Tags: amazon-web-services, aws-ssm

SSM Parameter store - how to dynamically select version of parameter I need to access


I am using SSM Secure Parameter store to store a password for an RDS DB.

  • I have CloudFormation that
    • Generates the password and stores it under a key with a specific name. The name is generated based on one of the input parameters to the CloudFormation
    • The parameter is stored using an IAM role created by the CloudFormation
  • Another CloudFormation stack that runs after
    • Uses the same IAM role to retrieve the parameters and deploy RDS using the parameter as the password
    • That CloudFormation uses ssm-secure: like this
            "MasterUserPassword": {
                "Fn::Sub": "{{resolve:ssm-secure:${WorkshopName}:1}}"
            },

Note the "1". The SSM Secure String Parameters docs are very clear: "An integer that specifies the version of the parameter to use. You must specify the exact version. You cannot currently specify that AWS CloudFormation use the latest version of a parameter."

That's the bummer

  • Using the latest version is exactly what I want to do
  • Under some circumstances I can end up with an old key in the version 1 slot. Then everything fails as the first CFN stack creates v2, and the next stack tries to retrieve v1 and fails (it was created under a different IAM Role and fails with "The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.")

Any programmatic suggestion on how I might implement more resilient logic to either

  • always grab the latest version, or
  • catch failures when it tries to get v1, and then increment versions until it succeeds

Solution

  • Looks here like the behavior has changed:

    version

    An integer that specifies the version of the parameter to use. If you don't specify the exact version, CloudFormation uses the latest version of the parameter whenever you create or update the stack. For more information, see Working with parameter versions in the AWS Systems Manager User Guide

    Optional.

    So now it can access the latest version.
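As an added example (not code from the question or the answer), a small Python helper that walks a parsed CloudFormation template, reports every ssm-secure dynamic reference together with its pinned version, and strips the version so the reference resolves to the latest parameter version the way the answer describes. The sample template and the function names are constructed for illustration.

```python
import re

# Matches a CloudFormation ssm-secure dynamic reference such as
# {{resolve:ssm-secure:${WorkshopName}:1}} or {{resolve:ssm-secure:/app/db}}.
# The name part may contain Fn::Sub placeholders like ${WorkshopName};
# the ":version" suffix is optional (absent means "latest", per the answer).
SSM_SECURE_REF = re.compile(
    r"\{\{resolve:ssm-secure:(?P<name>(?:\$\{[^}]*\}|[^:}])+)(?::(?P<version>\d+))?\}\}"
)

def find_ssm_secure_refs(node, path=""):
    """Walk a parsed template and yield (path, parameter_name, version)
    for every ssm-secure reference; version is None when it is unpinned."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_ssm_secure_refs(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_ssm_secure_refs(value, f"{path}[{i}]")
    elif isinstance(node, str):
        for m in SSM_SECURE_REF.finditer(node):
            ver = m.group("version")
            yield path, m.group("name"), int(ver) if ver else None

def unpin_ssm_secure_refs(node):
    """Return a copy of the template with every pinned version removed, so
    CloudFormation resolves the latest version on each stack create/update."""
    if isinstance(node, dict):
        return {k: unpin_ssm_secure_refs(v) for k, v in node.items()}
    if isinstance(node, list):
        return [unpin_ssm_secure_refs(v) for v in node]
    if isinstance(node, str):
        return SSM_SECURE_REF.sub(r"{{resolve:ssm-secure:\g<name>}}", node)
    return node

# Constructed sample: the RDS property from the question, pinned to version 1.
SAMPLE_TEMPLATE = {
    "Resources": {
        "Database": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {
                "MasterUserPassword": {
                    "Fn::Sub": "{{resolve:ssm-secure:${WorkshopName}:1}}"
                }
            },
        }
    }
}
```

Running `find_ssm_secure_refs` over a template before deployment is a cheap check for references still pinned to a version that may have been written under a different key.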