AWS SAM CloudFormation SSM Parameter secure string not supported workaround
It’s surprisingly difficult to use AWS SSM Parameter secure strings in CloudFormation templates.
If you declare a CloudFormation parameter of type
AWS::SSM::Parameter::Value<String>
and point it at a SecureString parameter, you'll get this error:
An error occurred (ValidationError) when calling the CreateStack operation:
Parameters [/foobar/foo_param] referenced by template have types not supported
by CloudFormation.
If you try to declare a CloudFormation parameter of type
AWS::SSM::Parameter::Value<SecureString>
, you'll get this error, because no such parameter type exists:
An error occurred (ValidationError) when calling the CreateStack operation:
Template format error: Unrecognized parameter type: SecureString
If you try the ssm-secure dynamic reference in the template, for example
in a Lambda function's environment variables,
like this:
Foobar: '{{resolve:ssm-secure:foobar-param:1}}'
You’ll get an error like this:
An error occurred (ValidationError) when calling the CreateStack operation:
SSM Secure reference is not supported in:
[AWS::Lambda::Function/Properties/Environment/Variables]
CloudFormation only resolves ssm-secure references in a short list of resource properties, and Lambda environment variables are not on it, so you're a bit stuck if you want to use an SSM Parameter secure string in a SAM CloudFormation template.
Here's a workaround that uses bash and the aws cli to fetch the SSM Parameter secure string values at deploy time and pass them in as ordinary CloudFormation parameters during the SAM deployment:
# Lint the template and build the function inside the SAM build container
sam validate --lint
sam build --use-container
# Deploy, combining a file of non-sensitive parameters with SecureString
# values decrypted by the aws cli; each value is passed as a Key=Value pair
sam deploy \
--no-confirm-changeset \
--no-fail-on-empty-changeset \
--stack-name foobar-sam-stack \
--image-repository 111122223333.dkr.ecr.eu-west-2.amazonaws.com/foobar-sam-lambda-function \
--parameter-overrides \
$(cat ./deployment/development.params) \
"FoobarParameterOne=$(aws ssm get-parameter --with-decryption --name '/foobar/one/FOOBAR' | jq -r '.Parameter.Value')" \
"FoobarParameterTwo=$(aws ssm get-parameter --with-decryption --name '/foobar/two/FOOBAR' | jq -r '.Parameter.Value')"
The unquoted $(cat ./deployment/development.params)
lets you keep non-sensitive
CloudFormation parameters in a file as one Key=Value pair per line, which can be more convenient. Because it relies on word splitting, values in that file must not contain spaces.
The sensitive values from the SSM Parameter secure strings are fetched with the
aws ssm get-parameter --with-decryption
command and passed to the sam deploy
command as parameter overrides. Two things to keep in mind: declare those parameters with NoEcho: true in the template, otherwise their values are returned in plaintext by describe-stacks and shown in the CloudFormation console; and the values still end up as plaintext Lambda environment variables, readable by anyone allowed to call GetFunctionConfiguration on the function.
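The same workaround as a complete script, added here as an example that is not part of the original post. It keeps the non-sensitive pairs in a params file and fetches the SecureStrings with the aws cli, but builds the override list so that each Key=Value stays a single argument even when a value contains spaces or an '='. It also uses --query/--output text instead of jq. The stack name, file path, parameter names and SSM paths are hypothetical, and the get_ssm_value function is deliberately separate so it can be stubbed out when the script is tested without AWS credentials.

```shell
#!/bin/sh
# Added example, not from the original post. Names and paths are hypothetical.
set -eu

# Fetch one decrypted SecureString. --query/--output text replaces jq.
# Kept as a function so it can be swapped for a stub when testing offline.
get_ssm_value() {
  aws ssm get-parameter --with-decryption --name "$1" \
    --query 'Parameter.Value' --output text
}

# Print one Key=Value per line: first the non-sensitive pairs from the params
# file (blank lines and '#' comments are skipped, malformed lines reported),
# then one line per CfnParam=/ssm/path argument with the value fetched from
# SSM. Values are split only at the first '='; multi-line values are not
# supported, since each line becomes one override.
collect_overrides() {
  file="$1"; shift
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) ;;
      *=*) printf '%s\n' "$line" ;;
      *) printf 'skipping malformed line: %s\n' "$line" >&2 ;;
    esac
  done < "$file"
  for pair in "$@"; do
    key=${pair%%=*}
    path=${pair#*=}
    # Fail loudly instead of silently passing an empty secret to the stack.
    value=$(get_ssm_value "$path") || {
      printf 'failed to fetch SSM parameter %s\n' "$path" >&2
      return 1
    }
    printf '%s=%s\n' "$key" "$value"
  done
}

# Load the collected lines into "$@" (the only list type POSIX sh has) so
# every override reaches sam deploy as exactly one argument, then deploy.
deploy_with_secrets() {
  stack="$1"; file="$2"; shift 2
  overrides=$(collect_overrides "$file" "$@")
  set --
  while IFS= read -r line; do
    if [ -n "$line" ]; then
      set -- "$@" "$line"
    fi
  done <<EOF
$overrides
EOF
  sam validate --lint
  sam build --use-container
  sam deploy \
    --no-confirm-changeset \
    --no-fail-on-empty-changeset \
    --stack-name "$stack" \
    --parameter-overrides "$@"
}

# Only deploy when explicitly asked, so sourcing this file just defines the
# functions and never touches AWS.
if [ "${1:-}" = deploy ]; then
  deploy_with_secrets foobar-sam-stack ./deployment/development.params \
    FoobarParameterOne=/foobar/one/FOOBAR \
    FoobarParameterTwo=/foobar/two/FOOBAR
fi
```

Run it as `sh deploy.sh deploy` (or whatever you name the file). The template still has to declare FoobarParameterOne and FoobarParameterTwo with NoEcho: true; this script only fixes how the values get from SSM to sam deploy, not where they end up afterwards.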