
The use case: the database credentials are stored in Parameter Store for an AWS source Account and we need to share such credentials with another AWS Account.

I know the recommendation is to use System Manager, but that is not a valid option for custom reasons.

We won't access Parameter Store from a Lambda inside another AWS Account/VPC. Instead, we need to access such keys from the AWS CLI to fill in the application environment variables at build time - again, it's not ideal.

In summary, we have an AWS Cross-Account / Same region / IAM user (another account) scenario to access the Parameter Store keys from the source AWS Account.

Thanks in advance for any kind of guidance/direction

Richard Lee
  • Parameter Store isn't a VPC service, it doesn't run in your VPC, so no. You can do this with a cross-account IAM role, but the VPC is not involved at all. – Mark B Jun 23 '22 at 13:42
  • I just mentioned VPC Peering because I had the Lambda scenario in my head (VPC Endpoints), but you are correct, there is no VPC Peering! I'll explore this cross-account role and edit the question to avoid confusion. Thanks for the guidance @MarkB – Richard Lee Jun 23 '22 at 13:48

2 Answers


I think you could create an IAM Role in the account with Parameter Store, give that Role permission to access Parameter Store, and configure it to let the IAM user you created in the other account assume that Role and do what it needs.

Something like `aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/example-role" --role-session-name AWSCLI-Session` and then `aws ssm get-parameter --name "MyStringParameter"`

pearm
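The cross-account role flow from this answer, worked through end to end as an added example (not code from the question or the answer). It assumes placeholder account ids (`111111111111` owns Parameter Store, `222222222222` runs the build), a role name `ParameterStoreReadRole`, a build user `build-user`, a parameter path `/app/db` and region `us-east-1`; all of these are made up for illustration. The role's trust policy names only the one IAM user, and its permission policy is read-only and scoped to the one parameter path, so the temporary credentials cannot read anything else in the source account. The AWS calls are only made when `RUN_AWS=1` is set; the credential-parsing helper works offline on the tab-separated text that `aws sts assume-role --query ... --output text` prints.

```shell
#!/bin/sh
# Added example: least-privilege cross-account read of Parameter Store at build time.
# All account ids, names and paths below are placeholders, not values from the page.
set -eu

SOURCE_ACCOUNT="111111111111"    # placeholder: account that owns the parameters
CONSUMER_ACCOUNT="222222222222"  # placeholder: account of the IAM user running the build
BUILD_USER="build-user"          # placeholder: IAM user in the consumer account
ROLE_NAME="ParameterStoreReadRole"
REGION="us-east-1"
PARAM_PATH="/app/db"             # only parameters under this path are readable

# Trust policy for the role in the source account: only the named user may assume it.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::${CONSUMER_ACCOUNT}:user/${BUILD_USER}" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Permission policy attached to the role: read-only, one parameter path.
# SSM parameter ARNs are arn:aws:ssm:region:account:parameter/name, so a
# path-style name "/app/db/..." becomes "parameter/app/db/...".
permission_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
    "Resource": "arn:aws:ssm:${REGION}:${SOURCE_ACCOUNT}:parameter${PARAM_PATH}/*"
  }]
}
EOF
}

# Create the role once (run in the source account with an admin profile).
create_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)"
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name "ReadAppDbParameters" --policy-document "$(permission_policy)"
}

# Export temporary credentials from one line "KEY<TAB>SECRET<TAB>TOKEN", which is
# what --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text prints.
load_temp_creds() {
  AWS_ACCESS_KEY_ID=$(printf '%s' "$1" | cut -f1)
  AWS_SECRET_ACCESS_KEY=$(printf '%s' "$1" | cut -f2)
  AWS_SESSION_TOKEN=$(printf '%s' "$1" | cut -f3)
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Assume the role from the consumer account's IAM user and read one parameter.
# The session is short-lived (15 minutes) and named after the build for CloudTrail.
fetch_db_password() {
  creds=$(aws sts assume-role \
    --role-arn "arn:aws:iam::${SOURCE_ACCOUNT}:role/${ROLE_NAME}" \
    --role-session-name "build-$(date +%s)" \
    --duration-seconds 900 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text)
  load_temp_creds "$creds"
  # --with-decryption is needed for SecureString parameters.
  DB_PASSWORD=$(aws ssm get-parameter --name "${PARAM_PATH}/password" \
    --with-decryption --query 'Parameter.Value' --output text)
  export DB_PASSWORD
}

# Only talk to AWS when explicitly asked, so the file can be sourced and inspected offline.
if [ "${RUN_AWS:-0}" = "1" ]; then
  fetch_db_password
  printf 'DB_PASSWORD loaded (%d bytes)\n' "${#DB_PASSWORD}"
fi
```

Two caveats for SecureString parameters: the parameter's KMS key must be a customer managed key (the AWS managed `aws/ssm` key cannot be used across accounts), and the role's policy also needs `kms:Decrypt` on that key. Exporting the credentials into the build environment means they land in the build log if the job prints its environment, so keep the session short and do not echo the variables.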

To make it short: it's not possible to share Parameter Store, only secrets from Secrets Manager.

Salix