100 - Read information from SSM Parameter Store (NodeJS)

In this lab you will experiment with AWS Lambda.

This is an introductory (100 level) lab to help you to explore AWS Lambda.

In this lab you will:

  1. Create a NodeJS Lambda function which is going to read information from AWS Systems Manager Parameter Store.

Prerequisites

You need:

  • an IAM user with proper permissions to create AWS Lambda, SSM, and IAM resources.

Context

In this lab you will experiment with creating a simple Lambda function that consumes data from Simple Systems Manager.

This Lambda function will consume the configuration for a system, stored in the SSM Parameter Store. We assume that all parameters for a given system have the form /systems/<systemName>/config, where <systemName> is, obviously, the name of the system whose configuration we want to retrieve.

If you are sharing the same account and region with other people, choose a prefix and add it to the names of the resources that we are going to create. For example, if your name is John Doe, you can use jd. Replace the <prefix> string in the examples with the prefix that you have chosen.

If you are running this lab alone, just disregard the <prefix> string.


Task: Creating the parameters for your hypothetical system

  1. Visit the Systems Manager page on your AWS console.
  2. At the menu on the left, select Parameter Store.
  3. Click on Create parameter.
  4. For Name, input what is shown below (replace <prefix> as previously instructed):
/systems/<prefix>system01/config
  5. Use Description to provide an informative description of the purpose of this parameter.
  6. For Tier, select Standard. We want to stay within the free tier.
  7. Type is String for our case.
  8. Data Type is text.
  9. For Value, input the following JSON, as an example:
{
  "url" : "https://www.amazon.com"
}
  10. Click on Create parameter.

Task: Creating your Lambda function

  1. Visit the AWS Lambda page on the AWS Console.

  2. Click on the button Create function.

  3. Select Author from scratch.

  4. Under the section Basic information:

    1. For Function Name, input <prefix>SystemConfig
    2. For Runtime, select the latest version for Node.js
    3. For Permissions, we need to give permissions to our Lambda function to access Systems Manager.
      1. Click on Change default execution role. This will unfold a section where we will be able to trigger the creation of the role for this Lambda function.
      2. Leave the option Create a new role with basic Lambda permissions selected. See that below on that section there is a reference about the role that will be created, which starts exactly with the function name. Take note of this role.
    4. Click on Create function. The Lambda Designer and Function code sections will show up.
  5. Edit the code to include the line console.log(event), like below:

exports.handler = async (event) => {
    // The following line records the received event in the function's logs on CloudWatch Logs
    console.log(event);
    const response = {
        statusCode: 200,
        body: JSON.stringify('Hello from Lambda!'),
    };
    return response;
};
  6. Click on Deploy.
  7. To check that everything went well, let's do a small test:
    1. Click on the drop down button labeled as Select a test event (It’s at the top, at the left hand side of the Test button), and select Configure test events.
    2. Configure the event like shown below
    3. Click on the Create button
    4. On the top, click on Test
    5. If everything went well, at the top of the page a message Execution result: succeeded (logs) will appear.
    6. Click on the link labeled as logs. It will take you to CloudWatch Logs, where you will be able to check that the receiving event was properly registered in the function’s logs.

Task: Adjusting the permissions for your Lambda function

We want this Lambda function to consume information from SSM. For that, we need to change the role attached to the Lambda function and add the proper policy to it.

Let’s add an inline policy that grants our Lambda function permission to read from Systems Manager.

  1. Go to the IAM Console.

  2. Click on Roles.

  3. Search for the role that was created when we created the Lambda function. The role name starts with <prefix>SystemConfig. You can also check the name of the role at the section Execution role on the Lambda function configuration page. If the role does not appear, click on the refresh button.

  4. Click on Add inline policy. The window to create the policy will show up.

  5. For Service, select Systems Manager.

  6. For Actions, choose GetParameter.

  7. For Resources, click on Add ARN.

    1. For region, enter the region you are working in (example: eu-west-2).
    2. For account, input your account ID. You can get your account ID by visiting the option My Account at your AWS console.
    3. For Fully qualified parameter name, enter systems/*/config. This means that you will be able to retrieve the configuration for all systems. Suppose we are retrieving the config for a system named “ticketing”, then the parameter will be systems/ticketing/config.
    4. Click on Add.
  8. Click on Review Policy. Give an informative name for the policy, like SystemsManagerPermissions.

  9. Click on Create Policy.

Now our lambda function is able to call SSM. Let’s update the code.


Task: Adjusting your Lambda function code - Calling SSM

Go back to your Lambda function and replace its code with the following:

// AWS SDK for JavaScript v2; bundled with Lambda Node.js runtimes up to 16.x
// (18.x and later bundle only the v3 SDK)
const AWS = require('aws-sdk');
const SSM = new AWS.SSM();

exports.handler = async (event) => {
    // logging the received event
    console.log(event);
    var responseFromSSM = null;
    var result = null;
    if (!event.Name) {
        // event does not have the proper format
        result = {
            "statusCode" : 400,
            "body" : "Invalid parameter"
        };
    } else {
        try {
            // parameter expected by SSM.getParameter
            var parameter = {
                "Name" : "/systems/" + event.Name + "/config"
            };
            responseFromSSM = await SSM.getParameter(parameter).promise();
            console.log('SUCCESS');
            console.log(responseFromSSM);
            var value = responseFromSSM.Parameter.Value;
            result = {
                "statusCode" : 200,
                "body" : value
            };
        } catch(err) {
            console.log('ERROR');
            console.log(err);
            // AWS SDK v2 errors expose the HTTP status as err.statusCode (lowercase "s")
            if (err.statusCode)
                result = {
                    "statusCode" : err.statusCode,
                    "body" : err.code
                };
            else
                result = {
                    "statusCode" : 500,
                    "body" : err.code
                };
        }
    }
    return result;
};

Click on Deploy to post the update.

To test the code, you can create more Test Events, as specified before. You can also create new parameters on Systems Manager if you want.

Check the logs after each test.
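
A hardened variant of the handler above, as an added example that is not part of the original lab: because an IAM * in the policy resource systems/*/config also matches names that contain /, the function restricts event.Name to a single path segment before calling SSM, and it logs the parameter name rather than its value. The names buildParameterName, iamWildcardMatch, makeHandler and stubSSM, and the allowed character set for system names, are assumptions of this example.

```javascript
// Added example: hardened variant of the lab handler (not the lab author's code).
// Assumption: a system name is one path segment of letters, digits, '_' or '-'.
const SYSTEM_NAME = /^[A-Za-z0-9_-]{1,64}$/;

// Returns the parameter path for a system, or null when the name is not acceptable.
function buildParameterName(name) {
    if (typeof name !== 'string' || !SYSTEM_NAME.test(name)) return null;
    return '/systems/' + name + '/config';
}

// Simplified model of IAM resource matching: '*' matches any run of characters, '/' included.
function iamWildcardMatch(pattern, resource) {
    const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
    return new RegExp('^' + escaped + '$').test(resource);
}

// Handler factory; `ssm` is anything exposing getParameter(params).promise(),
// so the AWS SDK v2 client from the lab or a stub can be passed in.
function makeHandler(ssm) {
    return async (event) => {
        const parameterName = buildParameterName(event && event.Name);
        if (parameterName === null) return { statusCode: 400, body: 'Invalid parameter' };
        try {
            const response = await ssm.getParameter({ Name: parameterName }).promise();
            // Log the parameter name only, never the retrieved value.
            console.log('SUCCESS', parameterName);
            return { statusCode: 200, body: response.Parameter.Value };
        } catch (err) {
            console.log('ERROR', err.code);
            return { statusCode: err.statusCode || 500, body: err.code };
        }
    };
}

// Constructed stub standing in for AWS.SSM so the example runs offline.
const stubSSM = {
    getParameter: (params) => ({
        promise: async () => {
            if (params.Name !== '/systems/system01/config') {
                throw Object.assign(new Error('not found'), { code: 'ParameterNotFound', statusCode: 400 });
            }
            return { Parameter: { Name: params.Name, Value: '{"url":"https://www.amazon.com"}' } };
        },
    }),
};

const handler = makeHandler(stubSSM);
```

In the Lambda console, export makeHandler(new AWS.SSM()) as exports.handler in place of the stubbed handler.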


Finishing the lab

You have finished the lab.

Clean up your account by:

  1. Deleting the Lambda function.
  2. Deleting the role associated with the Lambda function.
  3. Deleting the parameters that you have created in Systems Manager.

Lab Author: Fabian Da Silva