archive-gh-me/serverless
1
0
Fork 0
mirror of https://github.com/serverless/serverless.git synced 2026-01-18 14:58:43 +00:00
Code Issues Projects Releases Wiki Activity
serverless/docs/guides/variables/ssm.md
Tomasz Czubocha f25d1b631f
style: fix prettier formatting (#12591)
2024-06-11 17:11:50 +02:00

116 lines
3.6 KiB
Markdown
Raw Permalink Blame History

<!--
title: Serverless Framework - Variables - AWS SSM & Secrets Manager
menuText: AWS SSM Parameter Store & Secrets Manager
menuOrder: 11
description: How to reference AWS SSM Parameter Store & Secrets Manager
layout: Doc
-->
<!-- DOCS-SITE-LINK:START automatically generated -->
### [Read this on the main serverless docs site](https://www.serverless.com/framework/docs/guides/variables/ssm)
<!-- DOCS-SITE-LINK:END -->
# Reference AWS SSM Parameter Store & Secrets Manager
You can reference SSM Parameters as the source of your variables with the `ssm:/path/to/param` syntax. For example:
```yml
service: ${ssm:/path/to/service/id}-service
provider:
name: aws
functions:
hello:
name: ${ssm:/path/to/service/myParam}-hello
handler: handler.hello
```
In the above example, the value for the SSM Parameters will be looked up and used to populate the variables.
You can also reference SSM Parameters in another region with the `ssm(REGION):/path/to/param` syntax. For example:
```yml
service: ${ssm(us-west-2):/path/to/service/id}-service
provider:
name: aws
functions:
hello:
name: ${ssm(ap-northeast-1):/path/to/service/myParam}-hello
handler: handler.hello
```
## AWS Secrets Manager
Variables in [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) can be referenced [using SSM](https://docs.aws.amazon.com/systems-manager/latest/userguide/integration-ps-secretsmanager.html), just use the `ssm:/aws/reference/secretsmanager/secret_ID_in_Secrets_Manager` syntax. For example:
```yml
service: new-service
provider: aws
functions:
hello:
name: hello
handler: handler.hello
custom:
secret: ${ssm:/path/to/secureparam}
# AWS Secrets manager parameter
supersecret: ${ssm:/aws/reference/secretsmanager/secret_ID_in_Secrets_Manager}
```
In this example, the serverless variable will contain the decrypted value of the secret.
Variables can also be object, since AWS Secrets Manager can store secrets not only in plain text but also in JSON.
If the above secret `secret_ID_in_Secrets_Manager` is something like below,
```json
{
"num": 1,
"str": "secret",
"arr": [true, false]
}
```
variables will be resolved like
```yml
service: new-service
provider: aws
functions:
hello:
name: hello
handler: handler.hello
custom:
supersecret:
num: 1
str: secret
arr:
- true
- false
```
### Resolve `StringList` as array of strings
Same `StringList` type parameters are automatically detected and resolved to array form. (Note: you can turn off resolution to array by passing `raw` instruction into variable as: `${ssm(raw):/path/to/stringlistparam}`, if you need to also pass custom region, put it first as: `${ssm(eu-west-1, raw):/path/to/stringlistparam}`)
```yml
service: new-service
provider: aws
functions:
hello:
name: hello
handler: handler.hello
custom:
myArrayVar: ${ssm:/path/to/stringlistparam}
```
### Resolution of non plain string types
Other types as `SecureString` and `StringList` are automatically resolved into expected forms.
#### Auto decrypting of `SecureString` type parameters.
All `SecureString` type parameters are automatically decrypted, and automatically parsed if they export stringified JSON content (Note: you can turn off parsing by passing `raw` instruction into variable as: `${ssm(raw):/path/to/secureparam}`, if you need to also pass custom region, put it first as: `${ssm(eu-west-1, raw):/path/to/secureparam}`)
In order to get the encrypted content, you can pass `noDecrypt` instruction into variable as: `${ssm(noDecrypt):/path/to/secureparam}` (it can be passed aside of region param as e.g.: `${ssm(eu-west-1, noDecrypt):/path/to/secureparam})`
Reference in New Issue View Git Blame Copy Permalink