stekern · stekern · Jan 7, 2026
diff --git a/assets/basic-auth-bucket/adapters.ts b/assets/basic-auth-bucket/adapters.ts
@@ -1,4 +1,5 @@
 import { SecretsManager } from "@aws-sdk/client-secrets-manager"
+import { GetParameterCommand, SSMClient } from "@aws-sdk/client-ssm"
 import type { ICache, ISecretStore } from "./ports"
 
 export class SecretStore implements ISecretStore {
@@ -30,6 +31,31 @@ export class InMemorySecretStore implements ISecretStore {
   }
 }
 
+export class ParameterStore implements ISecretStore {
+  private client: SSMClient
+  constructor() {
+    this.client = new SSMClient({
+      // To avoid the need for cross region replication of parameters
+      region: "us-east-1",
+    })
+  }
+  async getSecret(secretName: string): Promise<string | undefined> {
+    let secret
+    try {
+      const result = await this.client.send(
+        new GetParameterCommand({
+          Name: secretName,
+          WithDecryption: true,
+        }),
+      )
+      secret = result.Parameter?.Value
+    } catch (e) {
+      console.error(e)
+    }
+    return secret
+  }
+}
+
 export class InMemoryCache implements ICache {
   private cache: Record<string, unknown>
   constructor() {

diff --git a/assets/basic-auth-bucket/index.ts b/assets/basic-auth-bucket/index.ts
@@ -1,8 +1,11 @@
 import type * as lambdaTypes from "aws-lambda"
-import { InMemoryCache, SecretStore } from "./adapters"
+import { InMemoryCache, ParameterStore, SecretStore } from "./adapters"
 import { AuthorizeRequest } from "./core"
 
-const secretStore = new SecretStore()
+const secretStore =
+  process.env.SECRET_TYPE === "parameter-store"
+    ? new ParameterStore()
+    : new SecretStore()
 const cache = new InMemoryCache()
 
 export const handler: lambdaTypes.CloudFrontRequestHandler = async (event) => {

diff --git a/assets/github-cookie-auth/authorizer.ts b/assets/github-cookie-auth/authorizer.ts
@@ -1,14 +1,30 @@
 import { DynamoDB } from "@aws-sdk/client-dynamodb"
 import { KMS } from "@aws-sdk/client-kms"
 import { SecretsManager } from "@aws-sdk/client-secrets-manager"
+import { GetParameterCommand, SSMClient } from "@aws-sdk/client-ssm"
 import { DynamoDBDocument } from "@aws-sdk/lib-dynamodb"
 import type * as octokitTypes from "@octokit/types"
 import type * as lambdaTypes from "aws-lambda"
 import { getCookieValue, httpRequest } from "./lib"
 
 const secretsManager = new SecretsManager()
+const ssmClient = new SSMClient({})
 const kms = new KMS()
 
+async function getSecretValue(
+  name: string,
+  type: string,
+): Promise<string | undefined> {
+  if (type === "parameter-store") {
+    const result = await ssmClient.send(
+      new GetParameterCommand({ Name: name, WithDecryption: true }),
+    )
+    return result.Parameter?.Value
+  }
+  const result = await secretsManager.getSecretValue({ SecretId: name })
+  return result.SecretString
+}
+
 const dynamodb = DynamoDBDocument.from(new DynamoDB())
 
 const getGitHubAppInstallationsForUser = async (
@@ -57,6 +73,7 @@ export const handler = async (
     accessControl,
     allowedOrigin,
     secretName,
+    secretType,
     authCookieEncryptionKeyArn,
     authCookieName,
     gitHubAppId,
@@ -71,6 +88,7 @@ export const handler = async (
       : undefined,
     process.env.ALLOWED_ORIGIN,
     process.env.SECRET_NAME,
+    process.env.SECRET_TYPE || "secrets-manager",
     process.env.AUTH_COOKIE_ENCRYPTION_KEY_ARN,
     process.env.AUTH_COOKIE_NAME,
     process.env.GITHUB_APP_ID,
@@ -143,19 +161,16 @@ export const handler = async (
     throw new Error("Unauthenticated")
   }
 
-  const secret = await secretsManager.getSecretValue({
-    SecretId: secretName,
-  })
-
-  const secrets = secret.SecretString
-    ? (JSON.parse(secret.SecretString) as {
+  const secretString = await getSecretValue(secretName, secretType)
+  const secrets = secretString
+    ? (JSON.parse(secretString) as {
         clientId: string
         clientSecret: string
       })
     : null
 
   if (!secrets || !secrets.clientId || !secrets.clientSecret) {
-    console.error("Could not properly read secrets from Secrets Manager")
+    console.error("Could not properly read secret")
     throw new Error("Unauthenticated")
   }
 

diff --git a/assets/github-cookie-auth/oauth-flow-callback.ts b/assets/github-cookie-auth/oauth-flow-callback.ts
@@ -1,12 +1,28 @@
 import { createHash } from "node:crypto"
 import { KMS } from "@aws-sdk/client-kms"
 import { SecretsManager } from "@aws-sdk/client-secrets-manager"
+import { GetParameterCommand, SSMClient } from "@aws-sdk/client-ssm"
 import type * as lambdaTypes from "aws-lambda"
 import { getCookieValue, httpRequest } from "./lib"
 
 const secretsManager = new SecretsManager()
+const ssmClient = new SSMClient({})
 const kms = new KMS()
 
+async function getSecretValue(
+  name: string,
+  type: string,
+): Promise<string | undefined> {
+  if (type === "parameter-store") {
+    const result = await ssmClient.send(
+      new GetParameterCommand({ Name: name, WithDecryption: true }),
+    )
+    return result.Parameter?.Value
+  }
+  const result = await secretsManager.getSecretValue({ SecretId: name })
+  return result.SecretString
+}
+
 export const handler = async (event: lambdaTypes.APIGatewayProxyEvent) => {
   const [
     nonceCookieName,
@@ -15,6 +31,7 @@ export const handler = async (event: lambdaTypes.APIGatewayProxyEvent) => {
     authCookieEncryptionKeyArn,
     responseHeaders,
     secretName,
+    secretType,
     redirectUrl,
   ] = [
     process.env.NONCE_COOKIE_NAME,
@@ -25,6 +42,7 @@ export const handler = async (event: lambdaTypes.APIGatewayProxyEvent) => {
       ? (JSON.parse(process.env.RESPONSE_HEADERS) as Record<string, string>)
       : undefined,
     process.env.SECRET_NAME,
+    process.env.SECRET_TYPE || "secrets-manager",
     process.env.REDIRECT_URL,
   ]
   if (
@@ -80,18 +98,15 @@ export const handler = async (event: lambdaTypes.APIGatewayProxyEvent) => {
   }
 
   // Perform code exchange
-  const secret = await secretsManager.getSecretValue({
-    SecretId: secretName,
-  })
-
-  const secrets = secret.SecretString
-    ? (JSON.parse(secret.SecretString) as {
+  const secretString = await getSecretValue(secretName, secretType)
+  const secrets = secretString
+    ? (JSON.parse(secretString) as {
         clientId: string
         clientSecret: string
       })
     : null
   if (!secrets || !secrets.clientId || !secrets.clientSecret) {
-    console.error("Could not properly read secrets from Secrets Manager")
+    console.error("Could not properly read secret")
     return {
       headers: {
         ...responseHeaders,

diff --git a/assets/github-cookie-auth/oauth-flow-request.ts b/assets/github-cookie-auth/oauth-flow-request.ts
@@ -1,9 +1,25 @@
 import { createHash } from "node:crypto"
 import { SecretsManager } from "@aws-sdk/client-secrets-manager"
+import { GetParameterCommand, SSMClient } from "@aws-sdk/client-ssm"
 import type * as lambdaTypes from "aws-lambda"
 import { generateRandomString, getUrlWithEncodedQueryParams } from "./lib"
 
 const secretsManager = new SecretsManager()
+const ssmClient = new SSMClient({})
+
+async function getSecretValue(
+  name: string,
+  type: string,
+): Promise<string | undefined> {
+  if (type === "parameter-store") {
+    const result = await ssmClient.send(
+      new GetParameterCommand({ Name: name, WithDecryption: true }),
+    )
+    return result.Parameter?.Value
+  }
+  const result = await secretsManager.getSecretValue({ SecretId: name })
+  return result.SecretString
+}
 
 export const handler = async (_event: lambdaTypes.APIGatewayProxyEvent) => {
   const [
@@ -12,6 +28,7 @@ export const handler = async (_event: lambdaTypes.APIGatewayProxyEvent) => {
     callbackUrl,
     responseHeaders,
     secretName,
+    secretType,
   ] = [
     process.env.NONCE_COOKIE_NAME,
     process.env.NONCE_COOKIE_ATTRIBUTES,
@@ -20,6 +37,7 @@ export const handler = async (_event: lambdaTypes.APIGatewayProxyEvent) => {
       ? (JSON.parse(process.env.RESPONSE_HEADERS) as Record<string, string>)
       : undefined,
     process.env.SECRET_NAME,
+    process.env.SECRET_TYPE || "secrets-manager",
   ]
   if (!nonceCookieName || !secretName || !callbackUrl) {
     console.error("Missing required environment variables")
@@ -31,18 +49,15 @@ export const handler = async (_event: lambdaTypes.APIGatewayProxyEvent) => {
     }
   }
 
-  const secret = await secretsManager.getSecretValue({
-    SecretId: secretName,
-  })
-
-  const secrets = secret.SecretString
-    ? (JSON.parse(secret.SecretString) as {
+  const secretString = await getSecretValue(secretName, secretType)
+  const secrets = secretString
+    ? (JSON.parse(secretString) as {
         clientId: string
         clientSecret: string
       })
     : null
   if (!secrets || !secrets.clientId || !secrets.clientSecret) {
-    console.error("Could not properly read secrets from Secrets Manager")
+    console.error("Could not properly read secret")
     return {
       headers: {
         ...responseHeaders,

diff --git a/assets/github-push-webhook/webhook-receiver.ts b/assets/github-push-webhook/webhook-receiver.ts
@@ -1,11 +1,27 @@
 import { createHmac, timingSafeEqual } from "node:crypto"
 import { DynamoDB } from "@aws-sdk/client-dynamodb"
 import { SecretsManager } from "@aws-sdk/client-secrets-manager"
+import { GetParameterCommand, SSMClient } from "@aws-sdk/client-ssm"
 import { DynamoDBDocument } from "@aws-sdk/lib-dynamodb"
 import type * as lambdaTypes from "aws-lambda"
 import type { DbPushEvent } from "./types"
 
 const secretsManager = new SecretsManager()
+const ssmClient = new SSMClient({})
+
+async function getSecretValue(
+  name: string,
+  type: string,
+): Promise<string | undefined> {
+  if (type === "parameter-store") {
+    const result = await ssmClient.send(
+      new GetParameterCommand({ Name: name, WithDecryption: true }),
+    )
+    return result.Parameter?.Value
+  }
+  const result = await secretsManager.getSecretValue({ SecretId: name })
+  return result.SecretString
+}
 
 const dynamodb = DynamoDBDocument.from(new DynamoDB())
 
@@ -24,6 +40,7 @@ export const handler = async (event: lambdaTypes.APIGatewayProxyEvent) => {
 
   const tableName = process.env.TABLE_NAME
   const secretName = process.env.SECRET_NAME
+  const secretType = process.env.SECRET_TYPE || "secrets-manager"
 
   if (!tableName || !secretName) {
     console.error("Missing required environment variables")
@@ -47,13 +64,9 @@ export const handler = async (event: lambdaTypes.APIGatewayProxyEvent) => {
     }
   }
 
-  const secret = await secretsManager.getSecretValue({
-    SecretId: secretName,
-  })
-
-  const secretToken = secret.SecretString || null
+  const secretToken = await getSecretValue(secretName, secretType)
   if (!secretToken) {
-    console.error("Could not properly read secret from Secrets Manager")
+    console.error("Could not properly read secret")
     return {
       statusCode: 500,
     }

diff --git a/assets/github-workflow-run-webhook-receiver/index.ts b/assets/github-workflow-run-webhook-receiver/index.ts
@@ -2,14 +2,30 @@ import { createHmac } from "node:crypto"
 import { timingSafeEqual } from "node:crypto"
 import { DynamoDB } from "@aws-sdk/client-dynamodb"
 import { SecretsManager } from "@aws-sdk/client-secrets-manager"
+import { GetParameterCommand, SSMClient } from "@aws-sdk/client-ssm"
 import { DynamoDBDocument } from "@aws-sdk/lib-dynamodb"
 import type * as octokitWebhooksTypes from "@octokit/webhooks-types"
 import type { ServiceException } from "@smithy/smithy-client"
 import type * as lambdaTypes from "aws-lambda"
 
 const secretsManager = new SecretsManager()
+const ssmClient = new SSMClient({})
 const dynamodb = DynamoDBDocument.from(new DynamoDB())
 
+async function getSecretValue(
+  name: string,
+  type: string,
+): Promise<string | undefined> {
+  if (type === "parameter-store") {
+    const result = await ssmClient.send(
+      new GetParameterCommand({ Name: name, WithDecryption: true }),
+    )
+    return result.Parameter?.Value
+  }
+  const result = await secretsManager.getSecretValue({ SecretId: name })
+  return result.SecretString
+}
+
 export const timingSafeStringComparison = (a: string, b: string) => {
   try {
     return timingSafeEqual(Buffer.from(a, "utf8"), Buffer.from(b, "utf8"))
@@ -32,6 +48,7 @@ export const isAWSError = (arg: unknown): arg is ServiceException => {
 export const handler = async (event: lambdaTypes.APIGatewayProxyEvent) => {
   const tableName = process.env.TABLE_NAME
   const secretName = process.env.SECRET_NAME
+  const secretType = process.env.SECRET_TYPE || "secrets-manager"
   const gitHubAppId = process.env.GITHUB_APP_ID
 
   if (!tableName || !secretName || !gitHubAppId) {
@@ -56,13 +73,9 @@ export const handler = async (event: lambdaTypes.APIGatewayProxyEvent) => {
     }
   }
 
-  const secret = await secretsManager.getSecretValue({
-    SecretId: secretName,
-  })
-
-  const secretToken = secret.SecretString || null
+  const secretToken = await getSecretValue(secretName, secretType)
   if (!secretToken) {
-    console.error("Could not properly read secret from Secrets Manager")
+    console.error("Could not properly read secret")
     return {
       statusCode: 500,
     }