Reputation: 9033
I would like to use SSM Parameters in Serverless Variables.
Following the docs, I ran this command:
aws ssm put-parameter --name foo --value bar --type SecureString
And I added this to my serverless.yml:
custom:
  foo: ${ssm:foo}
When I deploy, I get this warning however:
Serverless Warning --------------------------------------
A valid SSM parameter to satisfy the declaration 'ssm:foo' could not be found.
How do I access this variable? Thanks!
Upvotes: 13
Views: 16955
Reputation: 52313
Check your IAM policy. To get the parameters, the user doing the deployment needs access to SSM. This offers full access. See the docs to narrow it down a bit (i.e., GetParameters, GetParameter).
{
  "Effect": "Allow",
  "Action": [
    "ssm:*"
  ],
  "Resource": [
    "*"
  ]
}
Upvotes: 6
Reputation: 21
Add this to the provider section in the serverless.yml file:
iamRoleStatements:
  - Effect: "Allow"
    Action:
      - "ssm:GetParameters"
    Resource: "*"
Upvotes: 2
Reputation: 1893
To use SSM variables, you need to prefix /aws/reference/secretsmanager/
Example:
${ssm:/aws/reference/secretsmanager/${self:provider.stage}/service/mysecret~true}
Upvotes: -3
Reputation: 1218
If the parameter is a SecureString, you need to add ~true after the path to the parameter in the serverless.yml file, as explained here: https://serverless.com/framework/docs/providers/aws/guide/variables#reference-variables-using-the-ssm-parameter-store
This will tell the framework to decrypt the value. Make sure that you have permissions to use the key used to encrypt the parameter.
Upvotes: 6
Reputation: 9033
I needed to set the same region for both the serverless function and the SSM variable assignment:
aws ssm put-parameter --name foo --value bar --type SecureString --region us-east-1
Upvotes: 10
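The causes raised across the answers above (missing SSM permission, SecureString decryption and key access, region mismatch) can be checked in a fixed order. This is an added example, not code from any poster: `diagnose`, `FakeSSM`, `FakeError` and the verdict strings are hypothetical names, and the only real API assumed is an SSM client's `get_parameter(Name=..., WithDecryption=...)` as exposed by boto3.

```python
# Added example. FakeSSM/FakeError are constructed stand-ins so this runs offline; with
# real credentials pass  lambda r: boto3.client("ssm", region_name=r)  as make_client.
class FakeError(Exception):
    """Mimics botocore ClientError: the service error code lives in .response."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}

class FakeSSM:
    """Constructed stand-in for the SSM client of one region."""
    def __init__(self, params, can_decrypt=True):
        self.params, self.can_decrypt = params, can_decrypt
    def get_parameter(self, Name, WithDecryption=False):
        if Name not in self.params:
            raise FakeError("ParameterNotFound")
        if WithDecryption and not self.can_decrypt:
            raise FakeError("AccessDeniedException")
        return {"Parameter": {"Name": Name, "Type": self.params[Name]}}

def code_of(exc):
    """Extract the AWS error code, falling back to the exception class name."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", type(exc).__name__)

def diagnose(name, deploy_region, other_regions, make_client):
    """Return a short verdict on why ${ssm:<name>} may fail to resolve."""
    client = make_client(deploy_region)
    try:
        kind = client.get_parameter(Name=name, WithDecryption=False)["Parameter"]["Type"]
    except Exception as exc:
        if code_of(exc) != "ParameterNotFound":
            return f"denied-or-error:{code_of(exc)}"   # e.g. no ssm:GetParameter
        for region in other_regions:                   # created in another region?
            try:
                make_client(region).get_parameter(Name=name, WithDecryption=False)
                return f"wrong-region:{region}"
            except Exception:
                continue
        return "missing"
    if kind != "SecureString":
        return "ok"
    try:                                               # same call the ~true suffix triggers
        client.get_parameter(Name=name, WithDecryption=True)
    except Exception as exc:
        return f"cannot-decrypt:{code_of(exc)}"        # key permission problem
    return "ok-needs-~true"

REGIONS = {  # constructed sample: foo exists only in us-east-1
    "us-east-1": FakeSSM({"foo": "SecureString"}),
    "us-west-2": FakeSSM({}),
}
if __name__ == "__main__":
    print(diagnose("foo", "us-west-2", ["us-east-1"], REGIONS.__getitem__))
```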