How to Pull Resources from AWS SSM Parameter Store in AWS SAM

iAmSherif 💎 - Oct 11 - Dev Community

Introduction

In this article, I'll guide you through the process of retrieving a DynamoDB table name stored in AWS Systems Manager Parameter Store (SSM Parameter Store) using an AWS SAM template (template.yml). Additionally, I’ll show how to use this parameter in our code and how to add the required IAM permissions to the function.

What is AWS Systems Manager Parameter Store?

AWS Systems Manager Parameter Store is a service that provides secure, hierarchical storage for managing configuration data and secrets. It allows you to store values like passwords, database strings, Amazon Machine Image (AMI) IDs, and other sensitive information as parameters. These values can be stored as plain text or encrypted, and referenced in scripts, AWS Lambda functions, and other AWS services by their unique parameter names.

Creating a Parameter in AWS Systems Manager Parameter Store

We will create a parameter to hold our DynamoDB table name in the SSM Parameter Store.

Steps:

  1. In the AWS Management Console, search for Systems Manager.
  2. Under the Application Management section, select Parameter Store.
  3. Click the Create Parameter button on the left side.
  4. Name the parameter /my/database/name.
  5. Set the type to String, and enter the DynamoDB table name as the value.
  6. Click Create Parameter to save.

Note: In this example, the parameter name is /my/database/name, and its value is the name of your DynamoDB table.

Retrieving the Parameter in Your AWS SAM Template

In the template.yml file, we'll reference the DynamoDB table name stored in SSM. The Lambda function, MyFunction, needs both read permissions for the DynamoDB table and permission to access the SSM Parameter Store.

The SSM parameter is retrieved using the syntax {{resolve:ssm:/my/database/name}}, a dynamic reference that fetches the value during resource creation. Additionally, we must attach the necessary IAM policies to the function's role so that the Lambda function can read the parameter.

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Url Sample SAM Template for url

Globals:
  Function:
    Timeout: 3
    LoggingConfig:
      LogFormat: JSON
Resources:
  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: redirect.handler
      Runtime: nodejs18.x
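      FunctionUrlConfig:
        AuthType: NONE  # the function URL is public: no IAM authentication
      Policies:
        # DynamoDBCrudPolicy grants read and write; DynamoDBReadPolicy is the read-only template
        - DynamoDBCrudPolicy:
            TableName: "{{resolve:ssm:/my/database/name}}"
        # ParameterName is written without the leading slash
        - SSMParameterReadPolicy:
            ParameterName: "my/database/name"
      Architectures:
        - x86_64
      Environment:
        Variables:
          # the parameter path, which the code looks up at run time
          TABLE_NAME: "/my/database/name"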

Here, the template resolves the DynamoDB table name from SSM using the resolve syntax and attaches the policies the function needs to access both DynamoDB and the SSM Parameter Store.

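Note: In SSMParameterReadPolicy, we removed the leading / from the parameter name.

        - SSMParameterReadPolicy:
            ParameterName: "my/database/name"

The policy template builds the resource ARN as parameter/ followed by ParameterName, so keeping the leading / produces parameter//my/database/name, which does not match the parameter. If we don't remove it, we will get an Unauthorized error.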
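A check for the leading-slash mistake described above, as an added example that is not part of the original article. It assumes the resource layout of SAM's SSMParameterReadPolicy template (parameter/ plus ParameterName); the account ID, region, `lintFunction` and the rule that an environment value starting with / is a parameter path are constructed for illustration.

```javascript
// Added example (not the article's code). ARN layout follows SAM's
// SSMParameterReadPolicy template; account and region are constructed values.
const ARN_PREFIX = "arn:aws:ssm:us-east-1:123456789012:parameter";

// Resource the policy template renders: "parameter/" + ParameterName, verbatim.
const policyResource = (parameterName) => `${ARN_PREFIX}/${parameterName}`;

// ARN of a parameter: a fully qualified name already begins with "/".
const parameterArn = (name) => ARN_PREFIX + (name.startsWith("/") ? name : `/${name}`);

// IAM resource matching: "*" is any run of characters, "?" is one character.
function iamMatch(pattern, arn) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp(`^${escaped.replace(/\*/g, ".*").replace(/\?/g, ".")}$`).test(arn);
}

// Assumption: an environment variable whose value starts with "/" holds an SSM
// parameter path that the function reads at run time, as TABLE_NAME does here.
function lintFunction(props) {
  const granted = (props.Policies || [])
    .filter((p) => p && p.SSMParameterReadPolicy)
    .map((p) => p.SSMParameterReadPolicy.ParameterName);
  const vars = (props.Environment && props.Environment.Variables) || {};
  const findings = [];
  for (const name of granted) {
    if (name.startsWith("/")) findings.push(`ParameterName "${name}" has a leading slash`);
  }
  for (const [key, path] of Object.entries(vars)) {
    if (typeof path !== "string" || !path.startsWith("/")) continue;
    const covered = granted.some((g) => iamMatch(policyResource(g), parameterArn(path)));
    if (!covered) findings.push(`${key}=${path} is not readable under the granted policies`);
  }
  return findings;
}

// Constructed inputs mirroring the article's function, with and without the slash.
const envVars = { Variables: { TABLE_NAME: "/my/database/name" } };
const good = { Policies: [{ SSMParameterReadPolicy: { ParameterName: "my/database/name" } }], Environment: envVars };
const bad = { Policies: [{ SSMParameterReadPolicy: { ParameterName: "/my/database/name" } }], Environment: envVars };

console.log(lintFunction(good)); // no findings
console.log(lintFunction(bad));  // leading slash, and TABLE_NAME not covered
```

Running it over the Properties of each function in a parsed template catches the mismatch before deployment instead of at the first GetParameter call.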

Retrieving the Parameter Value in your Code

In your code, you can retrieve the DynamoDB table name from the SSM Parameter Store like this:

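const { SSMClient, GetParameterCommand } = require("@aws-sdk/client-ssm");

// Created once, outside the handler, so warm invocations reuse the client.
const ssmClient = new SSMClient({});

// TABLE_NAME holds the parameter path (/my/database/name), not the table name itself.
const table_name_path = process.env.TABLE_NAME;

// Look up the DynamoDB table name stored under that path.
const retrieveTable = async () => {
    const input = {
        Name: table_name_path,
        WithDecryption: false, // plain String parameter, nothing to decrypt
    };
    const command = new GetParameterCommand(input);
    const response = await ssmClient.send(command);

    return response.Parameter.Value;
};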

This JavaScript code initializes an SSM client, and retrieves the DynamoDB table name using the GetParameterCommand.

Note: Ensure you install the @aws-sdk/client-ssm package using npm install @aws-sdk/client-ssm.

Best Practice: Notice that the parameter lookup is defined outside the Lambda handler rather than directly inside it. We avoid adding extra latency during Lambda's cold start, and the approach improves performance by reducing the number of external API calls made during execution.
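One way to keep the lookup out of the per-request path, as an added example that is not the article's code. It goes a step beyond the text by adding a TTL and by sharing a lookup that is already in flight; `createParameterCache`, `fetchParameter` (a stand-in for `ssmClient.send(new GetParameterCommand(...))`), the fake clock and the sample values are constructed so the block runs offline.

```javascript
// Added example, not the article's code. fetchParameter(name) stands in for
// ssmClient.send(new GetParameterCommand({ Name: name })) so this runs offline.
const TABLE_NAME_RE = /^[A-Za-z0-9_.-]{3,255}$/; // DynamoDB table-name rules

function createParameterCache(fetchParameter, { ttlMs = 300000, now = Date.now } = {}) {
  const entries = new Map(); // name -> { pending } | { value, expiresAt }

  return function getParameter(name) {
    const hit = entries.get(name);
    if (hit && hit.pending) return hit.pending; // lookup in flight: share it
    if (hit && hit.expiresAt > now()) return Promise.resolve(hit.value);

    const pending = Promise.resolve()
      .then(() => fetchParameter(name))
      .then((response) => {
        const value = response && response.Parameter && response.Parameter.Value;
        if (typeof value !== "string" || !TABLE_NAME_RE.test(value)) {
          throw new Error(`parameter ${name} is not a valid table name`);
        }
        entries.set(name, { value, expiresAt: now() + ttlMs });
        return value;
      })
      .catch((err) => {
        entries.delete(name); // never cache a failure; the next call retries
        throw err;
      });
    entries.set(name, { pending });
    return pending;
  };
}

// Constructed demo: a fake SSM backend that counts calls, and a fake clock.
async function demo() {
  let calls = 0;
  let clock = 0;
  let stored = "url-table"; // constructed sample value
  const fetchParameter = async (name) => {
    calls += 1;
    return { Parameter: { Name: name, Value: stored } };
  };
  const getTable = createParameterCache(fetchParameter, { ttlMs: 1000, now: () => clock });
  const path = "/my/database/name";

  const [a, b] = await Promise.all([getTable(path), getTable(path)]); // one API call
  await getTable(path);                     // warm invocation: served from cache
  const callsWhileFresh = calls;
  clock = 1001; stored = "url-table-v2";    // TTL passed and the value changed
  const refreshed = await getTable(path);
  return { a, b, callsWhileFresh, refreshed, calls };
}
```

In the Lambda, the cache is created at module scope next to `ssmClient`, and the handler awaits `getTable(process.env.TABLE_NAME)` on each invocation.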

Conclusion

In this article, we explored how to securely store and retrieve a DynamoDB table name from AWS Systems Manager Parameter Store and use it within an AWS Lambda function. By utilizing the {{resolve:ssm}} syntax in the AWS SAM template, we demonstrated how to dynamically reference parameters during resource deployment. Additionally, we showed how to configure the necessary IAM permissions and retrieve the parameter value within our code using the AWS SDK.

Leveraging AWS Systems Manager Parameter Store not only helps in managing configuration data and secrets efficiently, but also enhances the security and flexibility of your serverless applications. With these steps, you can easily scale this approach to manage other sensitive configuration values across your AWS infrastructure.
