Open ambsw-technology opened 5 years ago
OK. The documentation for the get_parameters() call includes the ability to filter on Type. So it should be possible to exclude the SecureString from the list of types (i.e. 'String'|'StringList'|'SecureString') when making the request.
Unless absolutely necessary, I'd rather not put decrypted secrets on a local machine. SSM also logs access to secrets so I'd rather not leave an unnecessary trail of secrets logs. I can think of two ways to handle this:
Both could make sense, but the second option solves both problems (on-disk and audit logs). I think it should be an ENV variable (vs. a flag) so you don't accidentally delete the encrypted params if you forget to include the flag when you apply.
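A sketch of the environment-variable approach described in the post above, using boto3's `get_parameters_by_path`, which accepts a `Type` filter. This is an added example, not the project's code: the variable name `SSM_SKIP_SECURE` and the function names are assumptions, and `client` stands for a boto3 SSM client.

```python
import os

ENV_SKIP_SECURE = "SSM_SKIP_SECURE"  # hypothetical variable name, not the project's


def skip_secure(environ=os.environ):
    return environ.get(ENV_SKIP_SECURE, "").lower() in ("1", "true", "yes")


def build_request(path, environ=os.environ):
    """Keyword arguments for ssm.get_parameters_by_path()."""
    req = {"Path": path, "Recursive": True, "WithDecryption": True}
    if skip_secure(environ):
        # Request plaintext types only: SecureString values are neither
        # returned nor decrypted, so none of them reach the local disk.
        req["WithDecryption"] = False
        req["ParameterFilters"] = [
            {"Key": "Type", "Option": "Equals", "Values": ["String", "StringList"]}
        ]
    return req


def fetch(client, path, environ=os.environ):
    """Return {name: value} for every parameter in scope, following NextToken."""
    req, found = build_request(path, environ), {}
    while True:
        page = client.get_parameters_by_path(**req)
        for p in page["Parameters"]:
            found[p["Name"]] = p["Value"]
        if not page.get("NextToken"):
            return found
        req["NextToken"] = page["NextToken"]


def plan_deletes(client, path, local, environ=os.environ):
    """Names an apply would delete: remote parameters in scope but absent locally.
    The remote listing uses the same filter as the pull, so SecureString
    parameters are never in scope while the variable is set."""
    return sorted(set(fetch(client, path, environ)) - set(local))
```

Because pull and apply read the same variable, a local file that was pulled without secrets is compared against a remote listing that also omits them.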