Migrate multiple SSM parameters (encrypted and non-encrypted) between AWS accounts

mrexhepi/aws-ssm-parameters-migration

Project Description

This mini-project helps you quickly migrate numerous AWS SSM parameters from one AWS account to another.
It is designed to retrieve parameters from the AWS SSM Parameter Store and save them to a JSON file.
Then it uploads those parameters to a new AWS account using the AWS SDK for Node.js.
The script defines two sets of AWS credentials and regions: one for the source account and another for the target account.
The scenario assumes the default AWS managed KMS key for SSM encryption, alias/aws/ssm.

How to Use

Ensure that you have Node.js installed on your local machine.
Install the NPM dependencies:

 npm install 

Copy .env.example to .env, then update the AWS_SSM_SOURCE_REGION, AWS_SOURCE_ACCESS_KEY and AWS_SOURCE_SECRET_KEY values in the .env file with the credentials of the AWS account that the SSM parameters live in.
Update the AWS_SSM_TARGET_REGION, AWS_TARGET_ACCESS_KEY and AWS_TARGET_SECRET_KEY values in the .env file with valid AWS credentials for your destination account.
Modify SOURCE_SSM_PARAMETER_PATH in .env to specify the parameter path you want to retrieve parameters from.
Run the script using:

node script.js

or

npm run start

The script will retrieve parameters from the source account, save them to a JSON file, and upload the parameters to the destination account.
The JSON file will be saved in the current working directory with the name parameters.json.
Example: a parameter under the path `/api/dev`, saved in the parameters.json file, will look as below:

 {
   "Name": "/api/dev/token",
   "Value": "uQg5Y7vZ9?R9buU3blBxHR",
   "Type": "SecureString",
   "KeyId": null,
   "Encrypted": true
 }

Please use a least-privilege approach when creating the AWS keys used by this project.

The only AWS IAM permissions you need are limited to these actions: GetParametersByPath, PutParameter, Encrypt, Decrypt.


Policy to be applied to the AWS users in both the source and target AWS accounts.
ssm:PutParameter can be deleted from the source account's policy, as no parameter has to be added there:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt"
            ],
            "Resource": "ARN of your AWS managed KMS key -> aws/ssm"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:PutParameter",
                "ssm:GetParametersByPath",
                "ssm:GetParameters",
                "ssm:GetParameter"
            ],
            "Resource": "*"
        }
    ]
}
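
The following Node.js check is an added example, not code from this repository: it lints a policy document like the one above for the least-privilege points the README raises (PutParameter on the source account, wildcard resources). The function name, the `role` argument and the sample key ARN are assumptions made for the illustration.

```javascript
// Added example (not part of the repository): lint an IAM policy document
// for the least-privilege points raised in the README.
// `role` is a hypothetical label: "source" (read side) or "target" (write side).
const asList = (v) => (Array.isArray(v) ? v : v === undefined ? [] : [v]);

function lintMigrationPolicy(policy, role) {
  const findings = [];
  for (const [i, stmt] of asList(policy.Statement).entries()) {
    if (stmt.Effect !== "Allow") continue;
    const actions = asList(stmt.Action).map((a) => a.toLowerCase());
    const resources = asList(stmt.Resource);
    const ssm = actions.filter((a) => a.startsWith("ssm:"));
    const kms = actions.filter((a) => a.startsWith("kms:"));

    // Action wildcards grant more than the four actions the README lists.
    for (const a of actions) {
      if (a.includes("*")) findings.push(`Statement[${i}]: wildcard action ${a}`);
    }
    // The source account is only read from, so it never needs PutParameter.
    if (role === "source" && ssm.includes("ssm:putparameter")) {
      findings.push(`Statement[${i}]: ssm:PutParameter is not needed on the source account`);
    }
    // "Resource": "*" covers every parameter in the account, not just the migrated path.
    if (ssm.length > 0 && resources.includes("*")) {
      findings.push(`Statement[${i}]: SSM actions on Resource "*"; scope to the migrated path`);
    }
    // KMS statements should name a key ARN, not "*" or leftover placeholder text.
    if (kms.length > 0 && resources.some((r) => !r.startsWith("arn:"))) {
      findings.push(`Statement[${i}]: KMS Resource is not a key ARN`);
    }
  }
  return findings;
}

// Constructed sample: the README policy with a made-up key ARN filled in.
const readmePolicy = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["kms:Decrypt", "kms:Encrypt"],
      Resource: "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID" },
    { Effect: "Allow",
      Action: ["ssm:PutParameter", "ssm:GetParametersByPath", "ssm:GetParameters", "ssm:GetParameter"],
      Resource: "*" },
  ],
};

console.log(lintMigrationPolicy(readmePolicy, "source"));
```

Run it against the policy you attach to each account's key before starting the migration; an empty array means none of the checks fired.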
