
So I've configured my lambda function's .yaml file like so:

AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: An AWS Serverless Specification template describing your function.
Resources:
  NewUser:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: NewUser/index.handler
      Runtime: nodejs8.10
      Environment:
        Variables:
          database_encrypt: ${ssm:databaseEncrypt}
          database_password: ${ssm:databasePassword}
          database_server: '8.8.8.8'
          database_user: ${ssm:databaseUser}
          database_version: ${ssm:databaseVersion}
      Description: ''
      MemorySize: 128
      Timeout: 15
      Role: 'arn:aws:iam::663404525923:role/LambdaRole'
      Events:
        LambdaMicroservice:
          Type: Api
          Properties:
            Path: /User/NewUser
            Method: ANY

and my lambda function looks like this:

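// Assumed: the `mssql` package, which matches this config shape and the sql.connect() call.
const sql = require('mssql');

// Connection settings are read from the Lambda environment variables set in the template.
var config = {
  user: process.env.database_user,
  password: process.env.database_password,
  server: process.env.database_server,
  database: process.env.database_version,
  options: {encrypt: true}
};

class UserService {

    constructor(){
        // Debug output only: this writes the password to the function's logs.
        console.log(config);
        console.log("test test test");
        // sql.connect() is a plain function call (no `new`); it returns a Promise for the pool.
        this.connectionPool = sql.connect(config);
    }
}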

and I can access the hard-coded database_server value just fine, but the ${ssm: [myParam] } command is interpreted as a string instead of following the path and accessing the value stored in SSM Parameter Store.

Most of the examples I see have long, complicated paths to point to their SSM Params, but as I am just trying to show that it is possible to access the SSM Params at all in this manner, I'm trying to keep it as simple as possible. I am also assuming that the ${ssm: [] } command is just not escaping at all, because I would expect an undefined value to be returned if no SSM Param was found at the defined path.

  • Just a heads up, that's not a Serverless Framework template, it's an AWS SAM template... If you were reading the Serverless docs, then reading the SAM docs may help. Commented Oct 23, 2019 at 22:56
  • so tbh I'm not sure what the difference between Serverless Framework and SAM is? We are supposed to be moving to serverless so maybe we are lowercase-s serverless and not Serverless™? Commented Oct 23, 2019 at 23:00
  • Does SAM prevent me from doing what I am trying to do entirely? Commented Oct 23, 2019 at 23:01
  • Both are open source frameworks for building serverless applications. SAM stands for "Serverless Application Model", which is Amazon specific, and you can read more about it here: aws.amazon.com/serverless/sam. Serverless Framework is platform independent, and supports many different providers; you can read more about it at serverless.com. Commented Oct 23, 2019 at 23:26
  • So if ${ssm: [paramName] } is the Serverless™ way to do it, what is the command to access the SSM Parameters using SAM? Commented Oct 23, 2019 at 23:51

1 Answer


SAM is a superset of CloudFormation, so the CloudFormation commands should work:

      Environment:
        Variables:
          database_encrypt: '{{resolve:ssm-secure:databaseEncrypt:1}}' 
          database_password: '{{resolve:ssm-secure:databasePassword:1}}' 

See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html


2 Comments

It seems SSM Secure reference is not supported for AWS::Lambda::Function or am I missing something?
Correct, secure parameters are not supported by CloudFormation - Perhaps consider Secrets Manager instead? aws.amazon.com/blogs/aws/…
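
As an added example (not code from the question or the answer), this check scans the `Variables:` block of a template and classifies each value into the cases discussed on this page: the Serverless Framework `${ssm:…}` form that SAM leaves as a literal string, the `ssm-secure` reference that is not supported for Lambda environment variables, and dynamic references that CloudFormation does resolve. The function name `lintEnvironment`, the verdict labels and the sample template are constructed for illustration, and the line-based scan assumes block-style YAML as in the question.

```javascript
// Added example: classify Lambda environment variable values in a SAM/CloudFormation template.
const RULES = [
  // Serverless Framework variable syntax; SAM passes it through as a literal string.
  { re: /\$\{ssm:[^}]*\}/, verdict: 'literal',
    why: 'Serverless Framework syntax, not resolved by SAM/CloudFormation' },
  // SecureString dynamic reference; not supported for Lambda environment variables.
  { re: /\{\{resolve:ssm-secure:[^}]*\}\}/, verdict: 'unsupported',
    why: 'ssm-secure is not supported for Lambda environment variables' },
  // Dynamic references that CloudFormation resolves when the stack is deployed.
  { re: /\{\{resolve:(ssm|secretsmanager):[^}]*\}\}/, verdict: 'resolved',
    why: 'resolved at deploy time; the value is stored in the function configuration' },
];

function lintEnvironment(templateText) {
  const findings = [];
  let varsIndent = -1; // indent of the current "Variables:" key, -1 when outside one
  templateText.split('\n').forEach((raw, i) => {
    if (!raw.trim()) return; // skip blank lines
    const indent = raw.length - raw.trimStart().length;
    if (/^\s*Variables:\s*$/.test(raw)) { varsIndent = indent; return; }
    if (varsIndent < 0) return;
    if (indent <= varsIndent) { varsIndent = -1; return; } // block ended
    const m = raw.match(/^\s*([\w-]+):\s*(.*?)\s*$/);
    if (!m) return;
    const value = m[2].replace(/^['"]|['"]$/g, ''); // drop surrounding quotes
    const rule = RULES.find((r) => r.re.test(value));
    findings.push({
      line: i + 1, name: m[1], value,
      verdict: rule ? rule.verdict : 'hard-coded',
      why: rule ? rule.why : 'no parameter reference found',
    });
  });
  return findings;
}

// Constructed sample combining the forms shown in the question and the answer.
const SAMPLE = [
  'Resources:',
  '  NewUser:',
  "    Type: 'AWS::Serverless::Function'",
  '    Properties:',
  '      Environment:',
  '        Variables:',
  '          database_user: ${ssm:databaseUser}',
  "          database_password: '{{resolve:ssm-secure:databasePassword:1}}'",
  "          database_version: '{{resolve:ssm:databaseVersion:1}}'",
  "          database_server: '8.8.8.8'",
  "      Description: ''",
].join('\n');

for (const f of lintEnvironment(SAMPLE)) console.log(`${f.line}: ${f.name} -> ${f.verdict} (${f.why})`);
```
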
