Retrieves parameters from AWS Systems Manager Parameter Store.
The best use case is to place this Lambda before a state in a Step Functions workflow that accepts configuration, such as a username and password, as input. The application secrets then stay in AWS Parameter Store rather than in the Step Function's state machine code.
Following the principle of least privilege, there are two options that restrict which parameters the AWS Lambda function can access in Parameter Store.
- ParametersPrefix - Only allow access to parameters with a certain prefix in Parameter Store.
- Tag Keys List - Only allow access to parameters that carry certain tags. Accepts a comma-delimited list of tag keys.
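One way to express these two restrictions as an IAM policy for the function's execution role. This is an added example, not the project's own template: the region, account ID, prefix and tag keys are constructed values, and treating the tag list as "any listed key qualifies" is an assumption.

```javascript
// Added example: least-privilege IAM policy for the getter Lambda's role.
// All sample values below (region, account ID, prefix, tags) are constructed.

// SSM parameter ARNs drop the leading "/" of a hierarchical name:
// "/myapp/prod/db" -> arn:aws:ssm:<region>:<account>:parameter/myapp/prod/db
function prefixToResource(region, accountId, prefix) {
  const trimmed = prefix.trim().replace(/^\/+/, "").replace(/\/+$/, "");
  if (!trimmed || /[*?]/.test(trimmed)) {
    throw new Error("prefix must be non-empty and contain no wildcards");
  }
  // End on "/*" so that "myapp" does not also match "myapp-other/...".
  return `arn:aws:ssm:${region}:${accountId}:parameter/${trimmed}/*`;
}

// "team, env ,," -> ["team", "env"]
function parseTagKeys(list) {
  return (list || "").split(",").map((k) => k.trim()).filter(Boolean);
}

function buildPolicy({ region, accountId, parametersPrefix, tagKeysList }) {
  const tagKeys = parseTagKeys(tagKeysList);
  if (!parametersPrefix && tagKeys.length === 0) {
    throw new Error("refusing to grant access to every parameter");
  }
  const resource = parametersPrefix
    ? prefixToResource(region, accountId, parametersPrefix)
    : `arn:aws:ssm:${region}:${accountId}:parameter/*`;
  const base = { Effect: "Allow", Action: ["ssm:GetParameters"], Resource: resource };
  // Assumption: a parameter qualifies if it carries ANY listed tag key, so
  // each key gets its own statement (keys inside one Condition are ANDed).
  const statements = tagKeys.length
    ? tagKeys.map((key) => ({
        ...base,
        Condition: { StringLike: { [`ssm:resourceTag/${key}`]: "*" } },
      }))
    : [base];
  return { Version: "2012-10-17", Statement: statements };
}

const samplePolicy = buildPolicy({
  region: "us-east-1",
  accountId: "111122223333",
  parametersPrefix: "/myapp/prod/",
  tagKeysList: "stepfunctions, shared",
});
console.log(JSON.stringify(samplePolicy, null, 2));
```

When `withDecryption` is true and the SecureString parameters are encrypted under a customer managed KMS key, the role also needs `kms:Decrypt` on that key.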
Input:

```json
{
  "param": [
    "random-input-a",
    "random-input-b"
  ],
  "withDecryption": true
}
```

Output:

```json
{
  "random-input-a": "<Value from Parameter Store>",
  "random-input-b": "<Value from Parameter Store>"
}
```
Deploy manually using the source code (index.js), or deploy it directly from the AWS Serverless Application Repository under the name ssm-parameters-getter-lambda. Remember to check "Show apps that create custom IAM roles or resource policies", as this Lambda requires an additional role.
- How to publish on SAR - https://docs.aws.amazon.com/serverlessrepo/latest/devguide/serverlessrepo-how-to-publish.html
- Documentation on SAR Template - https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md