refactor: migrate Secrets Manager secrets to SSM Parameter Store (free tier)

src/lambdas/agent-runner/handler.py

@@ -163,11 +163,11 @@ def handler(event, context):
             user_profile['status'] = 'active'
             prompt = f"[System: User just registered with name '{name}'. Welcome them warmly and ask how you can help.]"
         else:
-            bot_token_secret_arn = os.environ.get('TELEGRAM_BOT_TOKEN_SECRET_ARN', '')
+            bot_token_secret_arn = os.environ.get('TELEGRAM_BOT_TOKEN_SSM_PARAM', '')
             bot_token = ''
             if bot_token_secret_arn:
-                sm = boto3.client('secretsmanager', region_name='us-east-1')
-                bot_token = sm.get_secret_value(SecretId=bot_token_secret_arn)['SecretString']
+                ssm = boto3.client('ssm', region_name='us-east-1')
+                bot_token = ssm.get_parameter(Name=bot_token_secret_arn, WithDecryption=True)['Parameter']['Value']
             send_telegram_direct(chat_id, bot_token, "Hi! I don't recognize you yet. What's your name?", thread_id=message_thread_id)
             return
     # ── Get or create AgentCore session ──────────────────────────────────
@@ -212,7 +212,7 @@ def handler(event, context):
             'type': channel,
             'target_id': str(chat_id),
             'message_thread_id': message_thread_id,
-            'bot_token_secret_arn': os.environ.get('TELEGRAM_BOT_TOKEN_SECRET_ARN', ''),
+            'bot_token_secret_arn': os.environ.get('TELEGRAM_BOT_TOKEN_SSM_PARAM', ''),
         },
     }
 
@@ -232,11 +232,11 @@ def handler(event, context):
 
     # Process streaming response: buffer text chunks and send to Telegram as paragraphs arrive
     bot_token = ''
-    bot_token_secret_arn = os.environ.get('TELEGRAM_BOT_TOKEN_SECRET_ARN', '')
-    if bot_token_secret_arn:
-        sm = boto3.client('secretsmanager', region_name='us-east-1')
+    bot_token_param = os.environ.get('TELEGRAM_BOT_TOKEN_SSM_PARAM', '')
+    if bot_token_param:
+        ssm = boto3.client('ssm', region_name='us-east-1')
         try:
-            bot_token = sm.get_secret_value(SecretId=bot_token_secret_arn)['SecretString']
+            bot_token = ssm.get_parameter(Name=bot_token_param, WithDecryption=True)['Parameter']['Value']
         except Exception as e:
             print(f'[agent-runner] Failed to get bot token: {e}')
 

src/lambdas/oauth-handler/handler.py

@@ -44,9 +44,10 @@ def get_ddb():
 
 
 def get_oauth_client() -> tuple[str, str]:
-    """Return (client_id, client_secret) from Secrets Manager."""
-    arn = os.environ['GOOGLE_OAUTH_CLIENT_SECRET_ARN']
-    secret = json.loads(get_sm().get_secret_value(SecretId=arn)['SecretString'])
+    """Return (client_id, client_secret) from SSM Parameter Store."""
+    param_name = os.environ['GOOGLE_OAUTH_CLIENT_SSM_PARAM']
+    ssm = boto3.client('ssm', region_name=os.environ.get('AWS_REGION', 'us-east-1'))
+    secret = json.loads(ssm.get_parameter(Name=param_name, WithDecryption=True)['Parameter']['Value'])
     return secret['client_id'], secret['client_secret']
 
 
@@ -222,10 +223,11 @@ def handle_callback(params: dict) -> dict:
 
     # Best-effort Telegram confirmation
     try:
-        bot_token_arn = os.environ.get('TELEGRAM_BOT_TOKEN_SECRET_ARN', '')
-        if bot_token_arn and actor_id.startswith('telegram:'):
+        bot_token_param = os.environ.get('TELEGRAM_BOT_TOKEN_SSM_PARAM', '')
+        if bot_token_param and actor_id.startswith('telegram:'):
             chat_id = actor_id.split(':', 1)[1]
-            bot_token = get_sm().get_secret_value(SecretId=bot_token_arn)['SecretString']
+            ssm = boto3.client('ssm', region_name=os.environ.get('AWS_REGION', 'us-east-1'))
+            bot_token = ssm.get_parameter(Name=bot_token_param, WithDecryption=True)['Parameter']['Value']
             tg_text = f'✅ Connected {user_email} as "{label}"'
             tg_payload = json.dumps({'chat_id': chat_id, 'text': tg_text}).encode()
             tg_req = urllib.request.Request(

src/lambdas/scheduler/handler.py

@@ -11,8 +11,8 @@ def handler(event, context):
     rule_name = event['rule_name']
 
     # Fetch bot token
-    sm = boto3.client('secretsmanager', region_name='us-east-1')
-    token = sm.get_secret_value(SecretId=os.environ['TELEGRAM_BOT_TOKEN_SECRET_ARN'])['SecretString']
+    ssm = boto3.client('ssm', region_name='us-east-1')
+    token = ssm.get_parameter(Name=os.environ['TELEGRAM_BOT_TOKEN_SSM_PARAM'], WithDecryption=True)['Parameter']['Value']
 
     # Send Telegram message
     payload = json.dumps({'chat_id': chat_id, 'text': message}).encode()

src/lambdas/tg-ingest/handler.py

@@ -20,10 +20,11 @@ def get_bot_token() -> str:
     if _bot_token is None:
         with _token_lock:
             if _bot_token is None:
-                sm = boto3.client('secretsmanager')
-                _bot_token = sm.get_secret_value(
-                    SecretId=os.environ['TELEGRAM_BOT_TOKEN_SECRET_ARN']
-                )['SecretString']
+                ssm = boto3.client('ssm')
+                _bot_token = ssm.get_parameter(
+                    Name=os.environ['TELEGRAM_BOT_TOKEN_SSM_PARAM'],
+                    WithDecryption=True
+                )['Parameter']['Value']
     return _bot_token
 
 

src/lambdas/workspace-mcp/fetch_credentials.py

@@ -1,5 +1,5 @@
 """
-Fetch Google OAuth credentials and client secrets from Secrets Manager.
+Fetch Google OAuth credentials from SSM (client secret) and Secrets Manager (per-user tokens).
 Called by bootstrap before starting workspace-mcp.
 """
 import json
@@ -12,10 +12,11 @@ def main():
     sm = boto3.client('secretsmanager', region_name=region)
 
     # Fetch OAuth client credentials (client_id + client_secret)
-    client_secret_arn = os.environ.get('GOOGLE_OAUTH_CLIENT_SECRET_ARN')
-    if client_secret_arn:
+    client_secret_param = os.environ.get('GOOGLE_OAUTH_CLIENT_SSM_PARAM')
+    if client_secret_param:
         try:
-            client_creds = json.loads(sm.get_secret_value(SecretId=client_secret_arn)['SecretString'])
+            ssm = boto3.client('ssm', region_name=region)
+            client_creds = json.loads(ssm.get_parameter(Name=client_secret_param, WithDecryption=True)['Parameter']['Value'])
             os.environ['GOOGLE_OAUTH_CLIENT_ID'] = client_creds['client_id']
             os.environ['GOOGLE_OAUTH_CLIENT_SECRET'] = client_creds['client_secret']
             print('[fetch_credentials] OAuth client credentials loaded', file=sys.stderr)

src/lambdas/workspace-mcp/handler.py

@@ -21,11 +21,11 @@ def _setup_shared_environment():
     os.environ.setdefault('HOME', '/tmp')
     os.environ.setdefault('GOOGLE_WORKSPACE_MCP_CREDENTIALS_DIR', '/tmp/workspace_mcp_credentials')
 
-    client_arn = os.environ.get('GOOGLE_OAUTH_CLIENT_SECRET_ARN', '')
-    if client_arn:
+    client_param = os.environ.get('GOOGLE_OAUTH_CLIENT_SSM_PARAM', '')
+    if client_param:
         try:
-            sm = boto3.client('secretsmanager', region_name=os.environ.get('AWS_REGION', 'us-east-1'))
-            client_creds = json.loads(sm.get_secret_value(SecretId=client_arn)['SecretString'])
+            ssm = boto3.client('ssm', region_name=os.environ.get('AWS_REGION', 'us-east-1'))
+            client_creds = json.loads(ssm.get_parameter(Name=client_param, WithDecryption=True)['Parameter']['Value'])
             os.environ['GOOGLE_OAUTH_CLIENT_ID'] = client_creds['client_id']
             os.environ['GOOGLE_OAUTH_CLIENT_SECRET'] = client_creds['client_secret']
         except Exception as e: