Introduction
In this article, I'll guide you through the process of retrieving a DynamoDB table name stored in AWS Systems Manager Parameter Store (SSM Parameter Store) using an AWS SAM template (template.yml). Additionally, I’ll show how to use this parameter in our code and how to add the required IAM permissions to the function.
What is AWS Systems Manager Parameter Store?
AWS Systems Manager Parameter Store is a service that provides secure, hierarchical storage for managing configuration data and secrets. It allows you to store values like passwords, database strings, Amazon Machine Image (AMI) IDs, and other sensitive information as parameters. These values can be stored as plain text or encrypted, and referenced in scripts, AWS Lambda functions, and other AWS services by their unique parameter names.
Creating a Parameter in AWS Systems Manager Parameter Store
We will create a parameter to hold our DynamoDB table name in the SSM Parameter Store.
Steps:
- In the AWS Management Console, search for Systems Manager.
- Under the Application Management section, select Parameter Store.
- Click the Create Parameter button on the left side.
4- Name the parameter
/my/database/name
. 5- Set the type to String, and enter the DynamoDB table name as the value. 6- Click Create Parameter to save.
Note: In this example, the parameter name is /my/database/name
, and its value is the name of your DynamoDB table.
Retrieving the Parameter in Your AWS SAM Template
In the template.yml
file, we'll reference the DynamoDB table name stored in SSM. The Lambda function, MyFunction
, needs both read permissions for the DynamoDB table and permission to access the SSM Parameter Store.
The SSM parameter is retrieved using the syntax {{resolve:ssm:/my/database/name}}
, which fetches the value dynamically during resource creation. Additionally, we must assign the necessary IAM roles to allow the Lambda function to read the parameter.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Url Sample SAM Template for url
Globals:
Function:
Timeout: 3
LoggingConfig:
LogFormat: JSON
Resources:
MyFunction:
Type: AWS::Serverless::Function
Properties:
Handler: redirect.handler
Runtime: nodejs18.x
FunctionUrlConfig:
AuthType: NONE
Policies:
- DynamoDBCrudPolicy:
TableName: "{{resolve:ssm:/my/database/name}}"
- SSMParameterReadPolicy:
ParameterName: "my/database/name"
Architectures:
- x86_64
Environment:
Variables:
TABLE_NAME: "/my/database/name"
Here, the Lambda function retrieves the DynamoDB table name using the resolve
function from SSM and assigns the necessary policies to access both DynamoDB and the SSM Parameter Store.
Note: We removed the starting /
before the parameter name.
- SSMParameterReadPolicy:
ParameterName: "my/database/name"
If we don't, we will get an Unauthorized error.
Retrieving the Parameter Value in your Code
In your code, you can retrieve the DynamoDB table name from the SSM Parameter Store like this:
const { SSMClient, GetParameterCommand } = require("@aws-sdk/client-ssm");
const table_name_path = process.env.TABLE_NAME;
const retrieveTable = async () => {
const input = {
Name: table_name_path,
WithDecryption: false,
};
const command = new GetParameterCommand(input);
const response = await ssmClient.send(command);
return response.Parameter.Value;
}
This JavaScript code initializes an SSM client, and retrieves the DynamoDB table name using the GetParameterCommand
.
Note: Ensure you install the @aws-sdk/client-ssm
package using npm install @aws-sdk/client-ssm
Best Practice: Notice that we didn't retrieve the parameter value directly within our Lambda function. We avoid adding extra latency during Lambda's cold start. This approach improves performance by reducing the number of external API calls made during execution.
Conclusion
In this article, we explored how to securely store and retrieve a DynamoDB table name from AWS Systems Manager Parameter Store and use it within an AWS Lambda function. By utilizing the {{resolve:ssm}}
syntax in the AWS SAM template, we demonstrated how to dynamically reference parameters during resource deployment. Additionally, we showed how to configure the necessary IAM permissions and retrieve the parameter value within our code using AWS SDK.
Leveraging AWS Systems Manager Parameter Store not only helps in managing configuration data and secrets efficiently, but also enhances the security and flexibility of your serverless applications. With these steps, you can easily scale this approach to manage other sensitive configuration values across your AWS infrastructure.
Follow my social handles for more articles:
Click and follow on