wallix / awless

A Mighty CLI for AWS
http://awless.io/
Apache License 2.0
4.98k stars 263 forks

aws ssm parameters #148

Open brunetto opened 6 years ago

brunetto commented 6 years ago

Hi, is there a way I didn't find to interact with the SSM service to store and retrieve parameters?

Thanks

simcap commented 6 years ago

Hi @brunetto, there is no integration of SSM as of now, but it seems some good features could be done.

As always with awless we integrate AWS features & services in order to simplify and improve their usage. In your case, are you thinking of the Parameter Store feature of SSM?

If you have any detailed use case or idea of good usage you would like to see with awless, do let us know here.

brunetto commented 6 years ago

Ok, thank you @simcap. I'll read the AWS docs more carefully and think about it and then let you know.

Thank you, and thank you for the great job with awless.

taraspos commented 6 years ago

@brunetto I was thinking about support for SSM params too, we are using it as configuration storage. You can check this lambda func that we wrote: https://github.com/getsocial-rnd/git2params

brunetto commented 6 years ago

Thanks @Trane9991, very nice!! Maybe my considerations and answer are not the best because I'm still quite new to all the AWS "mess". 😆 However, I need to access the parameter store to retrieve some sensitive information (like passwords) to be used in ECS containers. The alternatives are files or env variables, which are not a very safe approach. Because my application is in Go, I managed to retrieve the parameter directly from the application in a few lines. Now I'm trying to understand if it is ok or there is a better option.

The code is like:

package main

import (
    "log"

    "github.com/aws/aws-sdk-go/aws"
    "github.com/aws/aws-sdk-go/aws/session"
    "github.com/aws/aws-sdk-go/service/ssm"
)

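func main() {
    // An empty config leaves credentials and region to the SDK's default resolution.
    s := session.Must(session.NewSession(&aws.Config{}))
    svc := ssm.New(s)

    name := "PARAMETER_NAME"
    names := []*string{&name}
    withDecryption := true

    params := &ssm.GetParametersInput{
        Names: names,
        // Ask SSM to decrypt SecureString values before returning them.
        WithDecryption: &withDecryption,
    }
    resp, err := svc.GetParameters(params)
    if err != nil {
        log.Fatal(err)
    }
    // Unknown names come back in InvalidParameters, not as an error.
    if len(resp.Parameters) == 0 {
        log.Fatalf("parameter %q not found", name)
    }
    p := *resp.Parameters[0].Value
    log.Printf("Parameter is %s", p)
}

awilkins commented 6 years ago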

+1 to this.

Looking to store a GPG passphrase in an SSM parameter. Terraform stores a plaintext copy of the values of SecureString in state, which kinda defeats the point of using them.

simcap commented 6 years ago

Unfortunately, we will not be able to work on that in February. We will review this issue in March and see how best to implement and use it.

lanceofwhichwedream commented 5 years ago

Has any progress been able to be accomplished towards this effort?

Jeeppler commented 5 years ago

Working with the AWS SSM Parameter UI is not fun at all. The AWS CLI is not much better. Here is an example to get the metadata of a secret (not the secret value):

aws ssm describe-parameters --filters "Key=Name,Values=/mygroup/mysecret"
{
    "Parameters": [
        {
            "Name": "/mygroup/mysecret",
            "Type": "String",
            "LastModifiedDate": 1548900241.782,
            "LastModifiedUser": "arn:aws:iam::00000000:user/SomeUser",
            "Version": 2
        }
    ]
}

What I would like is to be able to do something similar to:

awless list parameters
awless list parameters "/the/path/to/my/secrets"
awless show parameter "/the/path/to/my/secrets/database"

Parameters could be shortened to params and param.
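
The `describe-parameters` output quoted in the thread reports `"Type": "String"` for a parameter named as a secret. The following is an added example, not code from the thread or from awless: it parses that JSON shape and flags sensitive-looking names that are not stored as `SecureString`. The `AuditParameters` function, the name hints and the sample input are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"strings"
)

// sensitiveHints is an assumed naming convention; adjust it to your own paths.
var sensitiveHints = []string{"secret", "password", "passphrase", "token"}

// sample is constructed input in the shape of `aws ssm describe-parameters` output.
const sample = `{"Parameters": [
  {"Name": "/mygroup/mysecret", "Type": "String", "Version": 2},
  {"Name": "/mygroup/db/password", "Type": "SecureString", "Version": 1},
  {"Name": "/mygroup/region", "Type": "String", "Version": 1}
]}`

// AuditParameters returns one finding per parameter whose name looks
// sensitive but whose Type is not SecureString (stored unencrypted).
func AuditParameters(describeJSON []byte) ([]string, error) {
	var out struct {
		Parameters []struct {
			Name string `json:"Name"`
			Type string `json:"Type"`
		} `json:"Parameters"`
	}
	if err := json.Unmarshal(describeJSON, &out); err != nil {
		return nil, fmt.Errorf("parse describe-parameters output: %w", err)
	}
	var findings []string
	for _, p := range out.Parameters {
		lower := strings.ToLower(p.Name)
		for _, hint := range sensitiveHints {
			if strings.Contains(lower, hint) && p.Type != "SecureString" {
				findings = append(findings,
					fmt.Sprintf("%s: type %s, expected SecureString", p.Name, p.Type))
				break // one finding per parameter is enough
			}
		}
	}
	return findings, nil
}

func main() {
	findings, err := AuditParameters([]byte(sample))
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(strings.Join(findings, "\n"))
}
```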