AWS SAM CloudFormation SSM Parameter secure string not supported workaround

It’s surprisingly difficult to use AWS SSM Parameter secure strings in CloudFormation templates.

If you try and have CloudFormation fetch the value of the SSM Parameter as an AWS::SSM::Parameter::Value<String> type, you’ll get this error:

An error occurred (ValidationError) when calling the CreateStack operation:
Parameters [/foobar/foo_param] referenced by template have types not supported
by CloudFormation.

If you try and have a CloudFormation parameter of type AWS::SSM::Parameter::Value<SecureString>, you’ll get this error:

An error occurred (ValidationError) when calling the CreateStack operation:
Template format error: Unrecognized parameter type: SecureString

If you try and use the special resolve function in the CloudFormation template, like this:

Foobar: '{{resolve:ssm-secure:foobar-param:1}}'

You’ll get an error like this:

An error occurred (ValidationError) when calling the CreateStack operation:
SSM Secure reference is not supported in:
[AWS::Lambda::Function/Properties/Environment/Variables]

So it seems you’re a bit stuck if you want to use an SSM Parameter secure string in a SAM CloudFormation template.

Here’s a workaround that uses bash and the aws cli to fetch the SSM Parameter secure string values and pass them in as CloudFormation parameters during the SAM deployment:

sam validate --lint

sam build --use-container

sam deploy \
  --no-confirm-changeset \
  --no-fail-on-empty-changeset \
  --stack-name foobar-sam-stack \
  --image-repository 111122223333.dkr.ecr.eu-west-2.amazonaws.com/foobar-sam-lambda-function \
  --parameter-overrides \
    $(cat ./deployment/development.params) \
    "FoobarParameterOne=$(aws ssm get-parameter --with-decryption --name '/foobar/one/FOOBAR' | jq -r '.Parameter.Value')" \
    "FoobarParameterTwo=$(aws ssm get-parameter --with-decryption --name '/foobar/two/FOOBAR' | jq -r '.Parameter.Value')"

The $(cat ./deployment/development.params) lets you have non-sensitive CloudFormation parameters in a file, which can be more convenient.

The sensitive values from the SSM Parameter secure strings are fetched using the aws ssm get-parameter command and passed in to the sam deploy command.
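The one-liner above has a quiet failure mode: if aws ssm get-parameter fails (wrong path, missing permission, expired credentials), jq reads empty input and the substitution expands to an empty string, so sam deploy proceeds with a blank secret. The script below is an added example, not code from the original post: it keeps the same shape (non-sensitive parameters from a file, secrets from SSM) but resolves each secret through a function that fails the deploy when a lookup errors or returns an empty value, and it passes the values through the positional parameters rather than unquoted word splitting so a value containing spaces arrives intact. The mapping of CloudFormation parameter names to SSM paths is a constructed sample, and SSM_FETCH is a hypothetical hook that lets you swap the real aws call for a stub during an offline dry run.

```shell
#!/bin/sh
# Added example, not part of the original post: fetch SSM SecureString values
# with fail-fast checks and hand them to `sam deploy` as parameter overrides.
set -eu

# One "CfnParameterName=/ssm/path" entry per line. Constructed sample mapping;
# the paths are placeholders, not real parameters.
SECRET_PARAMS='
FoobarParameterOne=/foobar/one/FOOBAR
FoobarParameterTwo=/foobar/two/FOOBAR
'

# Fetch one decrypted value. --query/--output text replaces the jq pipe, so a
# failed API call surfaces as a non-zero exit instead of silently yielding "".
fetch_ssm_value() {
  aws ssm get-parameter --with-decryption --name "$1" \
    --query 'Parameter.Value' --output text
}

# Hypothetical hook: SSM_FETCH names the fetcher, so a dry run can stub it.
: "${SSM_FETCH:=fetch_ssm_value}"

# Turn "CfnName=/ssm/path" into "CfnName=<decrypted value>". Fails if the lookup
# errors or returns nothing, so a deploy never runs with a blank secret.
resolve_override() {
  name=${1%%=*}
  path=${1#*=}
  value=$("$SSM_FETCH" "$path") || {
    echo "error: could not read SSM parameter $path for $name" >&2
    return 1
  }
  if [ -z "$value" ] || [ "$value" = "None" ]; then
    echo "error: SSM parameter $path for $name is empty" >&2
    return 1
  fi
  printf '%s=%s' "$name" "$value"
}

# Resolve every entry in a mapping and report how many succeeded; a single
# failure aborts, which is the pre-flight check to run before sam deploy.
count_resolved() {
  n=0
  for entry in $1; do
    resolve_override "$entry" >/dev/null || return 1
    n=$((n + 1))
  done
  echo "$n"
}

# Build the full argument list in "$@" (POSIX-safe, no bash arrays) and deploy.
deploy_with_secrets() {
  set -- --parameter-overrides
  # Non-sensitive parameters still come from the file, as in the post.
  for plain in $(cat ./deployment/development.params); do
    set -- "$@" "$plain"
  done
  for entry in $SECRET_PARAMS; do
    # Assign first so a failed resolve_override aborts under set -e.
    resolved=$(resolve_override "$entry") || return 1
    set -- "$@" "$resolved"
  done
  sam validate --lint
  sam build --use-container
  sam deploy \
    --no-confirm-changeset \
    --no-fail-on-empty-changeset \
    --stack-name foobar-sam-stack \
    --image-repository 111122223333.dkr.ecr.eu-west-2.amazonaws.com/foobar-sam-lambda-function \
    "$@"
}

# Only deploy when explicitly asked: ./deploy.sh deploy
case "${1:-}" in
  deploy) deploy_with_secrets ;;
esac
```

Run it as ./deploy.sh deploy; sourcing the file or running it without the argument only defines the functions, so count_resolved "$SECRET_PARAMS" can be used as a pre-flight check in CI. Two points worth pairing with this: the values still travel on the sam deploy command line, so keep the deploy step off shared hosts where other users can read process arguments, and declare the secret parameters with NoEcho: true in the template so CloudFormation masks them in describe-stacks output and the console.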
