going with a one-developer-per-AWS-account setup, is it possible to somehow have it so the various accounts could access certain SSM parameters in the primary account? like, if we have API keys or JWT secrets or things along those lines

Hey @Sam Hulick, are you planning to pass the decrypted SSM values to Lambda functions? (ie. set as Lambda enivronment)

@Frank yep, that’s the plan! it’s secure enough for me. grabbing SSM params at runtime can add a tiny bit of latency, if I’m not mistaken

Due to a limitation in CFN, it’s not possible to ask CFN to dynamically resolve encrypted SSM values and assign to Lambda environment - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#template-parameters-dynamic-patterns-resources

hmm. I was thinking I could use

@aws-sdk/client-ssm

.. which seems like it could work. I mean, using it at deploy time rather than runtime. but I don’t think I can tell the SSM client to use a different AWS account

Can you make an API call to SSM using the aws sdk in your SST code? Assuming the developers have permission to the SSM key in the primary account.

surprised

accountId

is not an option when instantiating the SSM client

^ as a side note, @thdxr mentioned he fetches SSM values in his Lambda function. He places it outside of the handler, so u only get hit with the latency when the Lambda container boots up.

This does require some weird hacks right now due to not having top level await. Will get that supported soon though

cool. that’s a bit better since it’s more secure.