Parsing of ssm JSON values does not work + docs out of date?

codan84 · June 8, 2021, 3:49pm

I am trying to pull a value from SSM that is a stringified JSON and assign it to a resource policy of API gateway.
According to docs (https://www.serverless.com/framework/docs/providers/aws/guide/variables#resolution-of-non-plain-string-types) SecureString params are automatically parsed if they contain JSON. so I have tried this:

provider:
  resourcePolicy: ${ssm:/my/resource/policy}

This did not even get decrypted (according to docs above this should work tho). then I found somewhere on a forum that I need to pass ~true to decrypt (so here - docs out of date):

provider:
  resourcePolicy: ${ssm:/my/resource/policy~true}

This decrypts, but the policy statement is stringified json:

"Policy": {
          "Version": "2012-10-17",
          "Statement": [
            " [\n    {\n      \"Sid\": \"\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"execute-api:Invoke\",\n      \"Resource\": \"arn:aws:execute-api:eu-west-1:111111111:*\",\n      \"Principal\": \"*\",\n      \"Condition\": {\n        \"StringEquals\": {\n          \"aws:SourceVpce\": [\n            \"vpc-1111111\"\n          ]"
          ]
        }

So here, this clearly does not work, right?
I am confident that my ssm param is correct. To test it I created a JS file to fetch/parse it and then imported the parsed value in serverless config:

const AWS = require('aws-sdk')
const SSM = require('aws-sdk/clients/ssm')

// https://www.serverless.com/framework/docs/providers/aws/guide/variables/#reference-variables-in-javascript-files
module.exports = async ({ options, resolveConfigurationProperty }) => {
  // So that we can run it locally too!
  if (options['aws-profile']) {
    AWS.config.credentials = new AWS.SharedIniFileCredentials({
      profile: options['aws-profile'],
    })
  }

  const region = await resolveConfigurationProperty(['provider', 'region'])
  const ssm = new SSM({ region })

  const policy = await ssm
    .getParameter({
      Name: '/my/resource/policy',
      WithDecryption: true,
    })
    .promise()

  return JSON.parse(policy.Parameter.Value)
}

And then in Serverless.yml:

provider:
  resourcePolicy: ${file(./serverless-get-policy.js)}

Again, this works lovely, proving that value in SSM is a correct stringified JSON.
Am I missing something? Docs are clearly out of date…

thomykut · June 6, 2023, 5:50pm

Same problem here. This happened when upgrading from v2 to v3

Topic		Replies	Views
SSM SecureString decryption Serverless Framework	6	7421	August 15, 2018
AWS SSM Variables in serverless.yml Serverless Framework aws	7	14330	September 27, 2018
Deployment to AWS fails when trying to read API Key value from SSM parameter store Serverless Framework api-gateway , variables	0	1963	July 29, 2020
How to access ssm variables Serverless Framework aws , lambda , security , variables	3	2467	July 8, 2024
Security issue? ${ssm:references} and .serverless/serverless-state.json Serverless Framework aws	0	599	November 22, 2020

Parsing of ssm JSON values does not work + docs out of date?

Related topics