I have a SAM template which deploys a few lambdas and I would like to use some parameters I created in the SSM Parameter Store.

I created 2 parameters for my tests:

  • /test/param which is a simple string
  • /test/param/encrypt which contains the same string as /test/param but is encrypted by a KMS key

In my SAM template, I'm trying to get the value of /test/params by following this blog post. Here is a snippet of my template:

Parameters:
  AuthPasswordPublic:
    Type: AWS::SSM::Parameter::Value<String>
    NoEcho: true
    MinLength: 8
    Description: Password for the "public" part of the website
    Default: /test/param

...

Resources:
  Auth:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: nodejs8.10
      Handler: auth.handler
      CodeUri: ./dist
      Environment:
        Variables:
          PASSWORD_PUBLIC: !Ref AuthPasswordPublic
          SEED: !Ref AuthSeed
      Events:
        GetResource:
          Type: Api
          Properties:
            Path: /auth
            Method: post

This should theoretically work when deployed onto AWS. However, I would like to test it locally first. I'm already using aws-sam-local and my credentials are properly configured on my local machine as I'm able to use the AWS CLI. But when running this locally, the value of the envvar PASSWORD_PUBLIC is empty. I tested both the plain text and encrypted SSM parameters but the results are the same.

I would suspect that aws-sam-cli does not support SSM parameters yet but couldn't find any information about that online, nor on the GitHub issues/PR. Any ideas of what is going on here?

Thomas Bouron
  • try using [serverless-offline](https://serverless.com/framework/docs/providers/aws/guide/variables#reference-variables-using-the-ssm-parameter-store). – Eliran Malka Aug 12 '18 at 22:55

1 Answer

aws-sam-cli uses the docker-lambda container, which according to the docs creates:

A sandboxed local environment that replicates the live AWS Lambda environment almost identically...

This means that components such as AWS SSM are not re-created within the docker container. You can check the open GitHub issue here.

So you may have to resort to retrieving the SSM parameters from the host (with aws cli configured), and pass them into the container when invoking sam-cli:

PASSWORD_PUBLIC=$(aws ssm get-parameter --with-decryption --name "/test/param/encrypt" --query "Parameter.Value" --output text) sam local start-api
moebius
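A variant of the workaround above, as an added example that is not part of the original answer: it fetches the parameters on the host and writes them to a file for `sam local start-api --env-vars`, readable only by the current user. `Auth` and `PASSWORD_PUBLIC` come from the question's template; the helper names and `env.local.json` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer). "Auth" and PASSWORD_PUBLIC come
# from the question's template; function and file names here are assumptions.

# Print one parameter as a JSON string literal: --output json keeps the value
# quoted and escaped, so it can be embedded in the env file as-is.
ssm_json_value() {
  aws ssm get-parameter --with-decryption --name "$1" \
    --query 'Parameter.Value' --output json
}

# render_env_json FUNCTION VAR=PARAM... -> {"FUNCTION": {"VAR": "value", ...}}
render_env_json() {
  fn=$1; shift
  printf '{"%s": {' "$fn"
  sep=''
  for pair in "$@"; do
    var=${pair%%=*}; param=${pair#*=}
    val=$(ssm_json_value "$param") || return 1   # fail closed on lookup errors
    [ -n "$val" ] || return 1
    printf '%s"%s": %s' "$sep" "$var" "$val"
    sep=', '
  done
  printf '}}\n'
}

# write_env_file OUT FUNCTION VAR=PARAM...
# Writes OUT atomically with mode 0600; leaves nothing behind on failure.
write_env_file() {
  out=$1; shift
  (
    umask 077
    tmp="$out.tmp.$$"
    if render_env_json "$@" > "$tmp"; then
      mv "$tmp" "$out"
    else
      rm -f "$tmp"; exit 1
    fi
  )
}

# Run only when invoked as `sh script.sh start`.
if [ "${1:-}" = "start" ]; then
  write_env_file env.local.json Auth PASSWORD_PUBLIC=/test/param/encrypt &&
    sam local start-api --env-vars env.local.json
fi
```

Keep `env.local.json` out of version control, since it holds the decrypted value.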