Is there a local development mode for AWS SSM?

Question

Absolute SSM noob here, currently we use SSM in our lambda function, and to use it we simple import the SSM class and instantiate an instance, the constructor does the env var injections.

from aws_ssm import SSM
ssm = SSM()

While this works as expected when running on AWS Lambda, but it doesn't work well in our local computer, typically our local accounts not setup with SSM.

In order to bypass the SSM and load the vars from actual existing env vars, I will have to add a switch:

if not os.environ.get('NO_SSM'):
    from aws_ssm import SSM
    ssm = SSM()

And this seems like a hack to me (especially False False condition to make it right), I am just wondering if there is a proper way to do it for local development?

Just thinking again, it would have been better to reverse the situation originally to only use SSM when USE_SSM env is defined:

if os.environ.get('USE_SSM'):
    from aws_ssm import SSM
    ssm = SSM()

Answer 1

Just create a policy like below and grant to your user, than you might keep using the same strategy local or in lambda.

PS: I checked here and it works like a charm!

You also might check my PoC Lambda SSM project. In this project I use serverless to develop lambda and it works invoking locally by using invoke local -f hello_ssm.

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ssm:GetParameter"
            ],
            "Resource": [
                "arn:aws:ssm:us-east-1:139486740103:parameter/my-secure-param"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:139486740103:key/alias/aws/ssm"
            ],
            "Effect": "Allow"
        }
    ]
}