How can I hide the parameters gotten from AWS SSM from CloudFormation?

sayopip · March 27, 2025, 9:09am

Hi, I’d like to hide the parameters gotten from AWS SSM as SecureString from CloudFormation when I deploy an application with Serverless Framework V4.

stages:
  default:
    params:
      param1: ${ssm:/path/to/app/param1}
provider:
  environment:
  PARAM1: ${param:param1}

For this configuration, PARAM1 can be seen in CloudFormation template like

"Variables": {
  "PARAM1": "encrypted-string"
}

In this case, what should I do? I wouldn’t like to show other people who can login to AWS console.

NBhat · March 30, 2025, 8:29am

Is it an option for you to read the parameter directly in the code using getParameter API where it’s required?
For eg. in JavaScript/sdk v2,

async function getSSMParameter(name) {
  const response = await ssm.getParameter({
    Name: name,
    WithDecryption: true,
  }).promise();
  return response.Parameter?.Value ?? null;
}

and invoke it as,
const secret = await getSSMParameter("/path/to/app/param1");

Topic		Replies	Views
Securing Environmental Variables Serverless Framework security	0	1102	November 8, 2018
AWS SSM Variables in serverless.yml Serverless Framework aws	7	14745	September 27, 2018
How to access ssm variables Serverless Framework aws , lambda , security , variables	3	2729	July 8, 2024
SSM SecureString decryption Serverless Framework	6	7548	August 15, 2018
Security issue? ${ssm:references} and .serverless/serverless-state.json Serverless Framework aws	0	605	November 22, 2020

How can I hide the parameters gotten from AWS SSM from CloudFormation?

Related topics