Two years ago, I created a utility to copy AWS SSM parameters from one account to another. I published the utility to pypi.org without writing a blog about it. As I found out that quite a number of people are using the utility, I decided to unveil it in this blog.
I never dared to publish the existence of this utility, as it goes against my principles of infrastructure as code and immutable infrastructure. After two years, I am finally ready to admit I wrote it.
a word of caution
Before we continue, note that this utility is dangerous in two ways:
- you can overwrite existing parameter values
- it allows people to exfiltrate your parameters in no time.
To counter the first, you have to explicitly request to overwrite existing values. There is nothing to counter the second, except for creating proper access policies. I found peace in the fact that you can extract all the secrets using the following standard AWS CLI command too (the CLI paginates for you; without --recursive you would only get the parameters directly under /):
aws ssm get-parameters-by-path --path / --recursive --with-decryption > all-the-secrets.json
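Since access policies are the only preventive control, the practical complement is to notice when such a bulk read happens. CloudTrail records every SSM API call, including GetParametersByPath with its path, recursive and withDecryption request parameters. The following is an added example written for this post, not part of aws-ssm-copy: it scans newline-delimited CloudTrail records and flags recursive, decrypting reads at the root or one level below it, which is the shape of a whole-store dump rather than an application reading its own sub-tree. The sample records, the account id, the role and user names and the depth threshold are all constructed for the example.

```python
"""Spot bulk SSM parameter reads in CloudTrail, an added example for this post.

Not part of aws-ssm-copy. The events below are constructed for the example;
their field names (eventSource, eventName, requestParameters, userIdentity.arn)
follow CloudTrail's record layout for SSM API calls.
"""
import json
from typing import Iterable, List

# Constructed events: a scoped read by an application role, a read of the whole
# tree with decryption by an IAM user, and an unrelated single-parameter read.
SAMPLE_RECORDS = [
    json.dumps({"eventSource": "ssm.amazonaws.com", "eventName": "GetParametersByPath",
                "requestParameters": {"path": "/app/payments", "recursive": True, "withDecryption": True},
                "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/payments-task/i-0abc"},
                "sourceIPAddress": "10.0.12.7"}),
    json.dumps({"eventSource": "ssm.amazonaws.com", "eventName": "GetParametersByPath",
                "requestParameters": {"path": "/", "recursive": True, "withDecryption": True},
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
                "sourceIPAddress": "203.0.113.9"}),
    json.dumps({"eventSource": "ssm.amazonaws.com", "eventName": "GetParameter",
                "requestParameters": {"name": "/app/payments/db-url", "withDecryption": True},
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
                "sourceIPAddress": "203.0.113.9"}),
]


def path_depth(path: str) -> int:
    """Number of path segments: / -> 0, /app -> 1, /app/payments -> 2."""
    return len([seg for seg in path.split("/") if seg])


def is_bulk_read(event: dict, max_depth: int = 1) -> bool:
    """True for a recursive, decrypting GetParametersByPath at or above max_depth.

    A recursive read from / with decryption is what a whole-store dump (CLI or a
    recursive copy) looks like; application code normally reads one known sub-tree.
    The depth threshold is a constructed tuning knob, not an AWS default.
    """
    if event.get("eventSource") != "ssm.amazonaws.com":
        return False
    if event.get("eventName") != "GetParametersByPath":
        return False
    rp = event.get("requestParameters") or {}
    if not (rp.get("recursive") and rp.get("withDecryption")):
        return False
    return path_depth(rp.get("path", "/")) <= max_depth


def find_bulk_reads(lines: Iterable[str], max_depth: int = 1) -> List[str]:
    """Return the caller ARN of every bulk read among newline-delimited JSON records."""
    hits = []
    for line in lines:
        event = json.loads(line)
        if is_bulk_read(event, max_depth):
            hits.append(event.get("userIdentity", {}).get("arn", "?"))
    return hits


if __name__ == "__main__":
    for arn in find_bulk_reads(SAMPLE_RECORDS):
        print("bulk parameter read by", arn)
```

Feed it the unzipped CloudTrail delivery files (one JSON object per record) and raise the threshold or add an allow-list of ARNs for the one pipeline identity that is legitimately expected to copy parameters.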
So here it is!
installing the utility
To install the utility, type:
pip install aws-ssm-copy
What does it do?
The utility allows you to:
- copy parameters in a parameter store to another account
- copy parameters in the parameter store to another region in the same account
You can:
- select individual parameters
- recurse down a path
- change the target path
Below you will find a couple of examples:
copying parameters to another region
To copy all parameters to another region, type:
aws-ssm-copy \
--dry-run \
--source-region eu-central-1 \
--region eu-west-1 \
--recursive /
Remove the --dry-run to actually perform the copy.
copying parameters to another account
To copy all parameters from one account to another account, type:
aws-ssm-copy \
--dry-run \
--source-profile binx-io \
--recursive /
Remove the --dry-run to actually perform the copy.
copying parameters to another path
To copy all parameters to another path, type:
aws-ssm-copy \
--dry-run \
--target-path /old-dev \
--recursive /dev
Remove the --dry-run to actually perform the copy.
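The three invocations above share one loop: page through GetParametersByPath with decryption on the source, rewrite the name when a target path is given, and PutParameter on the destination, refusing to overwrite unless asked. The following is an added example written for this post, not the aws-ssm-copy source. Its copy function only needs an object exposing get_parameters_by_path() and put_parameter() in boto3's calling convention, so a real boto3.client("ssm", region_name=...) built from the source and target sessions can be passed in unchanged; the FakeSSM class, the parameter names and values and the key alias are constructed so the module runs offline.

```python
"""Core of an SSM parameter copy, written for this post as an illustration.

Not the aws-ssm-copy source. copy_parameters() only needs objects with
get_parameters_by_path() and put_parameter() in boto3's calling convention;
FakeSSM is a constructed in-memory stand-in so the module runs offline.
"""
from typing import Dict, Iterator, Optional


class FakeSSM:
    """Constructed stand-in for the two boto3 SSM calls used below."""

    def __init__(self, params: Optional[Dict[str, dict]] = None, page_size: int = 10):
        self.params = {k: dict(v) for k, v in (params or {}).items()}
        self.page_size = page_size

    def get_parameters_by_path(self, Path, Recursive=False, WithDecryption=False, NextToken=None):
        # Hierarchy semantics: "/" matches everything, otherwise names below the path.
        prefix = "/" if Path == "/" else Path.rstrip("/") + "/"
        names = sorted(n for n in self.params if n.startswith(prefix))
        if not Recursive:
            names = [n for n in names if "/" not in n[len(prefix):]]
        start = int(NextToken or 0)
        page = names[start:start + self.page_size]
        # The real response carries Name/Type/Value but no KeyId, so strip it here too.
        resp = {"Parameters": [{k: v for k, v in self.params[n].items() if k != "KeyId"} for n in page]}
        if start + self.page_size < len(names):
            resp["NextToken"] = str(start + self.page_size)
        return resp

    def put_parameter(self, Name, Value, Type, Overwrite=False, KeyId=None):
        # Like the real API, an existing name without Overwrite=True is an error.
        if Name in self.params and not Overwrite:
            raise RuntimeError("ParameterAlreadyExists: " + Name)
        entry = {"Name": Name, "Value": Value, "Type": Type}
        if KeyId:
            entry["KeyId"] = KeyId
        self.params[Name] = entry
        return {"Version": 1}


def iter_parameters(ssm, path: str, recursive: bool) -> Iterator[dict]:
    """Page through get_parameters_by_path; WithDecryption so SecureString values arrive in clear."""
    kwargs = {"Path": path, "Recursive": recursive, "WithDecryption": True}
    while True:
        resp = ssm.get_parameters_by_path(**kwargs)
        yield from resp.get("Parameters", [])
        token = resp.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def rewrite_name(name: str, source_path: str, target_path: Optional[str]) -> str:
    """--target-path: swap the source prefix, e.g. /dev/db/host -> /old-dev/db/host."""
    if not target_path:
        return name
    src = source_path.rstrip("/")
    return target_path.rstrip("/") + name[len(src):]


def copy_parameters(source, target, path="/", recursive=True, target_path=None,
                    dry_run=True, overwrite=False, keep_going=False, key_id=None):
    """Copy every parameter under path; the returned summary is what a dry run would print."""
    summary = {"planned": [], "copied": [], "errors": []}
    for param in iter_parameters(source, path, recursive):
        name = rewrite_name(param["Name"], path, target_path)
        put = {"Name": name, "Value": param["Value"], "Type": param["Type"], "Overwrite": overwrite}
        # --key-id: SecureString values are encrypted under this key in the destination;
        # without it PutParameter falls back to the destination account's default SSM key.
        if key_id and param["Type"] == "SecureString":
            put["KeyId"] = key_id
        if dry_run:
            summary["planned"].append(name)
            continue
        try:
            target.put_parameter(**put)
            summary["copied"].append(name)
        except Exception as exc:  # with boto3 this is a botocore ClientError
            summary["errors"].append((name, str(exc)))
            if not keep_going:  # --keep-going: record the error and carry on
                break
    return summary


if __name__ == "__main__":
    # Constructed source store: two parameters under /dev and one under /prod.
    source = FakeSSM({
        "/dev/db/host": {"Name": "/dev/db/host", "Value": "db.dev.internal", "Type": "String"},
        "/dev/db/password": {"Name": "/dev/db/password", "Value": "s3cret", "Type": "SecureString"},
        "/prod/db/host": {"Name": "/prod/db/host", "Value": "db.prod.internal", "Type": "String"},
    }, page_size=1)
    target = FakeSSM({"/old-dev/db/host": {"Name": "/old-dev/db/host", "Value": "stale", "Type": "String"}})
    print(copy_parameters(source, target, path="/dev", target_path="/old-dev"))  # dry run
    print(copy_parameters(source, target, path="/dev", target_path="/old-dev", dry_run=False))  # stops at existing
    print(copy_parameters(source, target, path="/dev", target_path="/old-dev", dry_run=False,
                          overwrite=True, key_id="alias/old-dev-params"))
```

The dry run reports the rewritten names without touching the destination; the first real run stops at the first parameter that already exists, exactly the protection the caution above describes; only the run with overwrite set replaces the stale value.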
other options
The other available command line options are:
| option | explanation |
| --- | --- |
| --one-level | one-level copy: only the parameters directly under the path, no recursion |
| --overwrite | overwrite existing values in the destination |
| --keep-going | keep going as much as possible, even after an error |
| --key-id ID | KMS key id to use for parameter values in the destination |
| --clear-key-id | clear the KMS key id associated with the parameter |
Conclusion
The aws-ssm-copy utility provides an easy way to copy AWS SSM parameters between regions and accounts. Check out the source code on GitHub and use it with care!