update README

aws · Jul 2, 2024 · 8bd1129 · 8bd1129
1 parent a825d7e
commit 8bd1129
Showing 1 changed file with 37 additions and 0 deletions.
diff --git a/packages/aws-cdk-lib/aws-ssm/README.md b/packages/aws-cdk-lib/aws-ssm/README.md
@@ -99,6 +99,43 @@ const arnLookup = ssm.StringParameter.valueFromLookup(this, '/my/role/arn');
 iam.Role.fromRoleArn(this, 'role', Lazy.string({ produce: () => arnLookup }));
 ```
 
+### cross-account SSM Parameters sharing
+
+AWS Systems Manager (SSM) Parameter Store supports cross-account sharing of parameters using the AWS Resource Access Manager (AWS RAM)
+service. In a multi-account environment, this feature enables accounts (referred to as "consuming accounts") to access and retrieve
+parameter values that are shared by other accounts (referred to as "sharing accounts"). To reference and use a shared SSM parameter
+in a consuming account, the `fromStringParameterArn()` method can be employed.
+
+The `fromStringParameterArn()` method provides a way for consuming accounts to create an instance of the StringParameter
+class from the Amazon Resource Name (ARN) of a shared SSM parameter. This allows the consuming account to retrieve and utilize the
+parameter value, even though the parameter itself is owned and managed by a different sharing account.
+
+```ts
+const sharingParameterArn = 'arn:aws:ssm:us-east-1:1234567890:parameter/dummyName';
+const sharedParam = ssm.StringParameter.fromStringParameterArn(this, 'SharedParam', sharingParameterArn);
+new cdk.CfnOutput(this, 'SharedParamValue', { value: sharedParam.stringValue });
+```
+
+Things to note:
+
+- The account that owns the AWS Systems Manager (SSM) parameter and wants to share it with other accounts (referred to as the "sharing account") must create the parameter in the advanced tier. This is a prerequisite for sharing SSM parameters across accounts.
+
+- After creating the parameter in the advanced tier, the sharing account needs to set up a resource share using AWS Resource Access Manager (RAM). This resource share will specify the SSM parameter(s) to be shared and the accounts (referred to as "consuming accounts") with which the parameter(s) should be shared.
+
+- Once the resource share is created by the sharing account, the consuming account(s) will receive an invitation to join the resource share. For the consuming account(s) to access and use the shared SSM parameter(s), they must accept the resource share invitation from the sharing account.
+
+In summary, the process involves three main steps:
+
+1. The sharing account creates the SSM parameter(s) in the advanced tier.
+
+2. The sharing account creates a resource share using AWS RAM, specifying the SSM parameter(s) and the consuming account(s).
+
+3. The consuming account(s) accept the resource share invitation to gain access to the shared SSM parameter(s).
+
+This cross-account sharing mechanism allows for centralized management and distribution of configuration data (stored as SSM parameters) across multiple AWS accounts within an organization or between different organizations.
+
+Read [Working with shared parameters](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-shared-parameters.html) for more details.
+
 ## Creating new SSM Parameters in your CDK app
 
 You can create either `ssm.StringParameter` or `ssm.StringListParameter`s in