Environment variables with AWS SSM Run Command

0
votes

I am using AWS SSM Run Command with the AWS-RunShellScript document to run a script on an AWS Linux 1 instance. Part of the script includes using an environment variable. When I run the script myself, everything is fine. But when I run the script with SSM, it can't see the environment variable. This variable needs to be passed to a Python script. I had originally been trying os.environ['VARIABLE'] to no effect.

I know that AWS SSM uses root privileges and so I have put a line exporting the variable in the root ~/.bashrc file, yet it still can not see the variable. The root user can see it when I run it myself. Is it not possible for AWS SSM to use environment variables, or am I not exporting it correctly? If it is not possible, I'll try using AWS KMS instead to store my variable.

~/.bashrc

export VARIABLE="VALUE"

script.sh

"$VARIABLE"

Security is important, hence why I don't want to just store the variable in the script.

2
amazon-web-servicesenvironment-variablesaws-ssm

2 Answers

4
votes

SSM does not open an actual SSH session so passing environment variables won't work. It's essential a daemon running on the box that's taking your requests and processing them. It's a very basic product: it doesn't support any of the standard features that come with SSH such as SCP, port forwarding, tunneling, passing of env variables etc. An alternative way of passing a value you need to a script would be to store it in AWS Systems Manager Parameter Store, and have your script pull the variable from the store.
You'll need to update your instance role permissions to have access to ssm:GetParameters for the script you run to access the value stored.

0
votes

I am running bash script in my SSM command document, so I just source the profile/script to have env variables ready to be used by the subsequent commands. For example,

"runCommand": [
      "#!/bin/bash",
      ". /tmp/setEnv.sh",
      "echo \"myVar: $myVar, myVar2: $myVar2\""
]

You can refer to Can a shell script set environment variables of the calling shell? for sourcing your env variables. For python, you will have to parse your source profile/script, see Emulating Bash 'source' in Python