How to use AWS Parameters and Secrets Lambda Extension

hayao_k's photo
·Oct 19, 2022·

3 min read

Subscribe to my newsletter and never miss my upcoming articles

What is AWS Parameters and Secrets Lambda Extension?

This extension can be used to retrieve parameters from the AWS Systems Manager Parameter Store and secrets from the AWS Secrets Manager.

What makes you happy?

Until now, parameters and secrets were obtained in the Lambda function process using the AWS SDK or other means.

With this extension, these values can be cached and reused during the lifecycle of a Lambda function. This reduces the latency and cost of retrieving parameters and secrets.

Basic usage

Please refer to each documents for details.

Set Layer of the extension to Lambda function

Lambda Extension is made available by configuring Lambda Layers. In Managed Console, AWS Parameters and Secrets Lambda Extension could be selected in the AWS layer.

image.png mage.png

When configuring from the CLI or other means, specify the ARN of the published Layer. A list of ARNs for each region is provided in the documentation.

Write HTTP GET code in the function

Using this Extension eliminates processing in the AWS SDK, but the code to retrieve the value with an HTTP GET request is still required. See the second half of this post for the sample code.

Change IAM policy for execution role

The extension uses the credentials of the IAM role used to execute the Lambda function itself. Therefore, an appropriate IAM policy must be set up to retrieve parameters and secrets. For example, for the Parameter Store, ssm:GetParameter and kms:Decrypt (when using SecureString) are required.

(Optional) Set environment variables for functions

TTL for the cache, log level, etc., can be controlled by setting environment variables for the Lambda function.

Sample Code

This is an example of referencing Amazon Linux 2 AMI public parameters.

Notes are as follows.

  • / in the parameter name must be encoded
  • The extension's local HTTP server port starts at default 2773
    • It can be changed via the environment variable PARAMETERS_SECRETS_EXTENSION_HTTP_PORT
  • Header 'X-Aws-Parameters-Secrets-Token' with AWS_SESSION_TOKEN environment variable must be added
    • If not specified, it will be 401 unauthorized.
const https = require('http');

exports.handler = function(event, context, callback) {

    const options = {
        hostname: 'localhost',
        port: 2773,
        path: '/systemsmanager/parameters/get/?name=%2Faws%2Fservice%2Fami-amazon-linux-latest%2Famzn-ami-hvm-x86_64-gp2',
        headers: {
            'X-Aws-Parameters-Secrets-Token': process.env.AWS_SESSION_TOKEN
        method: 'GET'

    const req = https.request(options, res => {
        res.on('data', d => {
            console.log("Response from cache: "+d);
            return d;

    req.on('error', error => {


The log of the execution result looks like this You got the parameter values!

[AWS Parameters and Secrets Lambda Extension] 2022/10/19 06:51:08 PARAMETERS_SECRETS_EXTENSION_LOG_LEVEL is not present. Log level set to info.
[AWS Parameters and Secrets Lambda Extension] 2022/10/19 06:51:08 INFO Systems Manager Parameter Store and Secrets Manager Lambda Extension 1.0.94
[AWS Parameters and Secrets Lambda Extension] 2022/10/19 06:51:08 INFO Serving on port 2773
EXTENSION    Name: AWSParametersAndSecretsLambdaExtension    State: Ready    Events: [INVOKE,SHUTDOWN]
START RequestId: bb5bcc53-38cc-42d7-9dc5-xxxxxxxxxxxx Version: $LATEST
[AWS Parameters and Secrets Lambda Extension] 2022/10/19 06:51:08 INFO ready to serve traffic
2022-10-19T06:51:09.247Z    bb5bcc53-38cc-42d7-9dc5-xxxxxxxxxxxx    INFO    Response from cache: {"Parameter":{"ARN":"arn:aws:ssm:ap-northeast-1::parameter/aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2","DataType":"text","LastModifiedDate":"2022-10-04T17:56:51.889Z","Name":"/aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2","Selector":null,"SourceResult":null,"Type":"String","Value":"ami-0fb16641312307fa9","Version":49},"ResultMetadata":{}}
END RequestId: bb5bcc53-38cc-42d7-9dc5-xxxxxxxxxxxx
REPORT RequestId: bb5bcc53-38cc-42d7-9dc5-xxxxxxxxxxxx    Duration: 796.05 ms    Billed Duration: 797 ms    Memory Size: 128 MB    Max Memory Used: 76 MB    Init Duration: 324.74 ms

I hope this will be of help to someone else.

Share this