9

I am deploying apps to AWS via Serverless and need to read values from Secrets Manager during deployment. I have read this doc: https://www.serverless.com/framework/docs/providers/aws/guide/variables/#reference-variables-using-the-ssm-parameter-store

It shows how to read it:

custom:
  supersecret: ${ssm:/aws/reference/secretsmanager/secret_ID_in_Secrets_Manager~true}

However, it can be used to read a string value from Secrets Manager. My secret is an object which includes key/value pairs. How can I read the key inside a secret?

I have tried something like this:

custom:
  supersecret: ${ssm:/aws/reference/secretsmanager/secret_ID_in_Secrets_Manager:MY_KEY~true}

custom:
  supersecret: ${ssm:/aws/reference/secretsmanager/secret_ID_in_Secrets_Manager/MY_KEY~true}

But none of them work.

Joey Yi Zhao

1 Answer

11

Serverless will resolve the object for you.

Assuming that the content of your secret_ID_in_Secrets_Manager looks like this:

{
  "foo": "foo",
  "bar": "bar"
}

Then if you define your custom variable in serverless.yml like this:

custom:
  supersecret: ${ssm:/aws/reference/secretsmanager/secret_ID_in_Secrets_Manager~true}

Then this will resolve to:

custom:
  supersecret:
    foo: foo
    bar: bar

You can reference them inside serverless.yml by using ${self:custom.supersecret.foo} and ${self:custom.supersecret.bar}.

See the Serverless documentation and search for "Variables can also be object", since AWS Secrets Manager can store secrets not only in plain text but also in JSON.

yvesonline
  • 11
    Keep in mind that Serverless Framework is about to switch to a new SSM Variable resolution soon (at the time of the comment it can be manually enabled with `variablesResolutionMode: 20210326`). In this mode, "~true" has to be omitted. Otherwise, it will be considered a part of the secret name – Yevhenii Hordashnyk Jul 09 '21 at 07:46
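
The answer and the comment above combined into one serverless.yml, as an added example that is not part of the original posts. The secret name and its keys are the ones used in the answer; the service name, runtime, function name, handler and environment variable names are assumptions chosen for illustration.

```yaml
service: secrets-demo            # assumed service name
frameworkVersion: '2'

# Opt in to the new SSM variable resolution mentioned in the comment.
# In this mode "~true" must be omitted, otherwise it is treated as part
# of the secret name.
variablesResolutionMode: 20210326

provider:
  name: aws
  runtime: nodejs14.x            # assumed runtime

custom:
  # New resolution mode: no "~true" suffix.
  supersecret: ${ssm:/aws/reference/secretsmanager/secret_ID_in_Secrets_Manager}
  # Legacy resolution (the form shown in the question and answer):
  # supersecret: ${ssm:/aws/reference/secretsmanager/secret_ID_in_Secrets_Manager~true}

functions:
  hello:                         # assumed function name
    handler: handler.hello       # assumed handler
    environment:
      # Individual keys of the JSON secret are addressed through the
      # resolved object, not through the ssm: reference itself.
      # Variables are resolved at deploy time, so these values are written
      # in plain text into the generated CloudFormation template and the
      # function's environment configuration.
      FOO: ${self:custom.supersecret.foo}
      BAR: ${self:custom.supersecret.bar}
```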