AWS Parameters and Secrets Lambda Extension does not work with parameter ARN's

0

The AWS documentation for the Parameters and Secrets Lambda Extension states:

To make a call using the Amazon Resource Name (ARN) for a parameter, make an HTTP GET call similar to the following.

GET http://localhost:port/systemsmanager/parameters/get?name=arn:aws:ssm:us-east-1:123456789012:parameter/MyParameter

however these requests return a 400 stating the parameter name is invalid.

Here's a quick example to demonstrate the successful request using the parameter name, and the failed request using the parameter ARN:

import json
import os

from botocore.vendored import requests


def lambda_handler(event, context):
    name_url = 'http://localhost:2773/systemsmanager/parameters/get?name=test-param'
    arn_url = 'http://localhost:2773/systemsmanager/parameters/get?name=arn:aws:ssm:us-east-2:{ACCOUNT_ID}:parameter/test-param'
    headers = {'X-Aws-Parameters-Secrets-Token': os.environ['AWS_SESSION_TOKEN']}
    
    name_resp = requests.get(name_url, headers=headers)
    print(f'NAME RESPONSE: {name_resp.status_code} > {name_resp.text}')
    
    arn_resp = requests.get(arn_url, headers=headers)
    print(f'ARN RESPONSE: {arn_resp.status_code} > {arn_resp.text}')

and the output:

NAME RESPONSE: 200 > {"Parameter":{"ARN":"arn:aws:ssm:us-east-2:{ACCOUNT_ID}:parameter/test-param","DataType":"text","LastModifiedDate":"2022-11-26T02:25:14.669Z","Name":"test-param","Selector":null,"SourceResult":null,"Type":"SecureString","Value":"AQICAH....=","Version":2},"ResultMetadata":{}}

ARN RESPONSE: 400 > an unexpected error occurred while executing request
[AWS Parameters and Secrets Lambda Extension] 2022/11/26 18:09:36 ERROR GetParameter request encountered an error: operation error SSM: GetParameter, https response error StatusCode: 400, RequestID: {REQUEST_ID}, api error ValidationException: Invalid parameter name. Please use correct syntax for referencing a version/label  <name>:<version/label>

The docs also state:

When using GET calls, parameter values must be encoded for HTTP to preserve special characters.

however the error still occurs whether the ARN colons and/or slash are URL-encoded or not like so:

http://localhost:2773/systemsmanager/parameters/get?name=arn%3Aaws%3Assm%3Aus-east-2%3A{ACCOUNT_ID}%3Aparameter/test-param
http://localhost:2773/systemsmanager/parameters/get?name=arn%3Aaws%3Assm%3Aus-east-2%3A{ACCOUNT_ID}%3Aparameter%2Ftest-param

Am I missing something here or is the documentation incorrect in that an ARN can be used for these requests?

andy
asked a year ago245 views
No Answers

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions