How to copy AWS SSM Parameters from one account to another

21 Dec, 2020

Two years ago, I created a utility to copy AWS SSM parameters from one account to another. I published the utility to, without writing a blog about it. As I found out that quite a number of people are using the utility, I decided to unveil it in this blog.
I never dared to publish the existence of this utility, as it goes against my principles of infrastructure as code
and immutable infrastructure. After two years, I am finally ready to admit I wrote it.

a word of caution

Before we continue, note that this utility is dangerous in two ways:

  1. you can overwrite existing parameter values
  2. it allows people to exfiltrate your parameters in no time.

To counter the first, you have to explicitly request to overwrite existing values. There is nothing to counter the second, except for creating proper access policies. I found peace in the fact that you can extract all the secrets using the following standard AWS CLI command too:

aws ssm get-parameters-by-path --path / --with-decryption > all-the-secrets.json
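
One way to check for the access-policy gap described above, as an added example that is not part of aws-ssm-copy or the original post: the sketch scans an IAM policy document for Allow statements that grant SSM parameter read actions on every parameter. The sample policy, account ID and function names are constructed for illustration, and Condition, NotAction and NotResource are not evaluated.

```python
import fnmatch

# IAM actions that return SSM parameter values.
READ_ACTIONS = ("ssm:GetParameter", "ssm:GetParameters",
                "ssm:GetParametersByPath", "ssm:GetParameterHistory")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers_all_parameters(resource):
    """True when a Resource element matches every parameter in the store."""
    if resource == "*":
        return True
    # Expected shape: arn:aws:ssm:<region>:<account>:parameter/<name>
    parts = resource.split(":", 5)
    return (len(parts) == 6 and parts[2] == "ssm"
            and parts[5] in ("*", "parameter*", "parameter/*"))

def broad_ssm_read_statements(policy):
    """Return [(sid, matched_actions)] for Allow statements that grant read access
    to values of all parameters. Condition/NotAction/NotResource are not evaluated."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        matched = sorted(a for a in READ_ACTIONS
                         if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns))
        resources = _as_list(stmt.get("Resource", []))
        if matched and any(_covers_all_parameters(r) for r in resources):
            findings.append((stmt.get("Sid", f"statement-{index}"), matched))
    return findings

# Constructed sample policy; the account ID and Sids are made up.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadEverything", "Effect": "Allow", "Action": "ssm:Get*", "Resource": "*"},
        {"Sid": "ReadDevOnly", "Effect": "Allow",
         "Action": ["ssm:GetParametersByPath", "ssm:GetParameter"],
         "Resource": "arn:aws:ssm:eu-west-1:111122223333:parameter/dev/*"},
        {"Sid": "DescribeOnly", "Effect": "Allow", "Action": "ssm:DescribeParameters", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for sid, actions in broad_ssm_read_statements(SAMPLE_POLICY):
        print(f"{sid}: {', '.join(actions)} allowed on every parameter")
```

Only the ReadEverything statement is reported; the statement scoped to the /dev path and the one that only lists parameter metadata are not.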

So here it is!

installing the utility

To install the utility, type:

pip install aws-ssm-copy

What does it do?

The utility allows you to:

  1. copy parameters in a parameter store to another account
  2. copy parameters in the parameter store to another region in the same account

You can:

  1. select individual parameters
  2. recurse down a path
  3. change the target path

Below you will find a couple of examples:

copying parameters to another region

To copy all parameters to another region, type:

aws-ssm-copy \
   --dry-run \
   --source-region eu-central-1 \
   --region eu-west-1 \
   --recursive / 

Remove the --dry-run to actually perform the copy.

copying parameters to another account

To copy all parameters from one account to another account, type:

aws-ssm-copy \
   --dry-run \
   --source-profile binx-io \
   --recursive /

Remove the --dry-run to actually perform the copy.

copying parameters to another path

To copy all parameters to another path, type:

aws-ssm-copy \
   --dry-run \
   --target-path /old-dev \
   --recursive /dev 

Remove the --dry-run to actually perform the copy.

other options

The other available command line options are:

| option | explanation |
| --- | --- |
| --one-level | one-level copy |
| --overwrite | overwrite existing values |
| --keep-going | keep going as much as possible, even after an error |
| --key-id ID | key ID to use for parameter values in the destination |
| --clear-key-id | clear the KMS key id associated with the parameter |


The aws-ssm-copy utility provides an easy way to copy AWS SSM parameters between regions and accounts. Check out the source code on GitHub and use with care!

Mark van Holsteijn
Mark van Holsteijn is a senior software systems architect at Xebia Cloud-native solutions. He is passionate about removing waste in the software delivery process and keeping things clear and simple.