there a slicker way of doing this?

Hey @Ross Coundon, hmm.. doesn’t seem to be supported by CDK at the moment. Fetching using a custom resources seems to be the suggested work from this thread https://github.com/aws/aws-cdk/issues/9793

Thanks Frank, I'll dig into that

Reading that thread, ppl seems to suggest that version is not required by CFN, but only required in CDK

How would I go about overriding?

If u share a snippet of ur CFN that’s using

{{resolve:ssm-secure:…}}

, I can share more detail. But he general concept is if u get a hold of the construct, u can do this:

const cfnResource = constructX.node.defaultChild as core.CfnResource;

cfnResource.addOverride("Properties.xxxx.xxxx", "{{resolve:ssm-secure:ParamName:}}")

I see, nice, I'll have a play

yup yup, just do a quick

sst build

run first and see if it is using

{{resolve:ssm-secure:…}}

Cool - wonder why they've added it, maybe I'll ask in the cdk group