Middy ssm middleware

This middleware fetches parameters from AWS Systems Manager Parameter Store.

Parameters to fetch can be defined by path and by name (not mutually exclusive). See AWS docs here.

Parameters can be assigned to the Node.js process.env object by setting the setToEnv flag to true. They can also be assigned to the function handler's context object by setting the setToContext flag to true. By default all parameters are added with uppercase names.

The Middleware makes a single API request to fetch all the parameters defined by name, but must make an additional request per specified path. This is because the AWS SDK currently doesn't expose a method to retrieve parameters from multiple paths.

For each parameter defined by name, you also provide the name under which its value should be added to process.env or context. For each path, you instead provide a prefix, and by default the value import each parameter returned from that path will be added to process.env or context with a name equal to what's left of the parameter's full name after the defined path, with the prefix prepended. If the prefix is an empty string, nothing is prepended. You can override this behaviour by providing your own mapping function with the getParamNameFromPath config option.

Install

To install this middleware you can use NPM:

npm install --save @middy/ssm

Options

• AwsClient (object) (default AWS.SSM): AWS.SSM class constructor (e.g. that has been instrumented with AWS X-Ray). Must be from aws-sdk v2.
• awsClientOptions (object) (optional): Options to pass to AWS.SSM class constructor.
• awsClientAssumeRole (string) (optional): Internal key where role tokens are stored. See @middy/sts on to set this.
• awsClientCapture (function) (optional): Enable AWS X-Ray by passing captureAWSClient from aws-xray-sdk in.
• fetchData (object) (required): Mapping of internal key name to API request parameter Names/Path. SecureString are automatically decrypted.
• disablePrefetch (boolean) (default false): On cold start requests will trigger early if they can. Setting awsClientAssumeRole disables prefetch.
• cacheKey (string) (default ssm): Cache key for the fetched data responses. Must be unique across all middleware.
• cacheExpiry (number) (default -1): How long fetch data responses should be cached for. -1: cache forever, 0: never cache, n: cache for n ms.
• setToEnv (boolean) (default false): Store role tokens to process.env. Storing secrets in process.env is considered security bad practice
• setToContext (boolean) (default false): Store role tokens to request.context.

NOTES:

• Lambda is required to have IAM permission for ssm:GetParameters and/or ssm:GetParametersByPath depending on what you're requesting.
• SSM has throughput limitations. Switching to Advanced Parameter type or increasing maxRetries and retryDelayOptions.base in awsClientOptions may be required.
• setToEnv and setToContext are included for legacy support and should be avoided for performance and security reasons. See main documentation for best practices.
• setToEnv can only assign secrets of type string

Sample usage

import middy from '@middy/core'
import ssm from '@middy/ssm'

const handler = middy((event, context) => {
  return {}
})

let globalDefaults = {}
handler
  .use(ssm({
    fetchData: {
      accessToken: '/dev/service_name/access_token',  // single value
      dbParams: '/dev/service_name/database/',        // object of values, key for each path
      defaults: '/dev/defaults'
    },
    setToContext: true
  }))
  .before((request) => {
    globalDefaults = request.context.defaults.global
  })

import middy from '@middy/core'
import {getInternal} from '@middy/util'
import ssm from '@middy/ssm'

const handler = middy((event, context) => {
  return {}
})

let globalDefaults = {}
handler
  .use(ssm({
    fetchData: {
      defaults: '/dev/defaults'
    },
    cacheKey: 'ssm-defaults'
  }))
  .use(ssm({
    fetchData: {
      accessToken: '/dev/service_name/access_token',  // single value
      dbParams: '/dev/service_name/database/',        // object of values, key for each path
    },
    cacheExpiry: 15*60*1000,
    cacheKey: 'ssm-secrets'
  }))
  // ... other middleware that fetch
  .before(async (request) => {
    const data = await getInternal(['accessToken','dbParams','defaults'], request)
    Object.assign(request.context, data)
  })

Middy documentation and examples

For more documentation and examples, refers to the main Middy monorepo on GitHub or Middy official website.

Contributing

Everyone is very welcome to contribute to this repository. Feel free to raise issues or to submit Pull Requests.

License

Licensed under MIT License. Copyright (c) 2017-2021 Luciano Mammino, will Farrell, and the Middy team.