5

I know in Cloudformation you can create Parameters using SSM, but I really want to know if you can use SSM in environment variables for a lambda. I know I can put the SSM paths and use the sdk in the code to get those values, but maybe there is a way to make that automatically without fetching values from code.

Thanks

Alastair McCormack
Leandro

2 Answers

6

You can directly fetch the values within CloudFormation from Parameter Store and pass them as environment variables to the lambda using a dynamic reference.

For example:

  ServerlessTestLambda:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: src
      Handler: test-env-var.handler
      Role: !GetAtt BasicLambdaRole.Arn
      Environment:
        Variables:
          ParamStoreVar: "{{resolve:ssm:/test/ssmparam:3}}"
      Events:
        LambdaSchedule:
          Type: Schedule
          Properties:
            Schedule: rate(3 minutes)

This is the lambda I created to test, and as you can see, the value of the key would be replaced for the environment variable ParamStoreVar.

Note - You cannot replace an SSM SecureString in the environment variable for obvious security reasons.

For more information: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html

Biplob Biswas
  • What about secure string? I am getting error " FAILED. Reason: SSM Secure reference is not supported in: [AWS::Lambda::Function/Properties/Environment/Variables/API_KEY" – ifti Oct 16 '19 at 10:13
  • I already added a note in my answer for your question, ssm-secure is not supported for obvious security issues. For secure ssm you need to resolve it within the lambda – Biplob Biswas Oct 16 '19 at 11:57
  • You can encrypt environment variables: https://docs.aws.amazon.com/whitepapers/latest/kms-best-practices/encrypting-lambda-environment-variables.html – Andriy Kharchuk Jun 15 '21 at 22:22
2

You can also define it as a parameter and then reference it in your template. One advantage to doing it this way is that you don't have to worry about specifying the version number. (I can imagine that there may be circumstances where people would say "¿No version number is an advantage? Bah!".)

Parameters:
  SomeParameter:
    Type: AWS::SSM::Parameter::Value<String>
    Default: '/path/to/my-param'

...

MyFunction:
  Type: AWS::Serverless::Function
  Properties:
    ...
    Environment:
      Variables:
        MY_ENVIRONMENT_VAR: !Ref SomeParameter

When you look at the Parameters tab in CloudFormation (in the AWS Console) now you'll only see the string '/path/to/my-param' next to the key SomeParameter; however, when you go look at your Lambda function (in the environment variables section), you'll see that it has resolved to whatever value is stored for the parameter named /path/to/my-param.

Matt
  • What if the value of the SSM parameter is modified after the CFT has been created? As you're not specifying a version of the parameter value, what version is it referencing? – aydow May 04 '21 at 01:13
  • @aydow If the value is modified, the lambda still will have the old value, because it's static. For dynamic, you need to call the SSM API to read the actual value. – 0zkr PM Jun 08 '22 at 19:56
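
The comments under both answers point to the same fallback: a SecureString, or a value that must follow later changes, has to be read from SSM inside the function. The sketch below is an added example, not code from either answer. It assumes the environment variable holds the parameter name rather than its value; `API_KEY_PARAM`, the five-minute TTL and the injectable `client` argument are constructed for illustration.

```python
import os
import time

# Assumption: the function's environment carries the parameter *name*
# (e.g. API_KEY_PARAM=/test/ssmparam), never the secret value itself.
PARAM_ENV = "API_KEY_PARAM"
TTL_SECONDS = 300  # assumed refresh interval; tune to how often the value changes

_cache = {}  # parameter name -> (value, expiry timestamp)


def _ssm_client():
    # Imported lazily so the module loads (and can be tested) without boto3.
    import boto3
    return boto3.client("ssm")


def get_secret(name, client=None, now=time.monotonic, ttl=TTL_SECONDS):
    """Return the decrypted parameter, calling SSM only when the cache is stale."""
    hit = _cache.get(name)
    if hit and hit[1] > now():
        return hit[0]
    client = client or _ssm_client()
    # WithDecryption=True has SSM decrypt a SecureString through KMS; the
    # execution role needs ssm:GetParameter on this parameter and kms:Decrypt
    # on the key that protects it.
    resp = client.get_parameter(Name=name, WithDecryption=True)
    value = resp["Parameter"]["Value"]
    _cache[name] = (value, now() + ttl)
    return value


def handler(event, context, client=None):
    name = os.environ[PARAM_ENV]
    api_key = get_secret(name, client=client)
    # Use api_key here; do not log it or echo it back in the response.
    return {"param": name, "loaded": bool(api_key)}
```

The cache lives in module scope, so warm invocations reuse the value and a changed parameter is picked up once the TTL expires or a new execution environment starts.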