awless icon indicating copy to clipboard operation
awless copied to clipboard

Published 20 hours ago verified publisher icon wallix

aws ssm parameters

Open brunetto opened this issue 7 years ago • 8 comments

Hi, is there a way I didn't find to interact with the SSM service to store and retrieve parameters?

Thanks

brunetto avatar Sep 28 '17 09:09 brunetto

Hi @brunetto, there is no integration of SSM as for now, but it seems some good features could be done.

As always with awless we integrate AWS features & services in order to simplify and improve their usage. In your case, are you thinking of the Parameter Store feature of SSM?

If you have any detailed use case or idea of good usage you would like to see with awless, do let us know here.

simcap avatar Sep 28 '17 10:09 simcap

Ok, thank you @simcap. I'll read more carefully the AWS docs and think about it and then let you know.

Thank you, and thank you for the great job with awless.

brunetto avatar Sep 28 '17 10:09 brunetto

@brunetto I was thinking about support for SSM params too, we are using it as configuration storage. You can check this lambda func that we wrote: https://github.com/getsocial-rnd/git2params

taraspos avatar Sep 28 '17 13:09 taraspos

Thanks @Trane9991, very nice!! Maybe my considerations and answer are not the best because I'm still quite new to all the AWS "mess". 😆 However, I need to access the parameter store to retrieve some sensitive information (like passwords) to be used in ECS containers. The alternative are files or env variables that are not very safe as approach. Because my application is in Go, I managed to retrieve the parameter directly from the application in few lines. Now I'm trying to understand if it is ok or there is a better option.

The code is like:

package main

import (
	"log"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/ssm"
)

func main() {
	s := session.Must(session.NewSession(&aws.Config{}))
	svc := ssm.New(s)

	name := "PARAMETER_NAME"
	names := []*string{&name}
	withDecryption := true

	params := &ssm.GetParametersInput{
		Names: names,
		WithDecryption: &withDecryption,
	}
	resp, err := svc.GetParameters(params)
	if err != nil {
		log.Fatal(err)
	}
        p :=  *resp.Parameters[0].Value
	log.Println("Parameter is %s", p)
}

brunetto avatar Sep 28 '17 14:09 brunetto

+1 to this .

Looking to store a GPG passphrase in an SSM parameter. Terraform stores a plaintext copy of the values of SecureString in state, which kinda defeats the point of using them.

awilkins avatar Feb 05 '18 15:02 awilkins

Unfortunately, we will not be able able to work on that in February. We will review this issue in March and see how best to implement and use it.

simcap avatar Feb 06 '18 10:02 simcap

Has any progress been able to be accomplished towards this effort?

lanceofwhichwedream avatar Oct 24 '18 16:10 lanceofwhichwedream

Working with the AWS SSM Parameter UI is not fun at all. The AWS CLI is not much better. Here is an example to get the metadata of a secret (not the secret value):

aws ssm describe-parameters --filters "Key=Name,Values=/mygroup/mysecret"
{
    "Parameters": [
        {
            "Name": "/mygroup/mysecret",
            "Type": "String",
            "LastModifiedDate": 1548900241.782,
            "LastModifiedUser": "arn:aws:iam::00000000:user/SomeUser",
            "Version": 2
        }
    ]
}

What I would like to be able to do something similar to:

awless list parameters
awless list parameters "/the/path/to/my/secrets"
awless show parameter "/the/path/to/my/secrets/database"

Parameters could be shortened to params and param.

Jeeppler avatar Mar 12 '19 17:03 Jeeppler