How AWS Lambda works with SSM Secure string

Env: VScode, Mbpr, aws-cdk:1.25.0, Typescript


By default I hope I can inject SSM secure string to a Lambda, unfortunately, I failed and here are my CDK code.

// cdk.ts

const getXXX = new lambda.Function(this, "gsssus", {
        runtime: lambda.Runtime.NODEJS_10_X,
        code: lambda.AssetCode.fromAsset("lambda"),
        handler: "entry_point/gsss.handler",
        vpc: vpc,
        memorySize: 256,
        timeout: cdk.Duration.seconds(30),
        environment: {
          NODE_ENV: "dev",
          PrivateKey: ssm.StringParameter.valueForSecureStringParameter(this, "/xxx_KEY",1)


        new iam.PolicyStatement({
          actions: ["ssm:*"],
          resources: ["arn:aws:ssm:ap-xxxx-1:12345678:parameter/xxxkey/*"]


Inside my lambda code, I have to use AWS SDK and call SSM function to get SSM secure string every time once Lambda function is called.

// src/index.handler

const AWS = require("aws-sdk");
const sm = new AWS.SSM();

const handler = async (event, context, callback) => {
    try {
        const sbPrivateKey = await sm.getParameter({
          Name: "/xxx/PRIVATE_KEY",
          WithDecryption: true,
        console.log(await sbPrivateKey.Parameter.Value);
    } catch (e)  {
        return resError(e);

module.exports.handler = handler

Cloudformation limitation, See

Photo by Markos Mant on Unsplash