Extension Review: AWS SSM Lambda
After writing my most recent article about how AWS Lambda APIs work I thought it would be cool to do a deep dive into some interesting lambda extensions I have found.
So first up I wanted to take a look at an extension published by AWS that allows you to fetch and cache SSM parameters on your lambda function.
Here is a quick video of me trying out this extension 👇 Code will be provided at the end of the article.
TL;DR
This extension works across languages and is easy enough to use you might as well get caching for free. It may have a few missing features but you can easily look past them for now.
Configuration
Setting up this extension is very simple. You basically just add the layer, set the permissions and your function is all set to start caching those SSM parameters.
Things to look out for
- Add the layer using the correct region. Keep in mind the account id on the published layer also changes for each region.
- Set the two required permissions, ssm:GetParameter and kms:Decrypt.
- Be sure you set an appropriate time to live on the cache, SSM_PARAMETER_STORE_TTL, so you don’t get stuck with invalid parameters for too long.
- Make sure to set the required header when making requests to the extension so the extension can make requests to SSM on your behalf. X-Aws-Parameters-Secrets-Token should be set to the AWS_SESSION_TOKEN environment variable.
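A small Python client for the request described in the last item, added here as an illustration and not taken from the demo app in the video. The localhost endpoint path, the default port 2773 and the PARAMETERS_SECRETS_EXTENSION_HTTP_PORT variable come from AWS's documentation for the extension rather than this article; build_request, get_parameter, ParameterFetchError and the open_fn hook are names made up for the example.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Ignore proxy env vars so the session token is only ever sent to localhost.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class ParameterFetchError(RuntimeError):
    """Raised when the extension cannot return the parameter."""


def build_request(name, with_decryption=True, port=None, token=None):
    """Build the localhost request, including the required token header."""
    port = port or int(os.environ.get("PARAMETERS_SECRETS_EXTENSION_HTTP_PORT", "2773"))
    token = token or os.environ.get("AWS_SESSION_TOKEN")
    if not token:
        raise ParameterFetchError("AWS_SESSION_TOKEN is not set")
    # urlencode escapes '/', '&' and '=' so a parameter name cannot add query options.
    query = urllib.parse.urlencode(
        {"name": name, "withDecryption": "true" if with_decryption else "false"}
    )
    url = f"http://localhost:{port}/systemsmanager/parameters/get?{query}"
    return urllib.request.Request(url, headers={"X-Aws-Parameters-Secrets-Token": token})


def get_parameter(name, with_decryption=True, port=None, token=None,
                  timeout=2.0, open_fn=_OPENER.open):
    """Return the parameter value served by the extension (cache or SSM)."""
    req = build_request(name, with_decryption, port, token)
    try:
        with open_fn(req, timeout=timeout) as resp:
            return json.load(resp)["Parameter"]["Value"]
    except urllib.error.HTTPError as exc:
        # Report the status only; keep the token and the value out of logs.
        raise ParameterFetchError(f"extension returned HTTP {exc.code} for {name!r}") from None
    except (OSError, ValueError, KeyError) as exc:
        raise ParameterFetchError(f"no usable reply from extension: {type(exc).__name__}") from None
```

A 4xx from the extension usually points at a missing or wrong token header or at the function role lacking ssm:GetParameter or kms:Decrypt.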
Opinion
This is a pretty nifty language agnostic way to fetch SSM parameters inside of a lambda function more efficiently. However, I think there are a few things they could do to make it a bit easier to work with.
There should be an endpoint or param to let you auto expire a cached param
You would have to write your own fallback logic which kind of sucks. Seems like it wouldn’t take much effort for them to just include a cache clear variable or something.
The docs are not great
This is something that seems to plague AWS quite a bit. I am talking to you aws sdk v3 docs. 🙄 They really need to be more clear about the endpoints and the options available.
The public layer should be published to the same account for all regions
This is a pretty nitpicky complaint. But in terms of CI, it is kind of annoying since you would need to keep a map of the region to account id. Seems like a simple ask to not change the account id per region.
Should you use this extension?
Yeah, why not? It isn't that much harder to use than a typical SDK method and you get caching for free. I hope they continue improving this extension but I guess time will tell.
Code from the video 👇
If you would like the demo app I created in the video above you can check out the code here 😎