The AWS documentation for the Parameters and Secrets Lambda Extension states:
To make a call using the Amazon Resource Name (ARN) for a parameter, make an HTTP GET call similar to the following.
GET http://localhost:port/systemsmanager/parameters/get?name=arn:aws:ssm:us-east-1:123456789012:parameter/MyParameter
However, these requests return a 400 stating the parameter name is invalid.
Here's a quick example to demonstrate the successful request using the parameter name, and the failed request using the parameter ARN:
import json
import os
from botocore.vendored import requests

def lambda_handler(event, context):
    # Same parameter addressed by name, then by full ARN
    name_url = 'http://localhost:2773/systemsmanager/parameters/get?name=test-param'
    arn_url = 'http://localhost:2773/systemsmanager/parameters/get?name=arn:aws:ssm:us-east-2:{ACCOUNT_ID}:parameter/test-param'
    # The extension authenticates local callers with the function's session token
    headers = {'X-Aws-Parameters-Secrets-Token': os.environ['AWS_SESSION_TOKEN']}

    name_resp = requests.get(name_url, headers=headers)
    print(f'NAME RESPONSE: {name_resp.status_code} > {name_resp.text}')

    arn_resp = requests.get(arn_url, headers=headers)
    print(f'ARN RESPONSE: {arn_resp.status_code} > {arn_resp.text}')
and the output:
NAME RESPONSE: 200 > {"Parameter":{"ARN":"arn:aws:ssm:us-east-2:{ACCOUNT_ID}:parameter/test-param","DataType":"text","LastModifiedDate":"2022-11-26T02:25:14.669Z","Name":"test-param","Selector":null,"SourceResult":null,"Type":"SecureString","Value":"AQICAH....=","Version":2},"ResultMetadata":{}}
ARN RESPONSE: 400 > an unexpected error occurred while executing request
[AWS Parameters and Secrets Lambda Extension] 2022/11/26 18:09:36 ERROR GetParameter request encountered an error: operation error SSM: GetParameter, https response error StatusCode: 400, RequestID: {REQUEST_ID}, api error ValidationException: Invalid parameter name. Please use correct syntax for referencing a version/label <name>:<version/label>
The docs also state:
When using GET calls, parameter values must be encoded for HTTP to preserve special characters.
However, the error still occurs whether or not the ARN colons and/or slash are URL-encoded, like so:
http://localhost:2773/systemsmanager/parameters/get?name=arn%3Aaws%3Assm%3Aus-east-2%3A{ACCOUNT_ID}%3Aparameter/test-param
http://localhost:2773/systemsmanager/parameters/get?name=arn%3Aaws%3Assm%3Aus-east-2%3A{ACCOUNT_ID}%3Aparameter%2Ftest-param
Am I missing something here or is the documentation incorrect in that an ARN can be used for these requests?
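Given the behaviour reported in the question (the by-name request returns 200, the by-ARN request returns 400), one way to keep ARNs in configuration while still calling the extension by name is to derive the name from the ARN and percent-encode it. This is an added example, not code from the question or from AWS; `name_from_parameter_arn`, `extension_url`, `auth_headers` and `expected_region` are hypothetical names, the sample ARNs are constructed, and the rule that a multi-level ARN path maps to a name with a leading slash is an assumption.

```python
import os
from urllib.parse import quote, urlencode

EXTENSION_PORT = 2773  # port used in the question's URLs


def name_from_parameter_arn(arn, expected_region=None):
    """Return the Parameter Store name encoded in an SSM parameter ARN."""
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "ssm":
        raise ValueError(f"not an SSM ARN: {arn!r}")
    region, resource = parts[3], parts[5]
    # A by-name lookup carries no region, so refuse an ARN that points elsewhere.
    if expected_region is not None and region != expected_region:
        raise ValueError(f"ARN region {region!r} != {expected_region!r}")
    prefix = "parameter/"
    path = resource[len(prefix):] if resource.startswith(prefix) else ""
    if not path:
        raise ValueError(f"not a parameter ARN: {arn!r}")
    # Assumption: a multi-level path is a hierarchical name with a leading "/".
    return "/" + path if "/" in path else path


def extension_url(name_or_arn, port=EXTENSION_PORT, expected_region=None):
    """Build the GET URL for the extension, always addressing by name."""
    name = name_or_arn
    if name_or_arn.startswith("arn:"):
        name = name_from_parameter_arn(name_or_arn, expected_region)
    # quote_via=quote with urlencode's default safe="" encodes "/" and ":" too.
    query = urlencode({"name": name}, quote_via=quote)
    return f"http://localhost:{port}/systemsmanager/parameters/get?{query}"


def auth_headers():
    """Header the question's handler sends with each request."""
    return {"X-Aws-Parameters-Secrets-Token": os.environ["AWS_SESSION_TOKEN"]}


if __name__ == "__main__":
    # Constructed sample ARNs using the documentation's example account ID.
    for ref in ("test-param",
                "arn:aws:ssm:us-east-2:123456789012:parameter/test-param",
                "arn:aws:ssm:us-east-2:123456789012:parameter/app/db/password"):
        print(extension_url(ref, expected_region="us-east-2"))
```

Because the derived name drops the ARN's account and region, passing `expected_region` (for example the function's own region) keeps a misconfigured ARN from silently resolving to a different parameter of the same name.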