SSM SecureString decryption

Hi there,

I’m trying to extract variables from SSM and for String type the ${ssm:/path/to/param} works perfectly, but I’m struggling trying to extract params from SSM that are of type SecureString. As per the SLS docs (https://serverless.com/framework/docs/providers/aws/guide/variables/) I’m using ${ssm:/path/to/secureparam~true} but it always returns undefined.
I guess my question is, how does SLS know which KMS key to decrypt this with? I’m missing part of the puzzle here.

Any help would be greatly appreciated. Thanks

I’m using SLS 1.22.0

A quick look at the docs (because I haven’t used this functionality myself yet) suggests that the SSM service uses a KMS key with the alias aws/ssm (which is automatically created for you). This is a common pattern used by other KMS-backed encryption services (e.g. EBS, etc).

I’m not sure if this is configurable, but presumably (again, untried) you could update the alias to point at the key you want it to use (rather than the one that was created by default).

I’m working on ssm right now too but I can’t even deploy with it. Did you need to add any configuration settings other than creating the secure strings? I get an error in a different part of my serverless.yml if the ssm: prefix is present.

Hi, thanks for the reply. You are right, I wasn’t using the correct alias. All works now. Thanks for your help @rowanu


@delprofundo What version of sls are you using? Support for the SSM syntax was added in v1.21.1.


1.22.0. I’ve raised a case that has been referenced to yours. I think once I get ready to go to production for now I’ll pass the region in the CLI arguments.

@lorengordon I’m running into this issue now, can you share the syntax you used to get it to work? Also, did you use the automatic key or did you force it to use a specific key?