# help
d
@Frank Think maybe there is a documentation error? It says, “Use the aws-ssm construct” is “Security: BEST”.
• However, if you use this method to get an SSM secret’s value into a Lambda, you would have to pass them in as an environment var and would NOT need to “Usage in Lambda: Fetch the SSM values inside a Lambda function using the AWS SDK” as the docs further read.
Perhaps there are two methods here:
1. Use aws-ssm construct to pass the ssm value at deploy time into something. (Security: it depends, secrets shouldn’t be stored in plain text as lambda env vars)
2. Pass the SSM parameter name into a Lambda as an env var. Then fetch that value inside the function using aws-sdk.
No?
t
I think you're right. I've personally not been passing anything in as an environment variable except for the SSM path. The lambda queries ssm directly on cold start - this is the most secure way of doing it
I'll take a look at that doc and see if we can clarify
d
ya that bullet seems to merge the two methods into one. because they use the aws-ssm construct and then say that you reference the value in the lambda with the SDK. However you only need to do one of the two.
f
@Dan Van Brunt Nice catch, the doc was wrong. But I think @Jay fixed it up yesterday. Can you try refreshing the doc and see if you see the updated version?
#3 should be fetching the SSM value in Lambda.