Hello world, it's the AWS parameter store
26 May 2021
Table of Contents
I’d like to help some cloud-newbie sysadmins write automation scripts that reduce the overhead for common tasks and therefore make them more appealing to do frequently (the whole idea behind “infrastructure as code”):
- Making changes that prevent issues with the connection between a production transactional database and its production data warehouse, after spinning up a new nonproduction data warehouse by cloning it from a production server (involves running thousands of commands involving dozens of passwords).
- Changing a database superuser’s password in all the places it needs to be changed so that no integrations break
For a “hello world” project, I decided to write a couple of Linux shell scripts that demonstrate the principle of injecting a secret password into the script at runtime using AWS Systems Manager Parameter Store to store the passwords.
Code
First, through the AWS web console, I created a SecureString in Parameter Store with a name of /pizza/flavors/first/
and a value of green pepper
.
Next, I put two shell scripts on a Linux machine that was logged into the AWS CLI tool with permission to manipulate the Parameter Store:
hellopizza.sh
var="I like $1 pizza";
echo "$var"
paramstore.sh
thekey="/pizza/flavors/$1";
thetopping=`aws ssm get-parameters --names $thekey --with-decryption --query "Parameters[*].{Value:Value}" --output text --region us-west-2`
./hellopizza.sh "$thetopping"
Tests
Success
To run my code, I typed:
./paramstore.sh first
And we have a winner! The output was:
I like green pepper pizza
Errors
Not yet having a key named second
, I tried this to make sure it would fail:
./paramstore.sh second
Sure enough, it did (note the double gap between like
and pizza
):
I like pizza
If I ran ./paramstore.sh first
without proper authentication, I would get one of the following two outputs:
An error occurred (ExpiredTokenException) when calling the GetParameters operation: The security token included in the request is expired
I like pizza
An error occurred (AccessDeniedException) when calling the GetParameters operation: User: MY_AWS_USERNAME is not authorized to perform: ssm:GetParameters on resource: MY_AWS_RESOURCE:parameter/C
I like pizza
Further thoughts
That was easy. Too easy. The “dozens of passwords” like green pepper
would only be needed by code running on the server during occasional sysadmin maintenance tasks.
I feel like the running machine shouldn’t normally have ssm:GetParameters
access, and that a sysadmin should have to go into AWS and flip it on before running these scripts, then flip it off as they finish. What do you think?
Future project
A future project might be to repeat this with AWS Secrets Manager.