Skip to content

Encrypt bootstrap SSM parameter to survive org re-encryption policies#6857

Open
HeathHopkins wants to merge 1 commit into
anomalyco:devfrom
HeathHopkins:encrypt-bootstrap-ssm-parameter
Open

Encrypt bootstrap SSM parameter to survive org re-encryption policies#6857
HeathHopkins wants to merge 1 commit into
anomalyco:devfrom
HeathHopkins:encrypt-bootstrap-ssm-parameter

Conversation

@HeathHopkins
Copy link
Copy Markdown

@HeathHopkins HeathHopkins commented May 4, 2026

Closes #6856

Summary

  • Change the /sst/bootstrap SSM parameter from String to SecureString and read it with WithDecryption: true
  • Prevents breakage when an AWS organization policy automatically re-encrypts unencrypted SSM parameters
  • Matches the pattern already used by the passphrase parameter in the same file

Motivation

Some AWS organizations enforce policies that automatically convert unencrypted SSM parameters to SecureString. Once this happens, the bootstrap parameter becomes unreadable because SST calls GetParameter with WithDecryption: false, which returns encrypted ciphertext instead of the plaintext JSON.

Changes

Two changes in pkg/project/provider/aws.go inside Bootstrap():

  1. GetParameter for /sst/bootstrap: WithDecryption changed from false to true
  2. PutParameter for /sst/bootstrap: Type changed from ParameterTypeString to ParameterTypeSecureString

Backward Compatibility

This is safe for existing deployments with unencrypted String bootstrap parameters:

  • Reading: From the AWS docs, WithDecryption "is ignored for String and StringList parameter types." Existing unencrypted parameters are returned identically.
  • Writing: The parameter is only rewritten when the bootstrap version advances. At that point, PutParameter with Overwrite: true allows changing the type from String to SecureString seamlessly.

Encrypt bootstrap SSM parameter to survive org re-encryption policies
1fdae8c 
  Change the /sst/bootstrap SSM parameter from String to SecureString and
  read it with WithDecryption: true. This prevents breakage when an AWS
  organization policy automatically re-encrypts unencrypted SSM parameters.

  Backward-compatible: WithDecryption is a no-op for existing String
  parameters, and PutParameter with Overwrite allows upgrading String to
  SecureString on the next bootstrap version bump.

  Matches the pattern already used by the passphrase parameter.
@vimtor
Copy link
Copy Markdown
Collaborator

vimtor commented May 20, 2026

i don't think this is backward-compatible

WithDecryption: true is safe for reads, but PutParameter cannot change an existing parameter from String to SecureString; AWS returns HierarchyTypeMismatchException:
https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PutParameter.html#API_PutParameter_Errors

so existing accounts with /sst/bootstrap as String may fail on the next bootstrap rewrite

also, SecureString needs KMS permissions (kms:Encrypt/kms:Decrypt):
https://docs.aws.amazon.com/systems-manager/latest/userguide/secure-string-parameter-kms-encryption.html#parameter-policy-kms-encryption

that matters for SST because our least-privilege bootstrap policy in www/src/content/docs/docs/iam-credentials.mdx only grants SSM access for /sst/bootstrap, so this could break users following our IAM docs unless we update it too

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Some orgs force SSM Parameter encryption which breaks the bootstrap version check

2 participants

@HeathHopkins @vimtor