
Is it possible to share Parameter Store keys in another AWS Account for the same region?

The use case: The database credentials are stored in Parameter Store for an AWS source Account and we need to share such credentials with other AWS Account.

I know the recommendation is to use System Manager, but that is not a valid option for custom reasons.

We won't access Parameter Store from a Lambda inside another AWS Account/VPC. Instead, we need to access such keys from the AWS CLI to fill in the application environment variables at build time - again, it's not ideal. 🤷‍♂️

In summary, we have an AWS Cross-Account / Same region / IAM user (another account) scenario to access the Parameter Store keys from the source AWS Account.

Thanks in advance for any kind of guidance/direction 👊

Richard Lee asked Jan 23 '26 15:01



1 Answer

I think you could create an IAM Role in the account with Parameter Store, give that Role permission to access Parameter Store, and configure it to let the IAM user you created in the other account assume that Role and do what it needs.

Something like

    aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/example-role" --role-session-name AWSCLI-Session

and then

    aws ssm get-parameter --name "MyStringParameter"

pearm answered Jan 26 '26 07:01
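The two commands from the answer above, joined into one build-time helper; this is an added example, not part of the original answer. The function name `fetch_param` and the fallback region are assumptions, and the role ARN and parameter name in the usage comment are the answer's own placeholders. It keeps the temporary credentials inside a subshell so they never land in the build environment, and passes `--with-decryption` so a SecureString comes back in plaintext.

```shell
#!/usr/bin/env bash
# Added example: read one Parameter Store value from another account through
# an assumed role. fetch_param is a hypothetical helper name.
#
# Usage (placeholders taken from the answer above):
#   DB_PASSWORD=$(fetch_param "arn:aws:iam::123456789012:role/example-role" "MyStringParameter")
#   export DB_PASSWORD

# fetch_param ROLE_ARN PARAM_NAME [REGION]
# Prints the parameter value on stdout. The body runs in a subshell, so the
# temporary credentials are gone as soon as the function returns.
fetch_param() (
  role_arn=$1
  name=$2
  region=${3:-${AWS_DEFAULT_REGION:-us-east-1}}   # fallback region is an assumption
  set +x   # never trace credentials into build logs

  # Ask STS for short-lived credentials (900 s is the minimum lifetime).
  creds=$(aws sts assume-role \
    --role-arn "$role_arn" \
    --role-session-name "build-$$" \
    --duration-seconds 900 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text) || { echo "assume-role failed for $role_arn" >&2; exit 1; }

  # --output text returns the three fields tab-separated on one line.
  read -r key secret token <<EOF
$creds
EOF
  if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
    echo "incomplete credentials returned by STS" >&2
    exit 1
  fi

  # The role's credentials apply to this single call only.
  AWS_ACCESS_KEY_ID=$key AWS_SECRET_ACCESS_KEY=$secret AWS_SESSION_TOKEN=$token \
    aws ssm get-parameter --name "$name" --with-decryption --region "$region" \
      --query 'Parameter.Value' --output text
)
```

For this to work, the role's trust policy must name the other account's IAM user as principal, and its permission policy should grant `ssm:GetParameter` only on the parameters the build needs (plus `kms:Decrypt` when a SecureString uses a customer-managed key).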