Tips for Storing Secrets with AWS SSM Parameter Store
What you must know before reaching thousands of parameters.
What is AWS SSM Parameter Store?
AWS Systems Manager Parameter Store provides secrets management. You can store data such as passwords, database strings, and license codes as parameter values. You can store values as plain text or encrypted data. You can then reference values by using the unique name that you specified when you created the parameter.
Why Carbon adopted AWS SSM Parameter Store?
Following best practices is almost like a curse when delivering fast matters. It is a good thing that we have a company culture where we promote the adoption of best practices so we don’t see it as a curse but a way of life and a blessing. With our DevSecOps approach, for example, we’ve automated some security functions that scan through codes, send a slack notification to the security team and delete any hardcoded credentials found in the code thus reducing risk to the business.
We have multiple teams using AWS to build and deploy services. Those teams need to securely store credentials used in building their services. This is where the AWS SSM parameter made sense. We use AWS IAM to manage those who can have access and AWS KMS to provide encryption.
What we wished we had known before our SSM parameters increased.
Searching for parameters would be painful.
We have about 350 micro-services in 3 different environments and about 2k parameters not counting unique version numbers. Due to our large number of parameters, it became difficult to search for parameters via the AWS Console. You will find it painful searching by regex and/or path.
Reaching numbers like 1k, 2k or 5k secret parameters would indicate significant success in growth for a business professional depending on the context, but for a cloud operations engineer on AWS, it could mean the beginning of chaos. When we started using the AWS SSM Parameter store, we didn’t put our vision glass on. We were just creating secrets with any name or path that made sense. All it took was a 1-LOC, One line-of-code via the AWS CLI to store a resource secret securely.
aws ssm put-parameter --name "Carbon" --value "Best Digital Bank Mobile App" --type SecureString --key-id alias/sre-teamOr we could go a little further since we operate multiple AWS regions
aws ssm put-parameter --name "Carbon" --value "Best Digital Bank Mobile App" --type SecureString --key-id alias/sre-team --region us-west-2Tips on how to search for parameters
- Standardize. Have a unique format across the organization that everyone adheres to. You can use that format to search easily. This has helped us to scale safely.
/<department_name>/<environment_name>/<service_name>/<credential-to-store>- Use AWS CLI to search. Search through all parameters with the output as plain text, then, slice and dice using regex or grep
Some Useful CLI Queries to help you search
My favorite Command API call is the get-parameters-by-path
Note: This API action doesn’t support filtering by tags.
/<department_name>/<environment_name>/<service_name>/<credential-to-store>If you adopt the format above for naming your parameters by path, the command below will help you search down to the root hierarchy you specify e.g <department_name>.
aws ssm get-parameters-by-path --query 'Parameters[*].[Name, Description, Type, Value]' --path /<department_name>/ --recursive --with-decryption --region eu-west-1 --output textYou can do more with grep
aws ssm get-parameters-by-path --query 'Parameters[*].[Name, Description, Type, Value]' --path /<department_name>/ --recursive --with-decryption --region eu-west-1 --output text | grep urlMore …
aws ssm describe-parameters --query 'Parameters[*].[Name, Description, Type]' --region us-west-2 --output table | grep db-url | awk '{print $3}'More Examples:
Create a Secure String Parameter (AWS CLI)
Run the following command to create a parameter.
aws ssm put-parameter — name “parameter_name” — value “parameter value” — type SecureString — key-id “alias name"aws ssm put-parameter --name /Finance/Payroll/QuickbookSheetPassd --value "WaYrewW)ou" --type SecureString --key-id alias/finance
Run the following command to verify the details of the parameter.
aws ssm get-parameters --name "/Finance/Payroll/QuickbookSheetPassd" --with-decryptionThank You!!!
