Hi, I’d like to hide the parameters gotten from AWS SSM as SecureString from CloudFormation when I deploy an application with Serverless Framework V4.
```yaml
stages:
  default:
    params:
      param1: ${ssm:/path/to/app/param1}

provider:
  environment:
    PARAM1: ${param:param1}
```

For this configuration, PARAM1 can be seen in the CloudFormation template like

```json
"Variables": {
  "PARAM1": "encrypted-string"
}
```

In this case, what should I do? I wouldn’t like to show it to other people who can log in to the AWS console.
NBhat
March 30, 2025, 8:29am
2
Is it an option for you to read the parameter directly in the code using getParameter API where it’s required?
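For example, in JavaScript/SDK v2,

```javascript
// AWS SDK for JavaScript v2 client (bundled as the "aws-sdk" package)
const AWS = require("aws-sdk");
const ssm = new AWS.SSM();

// Fetch a parameter at runtime; WithDecryption returns the SecureString in plaintext
async function getSSMParameter(name) {
  const response = await ssm.getParameter({
    Name: name,
    WithDecryption: true,
  }).promise();
  return response.Parameter?.Value ?? null;
}
```

and invoke it as,

```javascript
// Call from inside an async function such as the Lambda handler
const secret = await getSSMParameter("/path/to/app/param1");
```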
Secrets in user-data are a bad idea. Any exploit that lets an attacker make a web request gives them easy access to your secrets. Anyone with legitimate access to the box will have access to them.
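Building on the getParameter reply above, this added example (not code from the thread or from Serverless Framework) caches the decrypted SecureString in memory with a TTL and shares one in-flight request between concurrent callers, so the value is fetched at runtime instead of being written into the template. `createSecretLoader`, its `ttlMs` and `now` options, and `makeFakeSsm` are hypothetical names; the fake client is a constructed stand-in with the SDK v2 call shape so the block runs offline.

```javascript
// Added example: runtime secret loader with TTL cache (names are hypothetical).
// `ssm` is any object exposing the SDK v2 shape: getParameter(params).promise().
function createSecretLoader(ssm, { ttlMs = 5 * 60 * 1000, now = Date.now } = {}) {
  const cache = new Map(); // parameter name -> { expires, promise }

  return function getSecret(name) {
    const hit = cache.get(name);
    if (hit && hit.expires > now()) return hit.promise;

    // Cache the promise itself so concurrent callers share one SSM request.
    const promise = ssm
      .getParameter({ Name: name, WithDecryption: true })
      .promise()
      .then((res) => {
        const value = res.Parameter?.Value;
        if (value == null) throw new Error(`SSM parameter ${name} has no value`);
        return value;
      });
    // Never cache a failure: evict the entry so the next call retries.
    promise.catch(() => {
      if (cache.get(name)?.promise === promise) cache.delete(name);
    });
    cache.set(name, { expires: now() + ttlMs, promise });
    return promise;
  };
}

// Constructed stand-in for the SSM client; in a deployed function pass
// `new AWS.SSM()` instead. `store` maps parameter names to sample values.
function makeFakeSsm(store) {
  const fake = {
    calls: 0,
    getParameter({ Name }) {
      fake.calls += 1;
      return {
        promise: async () => {
          if (!(Name in store)) throw new Error("ParameterNotFound");
          return { Parameter: { Name, Value: store[Name] } };
        },
      };
    },
  };
  return fake;
}
```

The function's execution role needs `ssm:GetParameter` on the parameter, plus `kms:Decrypt` when the SecureString uses a customer-managed key.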