Search code examples
javaamazon-web-servicesscalaaws-glueaws-ssm

Accessing SecureString SSM parameters with Scala

I'm using a Scala Script in Glue to access a third party vendor with a dependent library. You can see the template I'm working off here

This solution works well, but runs with the parameters stored in the clear. I'd like to move those to AWS SSM and store them as a SecureString. To accomplish this, I believe the function would have to pull a CMK from KMS, then pull the SecureString and use the CMK to decrypt it.

I poked around the internet trying to find code examples for something as simple as pulling an SSM parameter from within Scala, but I wasn't able to find anything. I've only just started using the language and I'm not very familiar with its structure, is the expectation that aws-java libraries would also work in Scala for these kinds of operation? I've tried this but am getting compilation errors in Glue. Just for example

import software.amazon.awscdk.services.ssm.StringParameter;

  
object SfdcExtractData {  
  def main(sysArgs: Array[String]) {  
    print("starting")
    
    String secureStringToken = StringParameter.valueForSecureStringParameter(this, "my-secure-parameter-name", 1);   // must specify version

Gives a compilation error, although aws glue doesn't good job of telling me what the issue is.

Thank you for your time! If you have any code examples, insight, or resources please let me know. My job is running Scala 2 on Spark 2.4

Solution

  • was able to do this with the following code snippet

    import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient
import com.amazonaws.services.simplesystemsmanagement.model.GetParameterRequest
import com.amazonaws.services.simplesystemsmanagement.model.GetParameterResult

    // create a client AWSSimpleSystemsManagementClient object
    val client = new AWSSimpleSystemsManagementClient()

    // Create a GetParameterRequest object, which send the actual request
    val req = new GetParameterRequest()

    // set the name of the parameter in the object. 
    req.setName("test")
    // Only needed if the parameter is a secureString encrypted with the default kms key. If you're using a CMK you need to add the glue user as a key user. To do so, navigate to KMS console --> Customer Managed Keys --> Click on KMS key used for encryption --> Under Key policies --> Key user --> Add ( Add the Glue role )
    req.setWithDecryption(true)


    // call the getParameter() function on the object
    val param = client.getParameter(req)

    Remember to give your glue role iam permissions to ssm too!