ssmenv-go

ssmenv provides a way to replace environment variables with AWS Systems Manager Parameter Store values.

If the value of an environment variable begins with ssm://, it will be replaced by the corresponding SSM parameter value. If no environment variable starts with ssm://, no API calls are made, and the original environment variables are returned unchanged.

In the following example, ssmenv fetches the value stored under the /some_parameter/path key, and the returned map will contain the fetched value instead of the original key.

os.Setenv("SOME_ENV", "ssm:///some_parameter/path")

awsConfig, err := awsconfig.LoadDefaultConfig(ctx)
if err != nil {
  return errors.Wrap(err, "failed to load AWS config")
}
ssmClient := ssm.NewFromConfig(awsConfig)
replacedEnv, err := ssmenv.ReplacedEnv(ctx, ssmClient, os.Environ())
if err != nil {
  return errors.Wrap(err, "failed to fetch replaced env")
}
config, err := env.ParseAsWithOptions[appconfig.Config](env.Options{
  Environment: replacedEnv,
})
if err != nil {
  return errors.Wrap(err, "failed to process config from env")
}

An example with env package:

replacedEnv, err := ssmenv.ReplacedEnv(ctx, ssmClient, os.Environ())
if err != nil {
  return errors.Wrap(err, "failed to fetch replaced env")
}
config, err := env.ParseAsWithOptions[appconfig.Config](env.Options{
  Environment: replacedEnv,
})
if err != nil {
  return errors.Wrap(err, "failed to process config from env")
}

Acknowledgements

The approach of replacing environment variable values that start with the ssm:// format was inspired by remind101/ssm-env.

The approach used by ssmenv (this library) differs from ssm-env in that it avoids passing secrets through environment variables, as this is generally not considered a best practice for security. Environment variables can sometimes be exposed in logs, error messages, or system dumps, so it's safer to handle sensitive data directly within the application.