When an application is deployed across several environments, it is unsafe from a security standpoint to keep critical information such as DB passwords and connection strings in version control, even in a repository with restricted access. Some teams store these values in a vault, which is difficult to maintain, and in the worst case they hardcode the values in the source code checked into their versioning system. This is not good practice, as it broadens your security gaps.
AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data and secrets management. You can store your configuration values, such as passwords, database credentials, etc., at no extra cost.
You can store 3 different types of data:
- String
- String List
- Secure String
Let’s focus on Secure String in this blog, since its values are stored encrypted with a KMS key, and see how to store and retrieve such keys. Parameter Store also supports hierarchies, meaning the keys can be organized in a structured, path-like way. Let’s understand this with an example:
Suppose you want to store the key named ‘abc’ for the application named ‘TestApp’ and the Production environment.
We will store it as: /Prod/TestApp/abc
Adding Keys:
You can add the keys via AWS console or create them programmatically using API/SDK/CLI.
To add keys through AWS SSM Console:
- Sign in to your AWS Console and select an appropriate region.
- Under Services, click on Systems Manager.
- On the left side pane, scroll down and click on the Parameter Store.
- Click on Create Parameter.
- Enter the Name of the key you want to store, for example /Prod/TestApp/abc
- Enter a Description (optional).
- Select Secure String. Under KMS key source, select My current account if you want to use the KMS key present in your account.
- From the drop-down list, select the KMS Key ID you want to use to encrypt the values.
- Enter the Value you need to store and click Create Parameter.
Accessing Values:
To access these values in your application, you can use the AWS API/SDK/CLI or view them in the Console. For example, here is how to retrieve the value with the AWS CLI:
aws --region=us-east-1 ssm get-parameters --names "/Prod/TestApp/abc" --with-decryption
This returns the decrypted value. For the command to succeed, the user or role running it needs permission to use the KMS key that encrypted the parameter.
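The two procedures above (creating a Secure String and reading it back with decryption) done programmatically, as an added example that is not from the original post. It uses the /<Env>/<App>/<key> naming scheme described earlier and calls the SSM API through whatever client object is passed in; `ConstructedSsmClient` is a hypothetical, network-free stand-in with canned responses, and `alias/placeholder-key` is a placeholder KMS key id. With boto3 installed you would pass `boto3.client("ssm")` instead and the same functions work unchanged.

```python
from typing import Dict, List


def parameter_name(env: str, app: str, key: str) -> str:
    """Build the hierarchical name used above: ('Prod', 'TestApp', 'abc') -> '/Prod/TestApp/abc'."""
    for part in (env, app, key):
        if not part or "/" in part or part != part.strip():
            raise ValueError(f"invalid path component: {part!r}")
    return "/" + "/".join((env, app, key))


def store_secret(ssm, env: str, app: str, key: str, value: str, kms_key_id: str) -> str:
    """Create a SecureString encrypted with the given KMS key (never silently overwrite).

    Mirrors the console steps: name, type SecureString, KMS key, value.
    Returns the full parameter name that was written.
    """
    name = parameter_name(env, app, key)
    ssm.put_parameter(Name=name, Value=value, Type="SecureString",
                      KeyId=kms_key_id, Overwrite=False)
    return name


def load_app_config(ssm, env: str, app: str) -> Dict[str, str]:
    """Fetch every SecureString under /<env>/<app>/ and return {relative key: decrypted value}.

    WithDecryption=True makes SSM decrypt via KMS before returning, so the caller's
    IAM principal needs permission to use that KMS key. Results are paged, so the
    NextToken loop is required to see more than the first page.
    """
    prefix = f"/{env}/{app}/"
    config: Dict[str, str] = {}
    kwargs = {"Path": prefix, "Recursive": True, "WithDecryption": True}
    while True:
        resp = ssm.get_parameters_by_path(**kwargs)
        for p in resp.get("Parameters", []):
            if p.get("Type") != "SecureString":
                continue  # skip plain String/StringList entries in the same tree
            config[p["Name"][len(prefix):]] = p["Value"]
        token = resp.get("NextToken")
        if not token:
            return config
        kwargs["NextToken"] = token


class ConstructedSsmClient:
    """Constructed stand-in for boto3's SSM client (hypothetical; no network calls)."""

    def __init__(self, pages: List[dict]):
        self._pages = pages
        self.puts: List[dict] = []
        self.gets: List[dict] = []

    def put_parameter(self, **kwargs):
        self.puts.append(dict(kwargs))
        return {"Version": 1}

    def get_parameters_by_path(self, **kwargs):
        self.gets.append(dict(kwargs))
        idx = int(kwargs.get("NextToken", "0"))
        page = dict(self._pages[idx])
        if idx + 1 < len(self._pages):
            page["NextToken"] = str(idx + 1)
        return page


# Constructed sample pages; the values are placeholders, not real credentials.
SAMPLE_PAGES = [
    {"Parameters": [
        {"Name": "/Prod/TestApp/abc", "Type": "SecureString", "Value": "PLACEHOLDER-abc"},
        {"Name": "/Prod/TestApp/db/password", "Type": "SecureString", "Value": "PLACEHOLDER-db"},
    ]},
    {"Parameters": [
        {"Name": "/Prod/TestApp/feature_flag", "Type": "String", "Value": "on"},
    ]},
]


def demo() -> Dict[str, str]:
    """Store one secret, then read the whole /Prod/TestApp/ tree back."""
    client = ConstructedSsmClient(SAMPLE_PAGES)
    store_secret(client, "Prod", "TestApp", "abc", "PLACEHOLDER-abc", "alias/placeholder-key")
    return load_app_config(client, "Prod", "TestApp")


if __name__ == "__main__":
    # Print only the key names: decrypted values should never land in logs.
    for k in sorted(demo()):
        print(k)
```

Reading by path rather than by individual name is what the hierarchy buys you: one call per application and environment returns every secret under that prefix, and nothing from other applications. Keeping `Overwrite=False` on writes means an accidental re-run of a deployment script fails loudly instead of replacing a production credential.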
More information can be found at: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-paramstore.htm