runtheops / ssm-diff

A human-friendly way of managing parameters in AWS SSM
MIT License

Ignore Encrypted Entries #13

Open ambsw-technology opened 5 years ago

ambsw-technology commented 5 years ago

Unless absolutely necessary, I'd rather not put decrypted secrets on a local machine. SSM also logs access to secrets so I'd rather not leave an unnecessary trail of secrets logs. I can think of two ways to handle this:

Both could make sense, but the second option solves both problems (on-disk and audit logs). I think it should be an ENV variable (vs. a flag) so you don't accidentally delete the encrypted params if you forget to include the flag when you apply.

ambsw-technology commented 5 years ago

OK. The documentation for the get_parameters() call includes the ability to filter on Type. So it should be possible to exclude the SecureString from the list of types (i.e. 'String'|'StringList'|'SecureString') when making the request.
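A sketch of the opt-out discussed in this thread, as an added example that is not ssm-diff's own code. It assumes the parameters are listed with boto3's `get_parameters_by_path` and its `ParameterFilters` argument; the variable name `SSM_DIFF_SKIP_SECURE`, the helper names and the stub client with its sample data are hypothetical and constructed so the block runs offline.

```python
import os

# Hypothetical variable name; the issue only asks for "an ENV variable".
SKIP_SECURE_ENV = "SSM_DIFF_SKIP_SECURE"

def skip_secure():
    return os.environ.get(SKIP_SECURE_ENV, "").lower() in ("1", "true", "yes")

def fetch_remote(ssm, path="/"):
    """Return {name: value}; with the variable set, SecureString is never requested."""
    skip = skip_secure()
    kwargs = {"Path": path, "Recursive": True, "WithDecryption": not skip}
    if skip:
        kwargs["ParameterFilters"] = [
            {"Key": "Type", "Option": "Equals", "Values": ["String", "StringList"]}
        ]
    params = {}
    for page in ssm.get_paginator("get_parameters_by_path").paginate(**kwargs):
        for p in page["Parameters"]:
            params[p["Name"]] = p["Value"]
    return params

def plan(local, remote):
    """Diff local state against remote; 'delete' can only name fetched parameters."""
    return {
        "add": sorted(set(local) - set(remote)),
        "delete": sorted(set(remote) - set(local)),
        "change": sorted(k for k in local.keys() & remote.keys() if local[k] != remote[k]),
    }

class StubSSM:
    """Constructed stand-in for a boto3 SSM client; it applies the Type filter itself."""
    STORE = [
        {"Name": "/app/url", "Type": "String", "Value": "https://example.test"},
        {"Name": "/app/hosts", "Type": "StringList", "Value": "a,b"},
        {"Name": "/app/db_password", "Type": "SecureString", "Value": "constructed-secret"},
    ]
    def __init__(self):
        self.calls = []
    def get_paginator(self, name):
        return self
    def paginate(self, **kwargs):
        self.calls.append(kwargs)
        wanted = {v for f in kwargs.get("ParameterFilters", []) for v in f["Values"]}
        yield {"Parameters": [p for p in self.STORE if not wanted or p["Type"] in wanted]}
```

Because the variable is read at fetch time for both the plan and the apply step, a local file written without encrypted entries does not turn them into deletions; unsetting it between the two steps does, which is the accidental-delete case raised above.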