https://serverless-stack.com/ logo
#help
Title
# help
r

Ross Coundon

12/24/2021, 7:34 AM
How do you guys go about granting access to encrypted parameters in Systems Manager - Parameter Store? We currently store the path to the parameter in an env var and then do:
Copy code
const kmsKey = Key.fromKeyArn(this, 'kmsKey', process.env.KMS_KEY_ARN);
const someParam = ssm.StringParameter.fromSecureStringParameterAttributes(this, 'theParam', {
  parameterName: process.env.THE_PARAM_PATH,
  encryptionKey: kmsKey,
  version: parseInt(process.env.THE_PARAM_VERSION),
});
// define some functions
kmsKey.grantDecrypt(theFunction);
fsmCredsParam.grantRead(theFunction);
(In actual fact, rather than storing the version in a separate env var, we store it like /some/path/to/param:2 and split it around the colon.) However, the problem with this is that the developer needs to update the env vars each time the parameter is changed to reflect the new parameter version which is a manual step that can (and does) get forgotten. The version is mandatory and you can't specify a wildcard. Is there a slicker way of doing this?
f

Frank

12/24/2021, 7:59 AM
Hey @Ross Coundon, hmm.. doesn’t seem to be supported by CDK at the moment. Fetching using a custom resources seems to be the suggested work from this thread https://github.com/aws/aws-cdk/issues/9793
r

Ross Coundon

12/24/2021, 8:07 AM
Thanks Frank, I'll dig into that
f

Frank

12/24/2021, 8:07 AM
Reading that thread, ppl seems to suggest that version is not required by CFN, but only required in CDK
I wonder if u can override the CloudFormation value in CDK
If u want to give that a try, u can run
sst build
, inspect the CFN template in
.build/cdk.out
, look for something like
{{resolve:ssm-secure:ParamName:Version}}
And then in ur CDK code, see if u can override that to just
{{resolve:ssm-secure:ParamName:}}
r

Ross Coundon

12/24/2021, 8:10 AM
How would I go about overriding?
f

Frank

12/24/2021, 8:14 AM
If u share a snippet of ur CFN that’s using
{{resolve:ssm-secure:…}}
, I can share more detail. But he general concept is if u get a hold of the construct, u can do this:
Copy code
const cfnResource = constructX.node.defaultChild as core.CfnResource;

cfnResource.addOverride("Properties.xxxx.xxxx", "{{resolve:ssm-secure:ParamName:}}")
r

Ross Coundon

12/24/2021, 8:14 AM
I see, nice, I'll have a play
f

Frank

12/24/2021, 8:15 AM
yup yup, just do a quick
sst build
run first and see if it is using
{{resolve:ssm-secure:…}}
And here’s the CFN doc that seems to say version is not required for
resolve:ssm-secure
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-ssm-secure-strings
r

Ross Coundon

12/24/2021, 8:16 AM
Cool - wonder why they've added it, maybe I'll ask in the cdk group
Support for optional versions is on the way https://github.com/aws/aws-cdk/pull/18187