Storing Secrets in Parameter Store

By Devin Moreland
Published in All Things DevOps, Jul 9, 2022 (3 min read)

Sssh! It's a Secret

Purpose

To add a secret to Parameter Store and then see that secret via the command line. The goal here is to get a basic understanding of how AWS Parameter Store works and how to view secrets via the AWS CLI.

What is Parameter Store?

Parameter Store is a way to store parameters. Obviously. However, according to AWS: “Parameter Store, a capability of AWS Systems Manager, provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can store values as plain text or encrypted data. You can reference Systems Manager parameters in your scripts, commands, SSM documents, and configuration and automation workflows by using the unique name that you specified when you created the parameter.”

First, let's go to the AWS Console → Systems Manager → Parameter Store

Once in Parameter Store go to Create parameter.

  • Give our parameter a name
  • Use Standard Tier
  • Set its Type to SecureString
  • For the KMS key source, choose My current account
  • Value is whatever you choose to put in here as your parameter
  • You can give your parameter a tag if you wish to be more organized
  • Create parameter

Now click on your parameter in the table. This will redirect you to your parameter, where you can click on Show to see the value.

Using AWS CLI

Now let's see our Parameter in the CLI!

  • Make your way to the terminal of your choice
  • Install the AWS CLI if you have not already: follow the AWS CLI installation instructions, or use brew install awscli if on macOS.
  • Run aws configure and put in your keys and region
  • Since our secret is a SecureString, we will run:
aws ssm get-parameter --name "secret name"

This will return our parameter, but with its value still encrypted. To see our secret we need to add the --with-decryption flag.

aws ssm get-parameter --name "secret name" --with-decryption

This will return our parameter along with its name, its type and all the information you need. If you want to see our parameter with less noise, you can pipe the output to jq. First, install “jq”.

brew install jq

Then run the following and you will get this returned.
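An alternative that needs no jq, as an added example that is not part of the original article: the AWS CLI's own --query and --output text options trim the response to the type and value, and the wrapper refuses anything not stored as a SecureString. The function name fetch_secure_param and the parameter name /myapp/db-password are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumes the AWS CLI is installed and configured (aws configure).

# fetch_secure_param NAME
# Prints only the decrypted value of NAME on stdout.
# Exit status: 64 = no name given, 1 = the CLI call failed,
#              2 = the parameter exists but is not a SecureString.
fetch_secure_param() (
    name="${1:-}"
    if [ -z "$name" ]; then
        echo "usage: fetch_secure_param NAME" >&2
        exit 64
    fi

    # --query keeps two fields of the response; --output text prints them
    # tab-separated on one line: <Type><TAB><Value>
    out=$(aws ssm get-parameter --name "$name" --with-decryption \
            --query 'Parameter.[Type,Value]' --output text) || exit 1

    tab=$(printf '\t')
    type=${out%%"$tab"*}     # text before the first tab
    value=${out#*"$tab"}     # everything after the first tab

    # A secret created by mistake as String or StringList is stored
    # unencrypted; fail loudly instead of handing it back as if it were safe.
    if [ "$type" != "SecureString" ]; then
        echo "refusing: $name has type '$type', not SecureString" >&2
        exit 2
    fi

    printf '%s\n' "$value"
)

# Typical use: capture the value in a variable instead of printing it,
# so it does not end up in terminal scrollback or a CI log.
#   DB_PASSWORD=$(fetch_secure_param "/myapp/db-password")   # hypothetical name
```

The function body runs in a subshell, so the decrypted value never lingers in a variable of the calling shell unless the caller assigns it.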

Recap!

To recap we used the AWS Console to create a parameter, then we used the AWS CLI to see our parameter.
