Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AWS::ElasticBeanstalk::Environment-Properties-OptionSettings[namespace==`aws:elasticbeanstalk:application:environment`].Value should support Dynamic References to AWS Systems Manager Parameter Store Secure Strings #227

candrews opened this issue Oct 18, 2019 · 2 comments


Copy link

@candrews candrews commented Oct 18, 2019

AWS::ElasticBeanstalk::Environment-Properties-OptionSettings[namespace==`aws:elasticbeanstalk:application:environment`].Value (environment variables values) should support Dynamic References to AWS Systems Manager Parameter Store Secure Strings.

Currently, Dynamic References to AWS Systems Manager Parameter Store Secure Strings are only supported in a limited set of places. It would be nice if they were supported in Beanstalk environment variable values (which are specified in CloudFormation at AWS::ElasticBeanstalk::Environment-Properties-OptionSettings[namespace==`aws:elasticbeanstalk:application:environment`].Value).

This should would allow the Beanstalk application to see an environment variable named `` with value supersecret when defined by this CloudFormation template fragment:

AWSTemplateFormatVersion: '2010-09-09'
    Type: AWS::ElasticBeanstalk::Environment
          Namespace: "aws:elasticbeanstalk:application:environment"
          Value: !Sub "{{resolve:ssm-secure-env:/my/parameter:42}}"

6. Category (required) - Will help with tagging and be easier to find by other users to +1

Use the categories as displayed in the AWS Management Console (simplified):

  1. Compute (Elastic Beanstalk)

This comment has been minimized.

Copy link

@candrews candrews commented Oct 18, 2019

It's possible to hack something like this using an ebextension today, but it really should be easier and supported directly in AWS.


This comment has been minimized.

Copy link

@eballetbaz eballetbaz commented Nov 14, 2019

For information, this feature is already partially implemented into Beanstalk.
It is working with non-secure parameters which specify the version:


I tested with platform :
Tomcat 8.5 with Java 8 running on 64bit Amazon Linux/3.3.0

Other options are not working (but pattern is recognized)

Secure reference, i.e. {{resolve:ssm-secure:DB_PASSWORD:1}} shows error:

Service:AmazonCloudFormation, Message:SSM Secure reference is not supported in: [AWS::CloudFormation::WaitConditionHandle/Metadata/AWS::ElasticBeanstalk::Ext/Parameters/EnvironmentVariables,AWS::AutoScaling::AutoScalingGroup/Metadata/AWS::ElasticBeanstalk::Ext/_ContainerConfigFileContent/optionsettings/aws:elasticbeanstalk:application:environment]

References without version, i.e. {{resolve:ssm-secure:DB_PASSWORD}} shows error:

Service:AmazonCloudFormation, Message:Incorrect format is used in the following SSM reference: [{{resolve:ssm-secure:DB_PASSWORD}}]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
3 participants
You can’t perform that action at this time.