ssm: support cross-account ssm get parameter #30603
Comments
pahud
added
feature-request
|
internal tracking: D140572316 |
|
Looks like it won't be possible until CFN supports cross-account parameter read. |
|
|
related to #29292 |
|
OK I figured it out how to do that with CDK. Assuming we have both stack.ts export class ParameterProducer extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
// create a ssm advanced parameter
const ssmparam = new ssm.StringParameter(this, 'param', {
parameterName: 'dummyName',
tier: ssm.ParameterTier.ADVANCED,
stringValue: 'dummyValue',
});
const consumerAccount = 'CONSUMER_ACCOUNT_ID';
// create the resource share
new ram.CfnResourceShare(this, 'resourceShare', {
name: 'dummyName',
allowExternalPrincipals: true,
principals: [ consumerAccount ],
resourceArns: [ ssmparam.parameterArn ],
});
new CfnOutput(this, 'producedParamArn', { value: ssmparam.parameterArn})
}
}
export class ParameterStringCrossAccount {
static fromArn(scope: Construct, id: string, arn: string): string {
const cfnparam = new CfnParameter(scope, id, {
type: 'AWS::SSM::Parameter::Value<String>',
default: arn,
});
return cfnparam.valueAsString;
}
}
export class DummyStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
// build the ARN of the parameter shared by the producer
const xaccountParameterArn = Stack.of(this).formatArn({
service: 'ssm',
region: 'us-east-1',
account: 'PRODUCER_ACCOUNT_ID',
resource: 'parameter',
resourceName: 'dummyName',
});
const remoteValue = ParameterStringCrossAccount.fromArn(this, 'remote-value', xaccountParameterArn)
new CfnOutput(this, 'param-value', { value: remoteValue });
}
}app.ts const producerEnv = { region: 'us-east-1', account: 'PRODUCER_ACCOUNT_ID' };
const consumerEnv ={ region: process.env.CDK_DEFAULT_REGION, account: process.env.CDK_DEFAULT_ACCOUNT };
new ParameterProducer(app, 'ParameterProducer', { env: producerEnv });
new DummyStack(app, 'dummy-stack', { env: consumerEnv });Now, deploy the You need to accept the sharing invitation from the RAM console of the Consumer account. This can not be done with CDK at this moment. Now, try to get that using AWS CLI from Consumer account It works! Now, deploy the consumer stack using consumer account: You should see the value returned: Outputs: |
|
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one. |
|
Update: cross-account SSM Parameters sharing is supported now. Check the doc for more details about the fromStringParameterArn() method. If you need to know about SSM in AWS CDK, feel free to reference this blog post - SSM Parameters in AWS CDK from community.aws. |
Describe the feature
If ssm parameter is created in Account A sharing with Account B through RAM. Account B would not be able to reference that using fromStringParameterAttributes. Only valueFromLookup would support.
This seems to be a blocker.
Use Case
cross-account ssm parameter referencing without lookup with SDK
Proposed Solution
I guess we have two options
Other Information
No response
Acknowledgements
CDK version used
2.146.0
Environment details (OS name and version, etc.)
all
The text was updated successfully, but these errors were encountered: