SSMAgent: Invalid parameters when using parameter store pass-through to SecretsManager {{ssm:/aws/reference/secretsmanager/Secret}} #599

Open
99RareCandiez opened this issue Nov 13, 2024 · 2 comments

99RareCandiez commented Nov 13, 2024

I am seeing an error with amazon-ssm-agent when attempting to use AWS-RunPowerShellScript with a variable in the format {{ssm:*}} to retrieve from Parameter Store (Secrets Manager pass-through).

My agent version is 3.3.1142.0
My OS is Windows Server 2022 (build 20348.2762)

It works fine when using {{ssm:parametername}}, but when using {{ssm:/aws/reference/secretsmanager/secretname}} it fails to validate with the error:

```
2024-11-12 15:05:19.1463 ERROR [ssm-agent-worker] [MessageService] [MGSInteractor] dropping message because cannot parse AgentJob message 0b567543-j549-5b77-t83i-37986frf3a13 to Document State, err: Input contains invalid parameters [/aws/reference/secretsmanager/Secret]
```

My code is below:
```powershell
Send-SSMCommand -InstanceId $instance_id -DocumentName 'AWS-RunPowerShellScript' -Parameter @{commands = "`$secret_viaProxy = '{{ssm:/aws/reference/secretsmanager/Secret}}'" }
```

The formatting of the code above is not working quite right because of the backticks required by the actual command; I had to add a few backticks to get it to format as code properly, but you can run the sample below to get the same results. This works if it's in the format {{ssm:parameterWithNoSlashesToReferenceSecret}}.

```powershell
@{commands = "echo '{{ssm:/aws/reference/secretsmanager/Secret}}'"}
```

{{ssm:parametername}} works great, as detailed here.

Systems Manager also supports accessing secrets using Parameter Store as a 'pass-through' to Secrets Manager, formatted as /aws/reference/secretsmanager/Secret, as detailed here.

I believe some of the relevant sections are below:

```go
var ssmParamReferencePattern = regexp.MustCompile(fmt.Sprintf("{{\\s*((?:%s|%s)[\\w-./]+)\\s*}}", ssmSecurePrefix, ssmNonSecurePrefix))
```

Here is where the 'Input contains invalid parameters' is coming from:

```go
errorString := fmt.Errorf("Input contains invalid parameters %v", result.InvalidParameters)
```

It's from the function 'getSSMParameterValues' and the regex is below:

This is supported by the AWS CLI and AWS Tools for PowerShell.
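
Added example (not part of the original issue and not the agent's own code): a Go check of the quoted pattern against the command strings from this issue, to see whether the pattern itself accepts a name containing slashes. The prefix values `ssm:` and `ssm-secure:` and the two helper names are assumptions, since the issue does not show them.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed values: the issue quotes the pattern but not these constants.
const (
	ssmNonSecurePrefix = "ssm:"
	ssmSecurePrefix    = "ssm-secure:"
	// Pass-through path prefix as written in the issue.
	secretsManagerRefPrefix = "/aws/reference/secretsmanager/"
)

// Pattern string copied from the issue.
var ssmParamReferencePattern = regexp.MustCompile(fmt.Sprintf(
	"{{\\s*((?:%s|%s)[\\w-./]+)\\s*}}", ssmSecurePrefix, ssmNonSecurePrefix))

// extractReferences (hypothetical helper) returns every parameter name the
// pattern captures in a command string, with the ssm:/ssm-secure: prefix removed.
func extractReferences(command string) []string {
	var names []string
	for _, m := range ssmParamReferencePattern.FindAllStringSubmatch(command, -1) {
		name := strings.TrimPrefix(m[1], ssmSecurePrefix)
		name = strings.TrimPrefix(name, ssmNonSecurePrefix)
		names = append(names, name)
	}
	return names
}

// isSecretsManagerReference (hypothetical helper) reports whether a captured
// name uses the Secrets Manager pass-through path.
func isSecretsManagerReference(name string) bool {
	return strings.HasPrefix(name, secretsManagerRefPrefix) &&
		len(name) > len(secretsManagerRefPrefix)
}

func main() {
	// Command strings built from the references quoted in the issue.
	commands := []string{
		"echo '{{ssm:/aws/reference/secretsmanager/Secret}}'",
		"echo '{{ssm:parametername}}'",
	}
	for _, c := range commands {
		for _, n := range extractReferences(c) {
			fmt.Printf("captured %q passThrough=%v\n", n, isSecretsManagerReference(n))
		}
	}
}
```

Under these assumptions both references are captured, and the pass-through name is the same string that appears in the log line, which is consistent with the reference getting past the pattern and being reported afterwards through `result.InvalidParameters`.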

@99RareCandiez 99RareCandiez changed the title Invalid parameters when using parameter store pass-through to SecretsManager {{ssm:/aws/reference/secretsmanager/Secret}} SSMAgent: Invalid parameters when using parameter store pass-through to SecretsManager {{ssm:/aws/reference/secretsmanager/Secret}} Nov 14, 2024
@99RareCandiez
Author

Anyone able to review this? Seems like it should be supported by the agent since the Systems Manager service supports it.

@99RareCandiez
Author

Anyone able to reproduce this or look at it? I'm no dev so can't make a pull request. Seems straightforward; if I need to add anything please let me know.
