How to copy AWS SSM Parameters from one account to another

Two years ago, I created a utility to copy AWS SSM parameters from one account to another. I published the utility to pypi.org, without writing a blog about it. As I found out that quite a number of people are using the utility, I decided to unveil it in this blog.

I never dared to publish the existence of this utility, as it goes against my principles of infrastructure as code
and immutable infrastructure. After two years, I am finally ready to admit I wrote it.

a word of caution

Before we continue, note that this utility is dangerous in two ways:

  1. you can overwrite existing parameter values
  2. it allows people to exfiltrate your parameters in no time.

To counter the first, you have to explicitly request to overwrite existing values with the --overwrite option. There is nothing
to counter the second, except for creating proper access policies. I found peace in the fact that you can extract all the secrets using the following standard AWS CLI command too:

aws ssm get-parameters-by-path --path / --with-decryption > all-the-secrets.json
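
An added example, not part of the original post or of the aws-ssm-copy project: a small Python check for the "proper access policies" point above. It lists the Allow statements in an IAM policy document that grant SSM parameter read actions on every parameter. The sample policies, account ID and paths are constructed, and Condition, NotAction and NotResource are not evaluated.

```python
from fnmatch import fnmatchcase

# IAM actions that return SSM parameter values.
SSM_READ_ACTIONS = ("ssm:getparameter", "ssm:getparameters",
                    "ssm:getparametersbypath", "ssm:getparameterhistory")

def _as_list(value):
    """IAM accepts a single string/object or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def _grants_read(action):
    """True if the action pattern (may contain *) matches an SSM read action."""
    pattern = action.lower()  # IAM action names are case-insensitive
    return any(fnmatchcase(name, pattern) for name in SSM_READ_ACTIONS)

def _covers_all_parameters(resource):
    """True for "*" or an SSM ARN whose resource part is a bare wildcard."""
    if resource == "*":
        return True
    parts = resource.split(":", 5)  # arn:partition:service:region:account:resource
    return (len(parts) == 6 and parts[2] in ("ssm", "*")
            and parts[5] in ("*", "parameter*", "parameter/*"))

def broad_ssm_read_statements(policy):
    """Return Allow statements that permit reading every parameter.

    Assumptions of this example: Condition blocks are not evaluated (review
    flagged statements by hand) and NotAction/NotResource are not handled.
    """
    return [
        stmt for stmt in _as_list(policy.get("Statement"))
        if stmt.get("Effect") == "Allow"
        and any(_grants_read(a) for a in _as_list(stmt.get("Action")))
        and any(_covers_all_parameters(r) for r in _as_list(stmt.get("Resource")))
    ]

# Constructed sample policies (account id and paths are placeholders).
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadAll", "Effect": "Allow", "Action": "ssm:Get*", "Resource": "*"},
    {"Sid": "List", "Effect": "Allow", "Action": "ssm:DescribeParameters", "Resource": "*"},
]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": {
    "Sid": "ReadDevOnly", "Effect": "Allow",
    "Action": ["ssm:GetParameter", "ssm:GetParametersByPath"],
    "Resource": "arn:aws:ssm:eu-west-1:123456789012:parameter/dev/*"}}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, [s["Sid"] for s in broad_ssm_read_statements(policy)])
```

Reading SecureString values with decryption also requires kms:Decrypt on the key, so scoping the KMS key policy is a second control next to the SSM resource scope.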

So here it is!

installing the utility

To install the utility, type:

pip install aws-ssm-copy

What does it do?

The utility allows you to:

  1. copy parameters in a parameter store to another account
  2. copy parameters in the parameter store to another region in the same account

You can:

  1. select individual parameters
  2. recurse down a path
  3. change the target path

Below you will find a couple of examples:

copying parameters to another region

To copy all parameters to another region, type:

aws-ssm-copy \
   --dry-run \
   --source-region eu-central-1 \
   --region eu-west-1 \
   --recursive / 

Remove the --dry-run to actually perform the copy.

copying parameters to another account

To copy all parameters from one account to another account, type:

aws-ssm-copy \
   --dry-run \
   --source-profile binx-io \
   --recursive /

Remove the --dry-run to actually perform the copy.

copying parameters to another path

To copy all parameters to another path, type:

aws-ssm-copy \
   --dry-run \
   --target-path /old-dev \
   --recursive /dev 

Remove the --dry-run to actually perform the copy.

other options

The other available command line options are:

option           explanation
--one-level      one-level copy
--overwrite      overwrite existing values
--keep-going     keep going as much as possible, even after an error
--key-id ID      KMS key ID to use for parameter values in the destination
--clear-key-id   clear the KMS key id associated with the parameter

Conclusion

The aws-ssm-copy utility provides an easy way to copy AWS SSM parameters between regions and accounts. Check out the source code on GitHub and use it with care!

Mark van Holsteijn is a senior software systems architect, and CTO of binx.io. He is passionate about removing waste in the software delivery process and keeping things clear and simple.