How to copy AWS SSM Parameters from one account to another

Two years ago, I created a utility to copy AWS SSM parameters from one account to another. I published the utility to pypi.org, without writing a blog about it. As I found out that quite a number of people are using the utility, I decided to unveil it in this blog.

I never dared to publish the existence of this utility, as it goes against my principles of infrastructure as code
and immutable infrastructure. After two years, I am finally ready to admit I wrote it.

a word of caution

Before we continue, note that this utility is dangerous in two ways:

  1. you can overwrite existing parameter values
  2. it allows people to exfiltrate your parameters in no time.

To counter the first, you have to explicitly request to overwrite existing values. There is nothing
to counter the second, except for creating proper access policies. I found peace in the fact that you can extract all the secrets using the following standard AWS CLI command too:

aws ssm get-parameters-by-path --path / --with-decryption > all-the-secrets.json

So here it is!

installing the utility

To install the utility, type:

pip install aws-ssm-copy

What does it do?

The utility allows you to:

  1. copy parameters in a parameter store to another account
  2. copy parameters in the parameter store to another region in the same account

You can:

  1. select individual parameters
  2. recurse down a path
  3. change the target path

Below you will find a couple of examples:

copying parameters to another region

To copy all parameters to another region, type:

aws-ssm-copy \
   --dry-run \
   --source-region eu-central-1 \
   --region eu-west-1 \
   --recursive / 

Remove the --dry-run to actually perform the copy.

copying parameters to another account

To copy all parameters from one account to another account, type:

aws-ssm-copy \
   --dry-run \
   --source-profile binx-io \
   --recursive /

Remove the --dry-run to actually perform the copy.

copying parameters to another path

To copy all parameters to another path, type:

aws-ssm-copy \
   --dry-run \
   --target-path /old-dev \
   --recursive /dev 

Remove the --dry-run to actually perform the copy.
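As an added example (not part of the original post or of the aws-ssm-copy utility itself), here is a small Python pre-flight check that tells you which destination parameters a copy would overwrite before you drop --dry-run. It assumes the --target-path option rewrites names by replacing the source path prefix with the target path (/dev/db/host becomes /old-dev/db/host), and the parameter listings at the bottom are constructed sample data.

```python
"""Pre-flight check for aws-ssm-copy: which destination parameters would a copy overwrite?"""
from typing import Dict, Iterable, List


def rewrite_name(name: str, source_path: str, target_path: str) -> str:
    """Map a source parameter name onto its destination name.

    Assumption: the same rewrite rule as the --target-path option, i.e. the
    source path prefix is replaced by the target path (/dev/db -> /old-dev/db).
    With source and target path both "/" the name is returned unchanged.
    """
    source_path = source_path.rstrip("/")
    target_path = target_path.rstrip("/")
    if not name.startswith(source_path + "/"):
        raise ValueError(f"{name} is not under {source_path or '/'}")
    return target_path + name[len(source_path):]


def find_collisions(source_names: Iterable[str], target_names: Iterable[str],
                    source_path: str, target_path: str) -> Dict[str, str]:
    """Return {source name: destination name} for every parameter that already
    exists in the destination, i.e. the ones that only --overwrite would replace."""
    existing = set(target_names)
    collisions = {}
    for name in source_names:
        dest = rewrite_name(name, source_path, target_path)
        if dest in existing:
            collisions[name] = dest
    return collisions


def list_parameter_names(ssm_client, path: str) -> List[str]:
    """List parameter names under `path` with a boto3 SSM client.

    The check only needs names, so values are never decrypted (WithDecryption=False):
    the credentials used here need no kms:Decrypt permission at all."""
    paginator = ssm_client.get_paginator("get_parameters_by_path")
    names = []
    for page in paginator.paginate(Path=path, Recursive=True, WithDecryption=False):
        names.extend(p["Name"] for p in page["Parameters"])
    return names


if __name__ == "__main__":
    # Constructed sample listings standing in for the source and target account.
    # With real accounts you would call list_parameter_names() on a client per profile.
    source = ["/dev/db/password", "/dev/db/host", "/dev/api/key"]
    target = ["/old-dev/db/host", "/old-dev/unrelated"]
    for src, dst in find_collisions(source, target, "/dev", "/old-dev").items():
        print(f"would overwrite {dst} (from {src}); rerun with --overwrite only if intended")
```

Run the collision report against the real listings before removing --dry-run; an empty report means the copy creates only new parameters.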

other options

The other available command line options are:

option           explanation
--one-level      one-level copy (do not recurse)
--overwrite      overwrite existing values
--keep-going     keep going as much as possible, even after an error
--key-id         key ID to use for parameter values in the destination
--clear-key-id   clear the KMS key id associated with the parameter

Conclusion

The aws-ssm-copy utility provides an easy way to copy AWS SSM parameters between regions and accounts. Check out the source code on GitHub and use it with care!


Mark van Holsteijn is a senior software systems architect, and CTO of binx.io. He is passionate about removing waste in the software delivery process and keeping things clear and simple.