# How to copy AWS SSM Parameters from one account to another

on
dec 21, 2020
in

Two years ago, I created a utility to copy AWS SSM parameters from one account to another. I published the utility to pypi.org, without writing a blog about it. As I found out that quite a number of people are using the utility, I decided to unveil it in this blog.
I never dared to publish the existence of this utility, as it goes against my principles of infrastructure as code
and immutable infrastructure. After two years, I am finally ready to admit I wrote it.

## a word of caution

Before we continue, note that this utility is dangerous in two ways:

1. you can overwrite existing parameter values
2. it allows people to exfiltrate your parameters in no time.
To counter the first, you have to explicit request to overwrite existing values. There is nothing
to counter the second, except for creating proper access policies. I found peace in the fact that you can extract all the secrets using the following standard AWS CLI command too:
aws ssm get-parameters-by-path --path / --with-decryption > all-the-secrets.json


So here it is!

## installing the utility

To install the utility, type:

pip install aws-ssm-copy


## What does it do?

The utility allows you to:

1. copy parameters in a parameter store to another account
2. copy parameters in the parameter store to another region in the same account
You can:

3. select individual parameters

4. recurse down a path
5. change the target path
Below you will find a couple of examples:

## copying parameters to another region

To copy all parameters to another region, type:

aws-ssm-copy \
--dry-run \
--source-region eu-central-1 \
--region eu-west-1 \
--recursive /


Remove the --dry-run to actually perform the copy.

## copying parameters to another account

To copy all parameters from one account to another account, type:

aws-ssm-copy \
--dry-run \
--source-profile binx-io \
--recursive /


Remove the --dry-run to actually perform the copy.

## copying parameters to another path

To copy all parameters to another path, type:

aws-ssm-copy \
--dry-run \
--target-path /old-dev \
--recursive /dev


Remove the --dry-run to actually perform the copy.

## other options

The other available command line options are:
| option | explanation |
| — | — |
| –one-level | one-level copy |
| –overwrite | existing values |
| –keep-going | as much as possible, even after an error |
| –key-id ID | to use for parameter values in the destination |
| –clear-key-id | clear the KMS key id associated with the parameter |

## Conclusion

The aws-ssm-copy utility provides an easy way to copy AWS SSM parameters between regions and accounts. Checkout the source code on github and use with care!
Image by Astrid Schmid from Pixabay

Mark van Holsteijn is a senior software systems architect, and CTO of binx.io. He is passionate about removing waste in the software delivery process and keeping things clear and simple.