aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

Support SSM Secure references in AppRunner Service environment variables #1044

Open haversnail opened 2 years ago

haversnail commented 2 years ago

Name of the resource

AWS::AppRunner::Service

Resource name

No response

Description

Currently, referencing SecureString SSM Parameter Store values can only be done with a subset of resources. This is problematic when attempting to use these values to define runtime environment variables for an AppRunner Service. Without this support, sensitive values have to be either (A) stored in Parameter Store as plaintext Strings (suboptimal), or (B) those values must be resolved at synth-time, and the plaintext value is then exposed in the CloudFormation template (also not ideal).

While this issue specifically requests support for AppRunner Service environment variables, I'm sure this same issue plagues users looking to deploy sensitive values as environment variables to AWS Lambda et al.

TIA!

Other Details

Current result:

SSM Secure reference is not supported in: [AWS::AppRunner::Service/Properties/SourceConfiguration/ImageRepository/ImageConfiguration/RuntimeEnvironmentVariables]
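
Added example, not part of the original issue and not AWS tooling: a pre-deployment check that classifies each entry under the property path from the error message above as an ssm-secure reference (rejected by CloudFormation at that path), a plain ssm String reference (option A in the description), or a literal value (option B). The function names and the sample template are constructed for illustration, and the check assumes the template has already been parsed into a dict.

```python
import re

# CloudFormation dynamic references to Parameter Store:
#   {{resolve:ssm-secure:name[:version]}}  and  {{resolve:ssm:name[:version]}}
DYN_REF = re.compile(r"\{\{resolve:(ssm-secure|ssm):[^}]+\}\}")

# Property path taken from the error message quoted in the issue.
ENV_PATH = ("SourceConfiguration", "ImageRepository",
            "ImageConfiguration", "RuntimeEnvironmentVariables")

# Constructed sample template (hypothetical names and values).
SAMPLE = {"Resources": {"Web": {"Type": "AWS::AppRunner::Service", "Properties": {
    "SourceConfiguration": {"ImageRepository": {"ImageConfiguration": {
        "RuntimeEnvironmentVariables": [
            {"Name": "DB_PASSWORD", "Value": "{{resolve:ssm-secure:/app/db/password:1}}"},
            {"Name": "API_KEY", "Value": "{{resolve:ssm:/app/api/key}}"},
            {"Name": "TOKEN", "Value": "constructed-plaintext-value"},
        ]}}}}}}}


def classify(value):
    """Return how an environment variable value is sourced."""
    if not isinstance(value, str):
        return "intrinsic"      # Ref, Fn::Sub, ...: not evaluated by this check
    m = DYN_REF.search(value)
    if m is None:
        return "literal"        # option (B): plaintext sits in the template
    return "ssm-secure" if m.group(1) == "ssm-secure" else "ssm-string"


def audit(template):
    """Return (logical_id, variable_name, kind) for each App Runner runtime env var."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::AppRunner::Service":
            continue
        node = res.get("Properties", {})
        for key in ENV_PATH:
            node = node.get(key, {}) if isinstance(node, dict) else {}
        for pair in node or []:
            findings.append((logical_id, pair.get("Name"), classify(pair.get("Value"))))
    return findings


if __name__ == "__main__":
    for logical_id, name, kind in audit(SAMPLE):
        print(f"{logical_id}.{name}: {kind}")
```
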
PatMyron commented 2 years ago

https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/227