I’m trying to extract variables from SSM and for String type the ${sam:/path/to/param} works perfectly, but I’m struggling trying to extract params from SSM that are of type SecureString. As per the SLS docs (https://serverless.com/framework/docs/providers/aws/guide/variables/) I’m using ${ssm:/path/to/secureparam~true} but it always returns undefined.
I guess my question is, how does SLS know which KMS key to decrypt this with? I’m missing part of the puzzle here.
A quick look at the docs (because I haven’t used this functionality myself yet) suggests that the SSM service uses a KMS key with the alias aws/ssm (which is automatically created for you). This is a common pattern used by other KMS-backed encryption services (e.g. EBS, etc).
I’m not sure if this is configurable, but presumably (again, untried) you could update the alias to point at the key you want it to use (rather than the one that was created by default).
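Added example (not part of the thread and not Serverless Framework code): SSM stores the KMS key of each SecureString in the parameter's own metadata, the `KeyId` field that DescribeParameters returns, so a decrypting read does not name a key. The Python sketch below checks `${ssm:...}` references in a serverless.yml against such metadata; `audit_ssm_refs`, the sample YAML, the sample metadata and the `alias/app-key` key are constructed for illustration, and the `~true` syntax is the one quoted in the posts above.

```python
import re

# Variable syntax as used in the thread:
#   ${ssm:/path/to/param}       -> read without decryption
#   ${ssm:/path/to/param~true}  -> read with decryption
SSM_REF = re.compile(r"\$\{ssm:(?P<name>[^~}\s]+)(?:~(?P<flag>true|false))?\}")

# Constructed sample, shaped like the ParameterMetadata entries that the
# SSM DescribeParameters API returns (Name, Type, KeyId).
SAMPLE_METADATA = [
    {"Name": "/path/to/param", "Type": "String"},
    {"Name": "/path/to/secureparam", "Type": "SecureString", "KeyId": "alias/aws/ssm"},
    {"Name": "/path/to/other", "Type": "SecureString", "KeyId": "alias/app-key"},
]

# Constructed serverless.yml fragment.
SAMPLE_YAML = """
provider:
  environment:
    PLAIN: ${ssm:/path/to/param}
    SECRET: ${ssm:/path/to/secureparam~true}
    LEAKY: ${ssm:/path/to/other}
    GONE: ${ssm:/path/to/missing~true}
"""

def audit_ssm_refs(yaml_text, metadata):
    """Return one finding per ${ssm:...} reference found in yaml_text."""
    by_name = {m["Name"]: m for m in metadata}
    findings = []
    for match in SSM_REF.finditer(yaml_text):
        name = match.group("name")
        decrypt = match.group("flag") == "true"
        meta = by_name.get(name)
        if meta is None:
            status = "not in supplied metadata (wrong name or region?)"
        elif meta["Type"] == "SecureString" and not decrypt:
            status = "SecureString read without ~true: value stays encrypted"
        elif meta["Type"] != "SecureString" and decrypt:
            status = "~true on a non-secure parameter: flag is ignored"
        else:
            status = "ok"
        findings.append({"name": name, "decrypt": decrypt, "status": status,
                         "kms_key": meta.get("KeyId") if meta else None})
    return findings

if __name__ == "__main__":
    for finding in audit_ssm_refs(SAMPLE_YAML, SAMPLE_METADATA):
        print(finding)
```

The `kms_key` field in each finding is the key the deploying identity must be allowed to decrypt with, in addition to being allowed to read the parameter itself.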
I’m working on ssm right now too but I can’t even deploy with it. Did you need to add any configuration settings other than creating the secure strings? (I get an error in a different part of my serverless.yml if the ssm: prefix is present.)
1.22.0. I’ve raised a case that has been referenced to yours. I think once I get ready to go to production, for now I’ll pass the region in the CLI arguments.
@lorengordon I’m running into this issue now, can you share the syntax you used to get it to work? Also, did you use the automatic key or did you force it to use a specific key?