Script to Copy SSM Parameters between AWS Accounts

Are you tired of manually copying AWS Systems Manager (SSM) parameters between accounts? Do you need to replicate configurations across environments or share secrets securely with other teams? If so, you’re in the right place! Let's learn how to copy SSM parameters between AWS accounts.


In this guide, we’ll show you how to automate the process of copying SSM parameters between AWS accounts using a simple and efficient script. Say goodbye to tedious manual work and embrace the power of automation!

Why Automate Copying SSM Parameters?

Manually copying SSM parameters is not only time-consuming but also error-prone. As your AWS infrastructure grows, managing these parameters becomes increasingly challenging. Here’s why you should automate:

  • Save Time: A script can copy hundreds or even thousands of parameters in minutes, freeing up your valuable time for other tasks.
  • Ensure Accuracy: Eliminate the risk of human error when copying sensitive parameters.
  • Maintain Consistency: Easily replicate configurations across development, staging, and production environments.
  • Enhance Security: Control access and permissions with fine-grained IAM policies.

Prerequisites for Copying SSM Parameters

Before we dive into the script, ensure you have the following:

  • AWS CLI: The AWS Command Line Interface is installed and configured on your machine. Follow Amazon's installation procedure to install the CLI.
  • IAM Roles: Appropriate IAM roles with permissions to read and write SSM parameters in both the source and destination AWS accounts.

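Here is an example policy for the role in the source account, which only reads parameters. The role in the destination account needs ssm:PutParameter and ssm:AddTagsToResource instead, because the scripts below call put-parameter with --tags.

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeParameters",
                "ssm:GetParameter",
                "ssm:GetParametersByPath",
                "ssm:GetParameters",
                "kms:Decrypt"
            ],
            "Resource": "*"
        }
    ]
}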

Step 1 – Create a Script File and Add Code

Using your favorite text editor, create a file called param.sh

Bash
nano param.sh

Now copy this script, save, and exit. I have called my file param.sh

This script will copy individual parameters between accounts

Bash
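#!/usr/bin/env bash
# Copy one SSM parameter between accounts.
# Usage: ./param.sh FROM_PROFILE FROM_PARAMETER FROM_REGION TO_PROFILE TO_PARAMETER TO_REGION
set -euo pipefail  # abort if the read fails instead of writing an empty value

if [ "$#" -ne 6 ]; then
    echo "Usage: $0 FROM_PROFILE FROM_PARAMETER FROM_REGION TO_PROFILE TO_PARAMETER TO_REGION" >&2
    exit 1
fi

FROM_PROFILE=$1
FROM_PARAMETER=$2
FROM_REGION=$3

TO_PROFILE=$4
TO_PARAMETER=$5
TO_REGION=$6

# Read the decrypted value from the source account
OLD_VALUE=$(aws --region "${FROM_REGION}" --profile "${FROM_PROFILE}" ssm get-parameter --name "${FROM_PARAMETER}" --with-decryption --query Parameter.Value --output text )

# Write it to the destination account; the value is always stored as a SecureString
aws --profile "${TO_PROFILE}" --region "${TO_REGION}" ssm put-parameter \
    --name "${TO_PARAMETER}" \
    --value "${OLD_VALUE}" \
    --type "SecureString" \
    --tags "Key=DeployedUsing,Value=AWSCLI"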

This script will copy EVERY parameter between accounts

Bash
#!/usr/bin/env bash
# Copy every SSM parameter from one account/region to another.
# Usage: ./param.sh FROM_PROFILE FROM_REGION TO_PROFILE TO_REGION
set -uo pipefail

# Function to handle individual parameter copy
copy_parameter() {
    local from_profile=$1
    local from_parameter=$2
    local from_region=$3

    local to_profile=$4
    local to_parameter=$5
    local to_region=$6

    # Keep the secret in a local variable; stop before writing if the read fails
    local old_value
    old_value=$(aws --region "${from_region}" --profile "${from_profile}" ssm get-parameter --name "${from_parameter}" --with-decryption --query Parameter.Value --output text ) || return 1

    # Every parameter is written as a SecureString, whatever its type at the source
    aws --profile "${to_profile}" --region "${to_region}" ssm put-parameter \
        --name "${to_parameter}" \
        --value "${old_value}" \
        --type "SecureString" \
        --tags "Key=DeployedUsing,Value=AWSCLI"
}

if [ "$#" -ne 4 ]; then
    echo "Usage: $0 FROM_PROFILE FROM_REGION TO_PROFILE TO_REGION" >&2
    exit 1
fi

# Get required parameters from command line arguments
FROM_PROFILE=$1
FROM_REGION=$2
TO_PROFILE=$3
TO_REGION=$4

# Fetch all parameter names from the source account
PARAMETERS=$(aws --region "${FROM_REGION}" --profile "${FROM_PROFILE}" ssm describe-parameters --query "Parameters[*].Name" --output text) || exit 1

# Iterate over each parameter and copy it, reporting any that fail
for parameter in $PARAMETERS; do
    copy_parameter "${FROM_PROFILE}" "${parameter}" "${FROM_REGION}" "${TO_PROFILE}" "${parameter}" "${TO_REGION}" \
        || echo "Failed to copy ${parameter}" >&2
done

Step 2 – Amend Copy SSM Parameters Script Permissions

Change the script permissions to allow local execution.

Bash
chmod 700 param.sh

Step 3 – Execute the Script

Make sure you customize this command with:

  • MyProfile = set as your AWS profile (run aws configure sso)
  • 12345678 = set to your AWS account for the source and target
  • AWS-REGION – Also check the region for your account

Bash
aws sso login --sso-session my-profile
./param.sh 12345678-admin /old/parameter eu-west-1 12345678-admin /new/parameter eu-west-2

Streamlining SSM Parameter Management with Automation

Congratulations! You’ve now unlocked a powerful tool for managing AWS Systems Manager (SSM) parameters across accounts. By automating the migration process, you can drastically reduce manual effort, minimize errors, and ensure configuration consistency across your AWS environments.

Remember, this is just the starting point. You can customize and extend this script to fit your specific needs. Explore additional features like filtering parameters, managing complex hierarchies, or integrating with other tools in your DevOps workflow.

By embracing automation and leveraging AWS’s flexibility, you empower your team to focus on innovation and building amazing applications instead of getting bogged down by repetitive manual tasks. So go ahead and take control of your SSM parameters—the possibilities are endless!

Additional Tips:

  • Version Control: Store your scripts in a version control system (like Git) to track changes and collaborate with your team effectively.
  • Error Handling: Implement robust error handling to catch any issues during parameter copying and provide informative logging for easier troubleshooting.
  • Security Best Practices: Always follow AWS security best practices, such as using strong encryption for sensitive parameters and implementing least privilege access control.
  • Explore Further: AWS offers a wide range of tools and services to enhance your automation journey. Consider exploring AWS CloudFormation, AWS CodePipeline, or other DevOps tools to streamline your workflows even further.
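Added example, not the article's own script: the copy-everything script above stores every value as a SecureString and has no error handling, which the tips call for. This version copies the parameters under one path with get-parameters-by-path (an action the example IAM policy already allows), keeps each parameter's Type, and counts failures instead of stopping. The names copy_param, copy_path, COPIED and FAILED are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not the article's script. copy_param, copy_path, COPIED and
# FAILED are names assumed for this example.

# copy_param FROM_PROFILE FROM_REGION TO_PROFILE TO_REGION NAME
copy_param() {
    local from_profile="$1" from_region="$2" to_profile="$3" to_region="$4" name="$5"
    local ptype value
    # Read Type and Value separately; stop before writing if either read fails
    ptype=$(aws --profile "$from_profile" --region "$from_region" ssm get-parameter \
        --name "$name" --query Parameter.Type --output text) || return 1
    value=$(aws --profile "$from_profile" --region "$from_region" ssm get-parameter \
        --name "$name" --with-decryption --query Parameter.Value --output text) || return 1
    case "$ptype" in
        String|StringList|SecureString) ;;
        *) echo "unexpected type '$ptype' for $name" >&2; return 1 ;;
    esac
    # Write with the source Type so plain strings are not turned into SecureStrings
    aws --profile "$to_profile" --region "$to_region" ssm put-parameter \
        --name "$name" --value "$value" --type "$ptype" \
        --tags "Key=DeployedUsing,Value=AWSCLI" >/dev/null
}

# copy_path FROM_PROFILE FROM_REGION TO_PROFILE TO_REGION PATH
# Sets COPIED and FAILED; returns non-zero if any parameter failed.
copy_path() {
    local names name
    COPIED=0
    FAILED=0
    names=$(aws --profile "$1" --region "$2" ssm get-parameters-by-path \
        --path "$5" --recursive --query "Parameters[*].Name" --output text) || return 1
    for name in $names; do
        if copy_param "$1" "$2" "$3" "$4" "$name"; then
            COPIED=$((COPIED + 1))
        else
            FAILED=$((FAILED + 1))
            echo "FAILED: $name" >&2
        fi
    done
    echo "copied=$COPIED failed=$FAILED" >&2
    [ "$FAILED" -eq 0 ]
}

# Run only when called with all five arguments
if [ "$#" -eq 5 ]; then copy_path "$@"; fi
```

A parameter that already exists in the destination is reported as failed, because put-parameter is called without --overwrite.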


Thanks for taking the time to read this article. If you have any questions or feedback, please write in the comment section below.


Richard.Bailey

Richard Bailey, a seasoned tech enthusiast, combines a passion for innovation with a knack for simplifying complex concepts. With over a decade in the industry, he's pioneered transformative solutions, blending creativity with technical prowess. An avid writer, Richard's articles resonate with readers, offering insightful perspectives that bridge the gap between technology and everyday life. His commitment to excellence and tireless pursuit of knowledge continues to inspire and shape the tech landscape.
