Creating AWS SSM client with credentials

Time:12-27

I'm trying to create an SSMClient in JavaScript/TypeScript. I've found a ton of examples but nothing seems to work. I'm trying to get a value from the SSM parameter store. Here is my latest:

    const stsClient = new STSClient({ region: REGION });

    const params = {
      RoleArn: "arn:aws:iam::425112775363:policy/SSMFullAccessCognito",
      RoleSessionName: "session1",
      DurationSeconds: 900,
    };


    //Assume Role
    const data = await stsClient.send(new AssumeRoleCommand(params));
    const rolecreds = {
      accessKeyId: data.Credentials!.AccessKeyId,
      secretAccessKey: data.Credentials!.SecretAccessKey,
      sessionToken: data.Credentials!.SessionToken,
    };

    const ssmClient = new SSMClient({ region: REGION  });

    console.info(ssmClient);
    
    const cmd = new GetParameterCommand({ Name: 'test', WithDecryption: false });

    const result = await ssmClient.send(cmd);

    console.info(result);

With the above it says creds are missing, which they are. I just can't find anywhere how to convert "rolecreds" to something SSM wants. I can assume the role fine and I get back valid creds.

I've found 100 different ways from multiple sources but nothing works. I'm running AWSv3.

CodePudding user response:

You don't seem to be actually using rolecreds. If you look at the documentation for SSMClient, you'll see that it takes an optional credential object which you need to use in your situation: (https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-ssm/interfaces/ssmclientconfig.html#credentials)

CodePudding user response:

Assuming the SSMFullAccessCognito role has the correct permissions to access the required SSM parameter, what you have to do is to pass the rolecreds object to the SSMClient. You can do the following:

    const data = await stsClient.send(new AssumeRoleCommand(params));
    const rolecreds = {
        accessKeyId: data.Credentials.AccessKeyId,
        secretAccessKey: data.Credentials.SecretAccessKey,
        sessionToken: data.Credentials.SessionToken,
        expiration: data.Credentials.Expiration
    };

    const ssmClient = new SSMClient({ region: REGION, credentials: rolecreds });
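Added example, not part of the question or either answer: a static credentials object is never refreshed, so with `DurationSeconds: 900` the client starts failing after 15 minutes. SDK v3 clients also accept an async provider function for `credentials`; the sketch below builds one that re-assumes the role shortly before expiry. The names `makeAssumeRoleProvider`, `toSdkCredentials`, `needsRefresh` and the injected `assumeRole` callback are assumptions made for illustration.

```javascript
// Added example. `assumeRole` is an injected async function (assumption), e.g.
//   () => stsClient.send(new AssumeRoleCommand(params))

// Map the STS AssumeRole response onto the credentials shape v3 clients accept.
function toSdkCredentials(stsOutput) {
  const c = stsOutput && stsOutput.Credentials;
  if (!c || !c.AccessKeyId || !c.SecretAccessKey || !c.SessionToken) {
    throw new Error("AssumeRole response contained no usable credentials");
  }
  return {
    accessKeyId: c.AccessKeyId,
    secretAccessKey: c.SecretAccessKey,
    sessionToken: c.SessionToken,
    expiration: c.Expiration ? new Date(c.Expiration) : undefined,
  };
}

// True when nothing is cached yet or the cached session expires within skewMs.
function needsRefresh(creds, nowMs, skewMs) {
  if (!creds) return true;
  if (!creds.expiration) return false;
  return creds.expiration.getTime() - nowMs <= skewMs;
}

// Returns a provider: () => Promise<credentials>. Concurrent callers share one
// in-flight AssumeRole call, and a failed call is not cached.
function makeAssumeRoleProvider(assumeRole, { skewMs = 60000, now = Date.now } = {}) {
  let cached = null;
  let inflight = null;
  return async function provider() {
    if (!needsRefresh(cached, now(), skewMs)) return cached;
    if (!inflight) {
      inflight = Promise.resolve()
        .then(assumeRole)
        .then((out) => (cached = toSdkCredentials(out)))
        .finally(() => { inflight = null; });
    }
    return inflight;
  };
}

// Usage with the clients from the question (not executed here):
//   const provider = makeAssumeRoleProvider(
//     () => stsClient.send(new AssumeRoleCommand(params)));
//   const ssmClient = new SSMClient({ region: REGION, credentials: provider });
```

The SDK also ships `fromTemporaryCredentials` in `@aws-sdk/credential-providers`, which covers the same assume-role-and-refresh pattern without hand-written code.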