Anyone happen to know of anyway to sync ssm parame...
# help
g
Anyone happen to know of any way to sync SSM parameters from a root AWS account to every account in the org?
s
what I’ve done is made it so other AWS accounts can read SSM params in the root account. they’re not sync’d or copied. does that work for you?
g
That wouldn't work. I want to be able to use the CDK SSM to load parameters, and it doesn't support cross-account fetching.
s
ahh gotcha. yeah, I’m just fetching the SSM parameters in my code
f
Would it work if you fetched SSM across accounts using the AWS SDK at build time? Does that work for you?
g
Yeah, that might be the best. Not sure how to fetch SSM cross-account, so if either one of you could enlighten me on how to do that 😅
s
sure! so here’s the function I wrote to fetch SSM params from either the AWS account the stack is running on, or from the primary/parent AWS account:
that SSM_ROLE_ARN should be the ARN of the primary account’s IAM role that grants access to sub-accounts. it looks like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ssm:GetParameter",
      "Resource": "*"
    }
  ]
}
and for that IAM role’s trust relationship, you want this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<sub account ID>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}