Serverless — AWS Parameter Store

Dorian Machado
Sep 20 · 4 min read

Securing your secrets with the AWS Parameter Store makes your code agnostic and avoids having “hardcoded” sensitive data in your sources.


First of all, let’s define what AWS Parameter Store is.

It is an AWS service that provides secure, hierarchical storage for configuration data and secrets such as passwords, database strings, and license codes. The service is currently available in all regions.

In this article we will take advantage of the Serverless Framework in order to retrieve our secrets stored in AWS Parameter Store.

Remember that all the source code we use in this article will be available on GitHub.

OK folks, let’s get down to code 💻


First of all create a fresh serverless project as usual

sls create --template aws-nodejs --path test-parameter-store
cd test-parameter-store

Clean up the “serverless.yml” file so it looks like the following

service: test-parameter-store

provider:
  name: aws
  runtime: nodejs10.x

functions:
  hello:
    handler: handler.hello
    events:
      - http:
          path: hello
          method: get

As shown we already specified the path and method for our test function called “hello”.

If you have any questions about the previous steps, I invite you to check my previous article “Serverless — Hello World”.

Create the following JavaScript function in the “handler.js” file

'use strict';

module.exports.hello = async event => {
  return {
    statusCode: 200,
    body: JSON.stringify(
      {
        message: 'Hello AWS Parameter Store'
      }
    ),
  };
};

Time to deploy 🚀

sls deploy

and test our EndPoints ⚡️

curl https://mllq4zsap9.execute-api.us-east-1.amazonaws.com/dev/hello

At this point there is nothing fancy and everything is under control, but now the good part is coming.


We will create a “parameter” in our AWS Parameter Store with the following AWS CLI command

aws ssm put-parameter --name my-secret-string --value TOPsecretData --type String

Where “my-secret-string” is the name of the parameter and “TOPsecretData” is the value (the secret) we want to store in a safe way.

The output should look similar to this one

We can also retrieve our recently uploaded parameter with this AWS CLI command

aws ssm get-parameter --name my-secret-string

The “--name” flag specifies the name of the parameter we want to get.

As you can see in the purple square we got the value of our secrets 🎉


Now we will configure our “serverless.yml” file to get the value from AWS Parameter Store and store it in an environment variable called “TOP_SECRET_VARIABLE”

service: test-parameter-store

provider:
  name: aws
  runtime: nodejs10.x
  environment:
    TOP_SECRET_VARIABLE: ${ssm:my-secret-string}

functions:
  hello:
    handler: handler.hello
    events:
      - http:
          path: hello
          method: get

With ${ssm:my-secret-string} we tell the framework the name of the parameter we want to get the value from.

The “handler.js” file also needs a small change

'use strict';

module.exports.hello = async event => {
  return {
    statusCode: 200,
    body: JSON.stringify(
      {
        message: 'Hello AWS Parameter Store2',
        // Echoed in the response only to show that the value was resolved
        mySecret: process.env.TOP_SECRET_VARIABLE
      }),
  };
};

With the “process.env.TOP_SECRET_VARIABLE” we can get the environment variable specified in the “serverless.yml” file

Time to deploy again 🚀

sls deploy

And test the API again⚡️

curl https://mllq4zsap9.execute-api.us-east-1.amazonaws.com/dev/hello

We did it again 🎉, we got the secret stored in our AWS Parameter Store from our JavaScript code.


Let’s test something, we will update the value of our parameter “my-secret-string” with the value “secretNewData12345” executing the following command:

aws ssm put-parameter --name my-secret-string --value secretNewData12345 --type String --overwrite

With the “--overwrite” option we tell AWS Parameter Store to update the value of the parameter, and in the output we got “Version: 2”. If the value is updated again, the expected output should be “Version: 3”, and so on.

Deploy again 🚀

sls deploy

And now call the API ⚡️

curl https://mllq4zsap9.execute-api.us-east-1.amazonaws.com/dev/hello

Congrats, we are becoming Serverless experts 🎉

Conclusions

AWS Parameter Store is a simple and strong service that helps us store our secrets in an easy way. The framework configuration needed to expose parameter values as environment variables and consume them from JavaScript code is also pretty straightforward.

Remember: no more hardcoded sensitive data in your sources.
