
The parameters can be accessed using the AWS CLI or one of the language-specific AWS client libraries.

...

Get encrypted parameter

...

/NIIS/Test

...

# Get the whole parameter object
$ aws ssm get-parameter --name "/NIIS/Test" --with-decryption --output json

{
    "Parameter": {
        "Name": "/NIIS/Test",
        "Type": "SecureString",
        "Value": "MySecureString",
        "Version": 1,
        "Selector": "",
        "LastModifiedDate": 1562562294.084,
        "ARN": "arn:aws:ssm:region:account-id:parameter/NIIS/Test"
    }
}
# Get parameter value only
$ aws ssm get-parameter --name "/NIIS/Test" --with-decryption --output json | jq -r '.Parameter.Value'

MySecureString

Parameters can be stored in plain text (String) or encrypted (SecureString). When encryption is used, the parameter is protected either with the AWS managed key for SSM in the account (alias aws/ssm) or with a customer-managed CMK in the account. Either way, the user or service accessing the parameter must have sufficient permissions both to decrypt with the encryption key and to read the parameter itself.

Note

Currently AWS CloudFormation doesn't support the SecureString parameter type. This means that encrypted parameters must be created manually or using an additional script; they cannot be created using CloudFormation.

The following IAM policy gives access to a specified parameter encrypted with the default KMS key for the account. Note that the Resource of the kms:Decrypt statement must be the key ARN (arn:aws:kms:<region>:<account-id>:key/<key-id>), not an alias: an alias ARN such as alias/aws/ssm is not a valid resource for cryptographic operations, so a policy written against it leaves the Decrypt call denied. The key ID behind the alias can be looked up with aws kms describe-key --key-id alias/aws/ssm.

IAM Policy Example
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "ssm:GetParameter"
         ],
         "Resource":[
            "arn:aws:ssm:<region>:<account-id>:parameter/<parameter-name>"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "kms:Decrypt"
         ],
         "Resource":[
            "arn:aws:kms:<region>:<account-id>:key/<key-id>"
         ]
      }
   ]
}
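The check a reviewer would want to run over a policy like the one above, as an added example that is not part of the original page or of X-Road: it flags a kms:Decrypt statement whose Resource is not a key ARN (an alias, or the malformed key/alias/aws/ssm form, never matches a Decrypt call) and wildcard grants on either action, then shows the corrected policy built from the key ARN returned by aws kms describe-key. The describe-key output, the account ID 123456789012, the region eu-west-1 and the key ID are constructed sample data. The same rules apply to the inline policies in the CloudFormation template below.

```python
"""Least-privilege check for an SSM Parameter Store access policy (added example).

Two mistakes in hand-written policies like the one above are easy to miss:
the kms:Decrypt resource must be a key ARN (arn:aws:kms:<region>:<account>:key/<key-id>),
because an alias ARN, or the malformed "key/alias/aws/ssm", never matches a
Decrypt call; and "*" on either action grants every key or every parameter in
the account. Standard library only; the describe-key output and policies below
are constructed sample data with a fake account and key id.
"""
import json
import re

# Key ARN: the key id is a UUID. Region and account are left loose so <placeholders> pass.
KEY_ARN = re.compile(r"^arn:aws:kms:[^:]*:[^:]*:key/[0-9a-fA-F-]{36}$")
PARAM_ARN = re.compile(r"^arn:aws:ssm:[^:]*:[^:]*:parameter/.+$")

# Constructed output of: aws kms describe-key --key-id alias/aws/ssm  (fake account and key id)
DESCRIBE_KEY_OUTPUT = json.dumps({
    "KeyMetadata": {
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "Arn": "arn:aws:kms:eu-west-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "KeyManager": "AWS",
    }
})

# The policy as written on the page: the kms:Decrypt resource is not a key ARN.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:GetParameter"],
         "Resource": ["arn:aws:ssm:<region>:<account-id>:parameter/<parameter-name>"]},
        {"Effect": "Allow", "Action": ["kms:Decrypt"],
         "Resource": ["arn:aws:kms:<region>:<account-id>:key/alias/aws/ssm"]},
    ],
}


def key_arn_from_describe_key(describe_key_json):
    """Pull the key ARN out of describe-key output; this is what kms:Decrypt must name."""
    return json.loads(describe_key_json)["KeyMetadata"]["Arn"]


def build_policy(parameter_arns, key_arn):
    """Minimal policy: read the named parameters, decrypt only with the key that protects them."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["ssm:GetParameter"], "Resource": list(parameter_arns)},
            {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": [key_arn]},
        ],
    }


def _as_list(value):
    # IAM allows a single string where a list is expected.
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings for Allow statements on ssm:GetParameter / kms:Decrypt; empty list = pass."""
    findings = []
    for n, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        grants_decrypt = any(a in ("kms:decrypt", "kms:*") for a in actions)
        grants_get = any(a in ("ssm:getparameter", "ssm:getparameters", "ssm:*") for a in actions)
        for res in _as_list(stmt.get("Resource", [])):
            if grants_decrypt:
                if res == "*":
                    findings.append(f"statement {n}: kms:Decrypt on every key in the account")
                elif not KEY_ARN.match(res):
                    findings.append(f"statement {n}: kms:Decrypt resource {res!r} is not a key ARN; "
                                    "alias ARNs never match a Decrypt call")
            if grants_get:
                if res == "*" or res.endswith(":parameter/*"):
                    findings.append(f"statement {n}: ssm:GetParameter on every parameter in the account")
                elif not PARAM_ARN.match(res):
                    findings.append(f"statement {n}: ssm:GetParameter resource {res!r} is not a parameter ARN")
    return findings


def demo():
    """Lint the policy from the page, then the corrected one built from the resolved key ARN."""
    key_arn = key_arn_from_describe_key(DESCRIBE_KEY_OUTPUT)
    fixed = build_policy(["arn:aws:ssm:eu-west-1:123456789012:parameter/NIIS/Test"], key_arn)
    return lint_policy(PAGE_POLICY), lint_policy(fixed)


if __name__ == "__main__":
    page_findings, fixed_findings = demo()
    print("policy as written:", *page_findings, sep="\n  ")
    print("corrected policy:", "no findings" if not fixed_findings else fixed_findings)
```

In practice, feed lint_policy the JSON you are about to attach to the role and build_policy the ARN from a real describe-key call; a customer-managed CMK is handled the same way, since its ARN is also of the key/<key-id> form.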
CloudFormation Example
  SSInstance:
    Type: AWS::EC2::Instance
    Properties:
      .
      .
      IamInstanceProfile: !Ref XRdPlaygroundInstanceProfile
      .
      .
  XRdPlaygroundInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: String
      Path: /
      Roles:
        - !Ref XRdPlaygroundRole
  XRdPlaygroundRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: PINCodePolicy
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'ssm:GetParameter'
                Resource:
                  - !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${SSMPINCodeParameterName}'
        - PolicyName: KMSKeyPolicy
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'kms:Decrypt'
                Resource:
                  # Key ARN (not an alias) of the key behind alias/aws/ssm; SSMKmsKeyId is an assumed template parameter holding its key ID
                  - !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${SSMKmsKeyId}'

The above CloudFormation example uses inline policies, but customer-managed policies could be used too.

Storing Security Server PIN Code in SSM

The Security Server PIN code can be stored in SSM. In that case a custom bash script (/usr/share/xroad/autologin/custom-fetch-pin.sh) must be implemented according to the auto-login documentation. The script must fetch the PIN code from SSM and output the PIN code to stdout.

Note

AWS CLI and jq must be installed on the Security Server host.

How to install the AWS CLI on Linux: https://docs.aws.amazon.com/cli/latest/userguide/install-linux.html

/usr/share/xroad/autologin/custom-fetch-pin.sh
#!/bin/bash
# Fetch the Security Server PIN from SSM and print it to stdout for the auto-login hook.
set -euo pipefail
PIN_CODE=$(~/.local/bin/aws ssm get-parameter --name "<parameter-name>" --with-decryption --output json --region <region> | jq -r '.Parameter.Value')
# Exit non-zero rather than hand an empty or "null" PIN to the auto-login
[ -n "${PIN_CODE}" ] && [ "${PIN_CODE}" != "null" ] || exit 1
echo "${PIN_CODE}"
exit 0
