Hello world, it’s the AWS parameter store

Katie - Jun 16 '21 - - Dev Community

I'd like to help some cloud-newbie sysadmins write automation scripts that reduce the overhead for common tasks and therefore make them more appealing to do frequently (the whole idea behind "infrastructure as code"):

  1. Making changes that prevent issues with the connection between a production transactional database and its production data warehouse after spinning up a new nonproduction data warehouse by cloning it from a production server (this involves running thousands of commands that use dozens of passwords).
  2. Changing a database superuser's password in all the places it needs to be changed so that no integrations break.

For a "hello world" project, I decided to write a couple of Linux shell scripts that demonstrate the principle of injecting a secret password into the script at runtime using AWS Systems Manager Parameter Store to store the passwords.

Code

First, through the AWS web console, I created a SecureString parameter in Parameter Store named /pizza/flavors/first with the value green pepper.

Next, I put two shell scripts on a Linux machine whose AWS CLI was configured with credentials that were allowed to read from Parameter Store:

hellopizza.sh

#!/bin/bash
# Print a greeting built from the first argument (paramstore.sh passes the topping in)
var="I like $1 pizza"
echo "$var"

paramstore.sh

#!/bin/bash
# Build the parameter name from the first argument, e.g. "first" -> /pizza/flavors/first
thekey="/pizza/flavors/$1"
# Fetch the SecureString and decrypt it. --with-decryption needs ssm:GetParameters and,
# for a customer managed KMS key, kms:Decrypt on that key as well.
thetopping=$(aws ssm get-parameters --names "$thekey" --with-decryption --query "Parameters[*].Value" --output text --region us-west-2)
# Hand the decrypted value to the second script as its first argument
./hellopizza.sh "$thetopping"

Tests

Success

To run my code, I typed:

./paramstore.sh first

And we have a winner! The output was:

I like green pepper pizza

Errors

Not yet having a parameter named /pizza/flavors/second, I tried this to make sure it would fail:

./paramstore.sh second

Sure enough, it did. get-parameters does not treat an unknown name as an error: it lists the name under InvalidParameters and exits 0, so $thetopping is simply empty (note the double space between like and pizza):

I like  pizza

If I ran ./paramstore.sh first with expired credentials, or with credentials that lacked ssm:GetParameters, the CLI printed an error on stderr but the script carried on with an empty value, giving one of the following two outputs:

An error occurred (ExpiredTokenException) when calling the GetParameters operation: The security token included in the request is expired
I like  pizza
An error occurred (AccessDeniedException) when calling the GetParameters operation: User: MY_AWS_USERNAME is not authorized to perform: ssm:GetParameters on resource: MY_AWS_RESOURCE:parameter/C
I like  pizza
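Both failures above have the same shape: an unknown name, an expired token or a denied request all leave $thetopping empty, hellopizza.sh runs anyway, and whatever value does come back is handed over on the command line, where any local user can read it with ps or from /proc/<pid>/cmdline. The following is an added example (my own, not code from Katie's post) of the same flow hardened on both counts: it uses get-parameter (singular), which exits non-zero for a missing name, refuses to continue on an empty value, and passes the secret to the consumer through its environment rather than argv. It assumes bash, a region of us-west-2 unless AWS_REGION is set, and that the aws binary can be swapped for a stub through an AWS_CMD variable; fake_aws and the values it returns are constructed so the script can be run offline.

```shell
#!/bin/bash
# Added example: hardened version of the paramstore.sh / hellopizza.sh flow.
# AWS_CMD lets the real CLI be replaced by a stub for offline runs (assumption,
# not something the original scripts did).

# Fetch one SecureString, decrypted. Fails closed: a CLI error (unknown name,
# expired token, AccessDenied) or an empty value is an error instead of "".
get_secret() {
  local name="$1" value
  value=$("${AWS_CMD:-aws}" ssm get-parameter --name "$name" --with-decryption \
            --query 'Parameter.Value' --output text \
            --region "${AWS_REGION:-us-west-2}") || return 1
  [ -n "$value" ] || return 1
  printf '%s' "$value"
}

# The consumer reads the secret from its environment, not from $1: argv of every
# process is readable by every local user, the environment only by the same
# user and root.
hello_pizza() {
  [ -n "$PIZZA_TOPPING" ] || { echo "PIZZA_TOPPING not set" >&2; return 1; }
  printf 'I like %s pizza\n' "$PIZZA_TOPPING"
}

# Glue: look the flavor up, then hand it to the consumer via the environment.
say_pizza() {
  local key="/pizza/flavors/$1" topping
  topping=$(get_secret "$key") || { echo "no usable parameter at $key" >&2; return 1; }
  PIZZA_TOPPING="$topping" hello_pizza
}

# Constructed stand-in for the AWS CLI so the logic runs offline. It imitates
# the real CLI: value on stdout on success, error on stderr plus non-zero exit
# when the parameter does not exist.
fake_aws() {
  # $1=ssm $2=get-parameter $3=--name $4=<parameter name>; the rest is ignored
  case "$4" in
    /pizza/flavors/first) printf 'green pepper\n' ;;
    *) echo "An error occurred (ParameterNotFound) when calling the GetParameter operation: " >&2
       return 254 ;;
  esac
}

if [ "${1:-}" = "--demo" ]; then
  export AWS_CMD=fake_aws   # offline run against the stub; drop this line to query real SSM
  say_pizza first           # prints: I like green pepper pizza
  say_pizza second || echo "second: failed closed (exit $?)"
fi
```

Run it as `bash hardened.sh --demo` to see the two paths offline; with AWS_CMD unset and credentials configured, `say_pizza first` goes to the real CLI. The one behavior the demo can't show is the IAM side: because get_secret stops on any CLI error, an expired token or a missing ssm:GetParameter permission now ends the run instead of producing "I like  pizza".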

Further thoughts

That was easy. Too easy. The "dozens of passwords" like green pepper would only be needed by code running on the server during occasional sysadmin maintenance tasks.

I feel like the running machine shouldn't normally have ssm:GetParameters access, and that a sysadmin should have to go into AWS and flip it on before running these scripts, then flip it off as they finish. What do you think?

Future project

A future project might be to repeat this with AWS Secrets Manager.
