Env: VS Code, MacBook Pro, aws-cdk 1.25.0, TypeScript
Implementation
Initially I hoped I could inject an SSM SecureString into a Lambda; unfortunately that failed. Here is my CDK code.
// cdk.ts (imports for the @aws-cdk v1 modules used below; `vpc` is created earlier in the stack)
import * as cdk from "@aws-cdk/core";
import * as lambda from "@aws-cdk/aws-lambda";
import * as ssm from "@aws-cdk/aws-ssm";
import * as iam from "@aws-cdk/aws-iam";

const getXXX = new lambda.Function(this, "gsssus", {
  runtime: lambda.Runtime.NODEJS_10_X,
  code: lambda.AssetCode.fromAsset("lambda"),
  handler: "entry_point/gsss.handler",
  vpc: vpc,
  memorySize: 256,
  timeout: cdk.Duration.seconds(30),
  environment: {
    NODE_ENV: "dev",
    // Resolves to a {{resolve:ssm-secure:/xxx_KEY:1}} dynamic reference at deploy time.
    // CloudFormation does not accept ssm-secure references in Lambda environment
    // variables, so this is where the deploy fails.
    PrivateKey: ssm.StringParameter.valueForSecureStringParameter(this, "/xxx_KEY", 1),
  },
});

// Grants the function's execution role access to the parameter. ssm:* is far wider
// than a runtime read needs: ssm:GetParameter on the exact parameter ARN (plus
// kms:Decrypt on the key if the parameter is encrypted with a customer-managed CMK)
// is enough. The resource ARN must also match the parameter name the Lambda actually reads.
getXXX.role?.addToPolicy(
  new iam.PolicyStatement({
    actions: ["ssm:*"],
    resources: ["arn:aws:ssm:ap-xxxx-1:12345678:parameter/xxxkey/*"],
  })
);
Solution
Inside my Lambda code I have to use the AWS SDK and call SSM to get the SecureString every time the Lambda function is invoked. Because the call runs inside the handler, each invocation pays an SSM round trip; creating the client outside the handler (as below) lets warm invocations reuse it, and the decrypted value can be cached the same way.
// src/index.handler
const AWS = require("aws-sdk");
// The client is created once at module scope, so warm invocations reuse it.
const sm = new AWS.SSM();

const handler = async (event, context) => {
  try {
    const sbPrivateKey = await sm
      .getParameter({
        Name: "/xxx/PRIVATE_KEY",
        WithDecryption: true, // required for SecureString; without it the ciphertext is returned
      })
      .promise();
    const privateKey = sbPrivateKey.Parameter.Value;
    // Do not log the secret itself; confirm only that it was retrieved.
    console.log(`private key retrieved (${privateKey.length} chars)`);
  } catch (e) {
    // The original used project helpers (logger, resError) that are not shown on the page.
    console.error(e);
    throw e;
  }
};

module.exports.handler = handler;
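The runtime lookup above works but pays an SSM round trip on every invocation and, with the handler as written, a failed lookup is only logged. The following is an added example, not the post's code, of the pattern a practitioner would use instead: build the loader outside the handler so warm invocations reuse the decrypted value, refresh it after a TTL so a rotated parameter is picked up, de-duplicate concurrent cold-start fetches, and fail closed when the parameter is missing. The SSM client is injected so the file runs offline against a constructed fake; the parameter name /xxx/PRIVATE_KEY is taken from the post, while the TTL, the fake client, the PRIVATE_KEY_PARAM environment variable in the commented-out production wiring and the sample key material are assumptions.

```javascript
// Added example (not the post's code): cached SSM SecureString loader for Lambda.
// `ssm` is anything with getParameter(params).promise(), e.g. `new AWS.SSM()` from aws-sdk v2.

const DEFAULT_TTL_MS = 5 * 60 * 1000; // assumption: re-read the parameter every 5 minutes

// Build a loader bound to one parameter name. `now` is injectable for testing.
function makeSecretLoader(ssm, name, { ttlMs = DEFAULT_TTL_MS, now = Date.now } = {}) {
  let cached = null;   // { value, fetchedAt } once a read has succeeded
  let inflight = null; // shared promise so concurrent cold-start calls make one SSM request
  let fetchCount = 0;

  async function load() {
    if (cached && now() - cached.fetchedAt < ttlMs) return cached.value;
    if (!inflight) {
      inflight = ssm
        .getParameter({ Name: name, WithDecryption: true })
        .promise()
        .then((res) => {
          if (!res || !res.Parameter || typeof res.Parameter.Value !== "string") {
            throw new Error(`SSM returned no value for ${name}`);
          }
          fetchCount += 1;
          cached = { value: res.Parameter.Value, fetchedAt: now() };
          return cached.value;
        })
        .finally(() => {
          inflight = null; // a failed read leaves `cached` untouched, so the next call retries
        });
    }
    return inflight;
  }

  return { load, stats: () => ({ fetchCount, cached: cached !== null }) };
}

// Constructed fake standing in for aws-sdk's SSM client so the example runs offline.
// It mimics the two behaviours that matter: SecureString needs WithDecryption, and an
// unknown name fails with code ParameterNotFound.
function makeFakeSsm(store) {
  const calls = [];
  return {
    calls,
    getParameter(params) {
      calls.push(params);
      return {
        promise: async () => {
          if (!params.WithDecryption) throw new Error("SecureString requires WithDecryption");
          if (!(params.Name in store)) {
            const err = new Error(`Parameter ${params.Name} not found.`);
            err.code = "ParameterNotFound";
            throw err;
          }
          return { Parameter: { Name: params.Name, Type: "SecureString", Value: store[params.Name] } };
        },
      };
    },
  };
}

// Handler factory: the loader is created once at module scope (outside the handler),
// which is what lets the cache survive across warm invocations.
function makeHandler(loader) {
  return async function handler(event) {
    try {
      const privateKey = await loader.load();
      // Never log the secret itself; log only that it was loaded.
      console.log(`private key loaded (${privateKey.length} chars)`);
      return { statusCode: 200, body: JSON.stringify({ ok: true }) };
    } catch (e) {
      // Fail closed: no secret means no work, and the caller only sees a generic error.
      console.error("failed to load secret:", e.code || e.message);
      return { statusCode: 500, body: JSON.stringify({ ok: false }) };
    }
  };
}

// Production wiring (assumption; kept commented out so this file runs offline):
// const AWS = require("aws-sdk");
// const loader = makeSecretLoader(new AWS.SSM(), process.env.PRIVATE_KEY_PARAM);
// module.exports.handler = makeHandler(loader);

module.exports = { makeSecretLoader, makeFakeSsm, makeHandler, DEFAULT_TTL_MS };
```

Passing the parameter name (not the value) through the environment keeps the secret out of the CloudFormation template and the Lambda console, and the execution role then needs only ssm:GetParameter on that parameter's ARN (plus kms:Decrypt on its key if it is a customer-managed one).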
This is a CloudFormation limitation: a SecureString parameter cannot be resolved into a Lambda environment variable at deploy time, so the value has to be read at runtime (with only the parameter name, never the value, placed in the environment). See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html#aws-ssm-parameter-types
Photo by Markos Mant on Unsplash