Josh Sherman
Parameter Store has slowly become one of my favorite things about AWS. It makes
it easy to share things between ECS tasks and services, and Lambdas. The
parameters can be references inside of a CodeBuild buildspec file, and it’s
all language agnostic, which is handy if you are running different technologies
across your infrastructure.
With support for both String and SecureString parameter types, you can
choose your own adventure in terms of how securely stored a parameter needs to
be. I opt to use SecureString for anything sensitive (passwords, API keys, and
such) and String for just about everything else.
While there is also a StringList type, I don’t ever use it. I’m sure it’s a
fine parameter type, but as all it does is store a comma separated list of
strings, and doesn’t have a SecureStringList counterpart, I don’t see the need
in reaching for it.
So let’s say you have a mix of String and SecureString parameters. We know
that if we want to fetch a SecureString, we have to pass in the
WithDecryption parameter when making the request. Does that mean
we’ll have to make separate requests, one with WithDecryption and one without
WithDecryption (or with it set to false)?
Nope, as it turns out, the WithDecryption value can be set when getting plain
ol’ String parameter types. It’s smart enough to know that the value doesn’t
need decrypted and will return the value. Because of this, we can fetch both
String and SecureString parameter types together:
import * as AWS from 'aws-sdk';
const ssm = new AWS.SSM();
const parameters = await ssm.getParameters({
Names: ['insecureParam', 'secureParam'],
WithDecryption: true,
}).promise();
