The X-Road Autologin utility can be used to enter the PIN code automatically after xroad-signer has started, for example after the host server has been rebooted. This article explains how the PIN code can be stored securely in the AWS Systems Manager (SSM) Parameter Store so that the Autologin utility can read it from there.
AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, and license codes as parameter values. You can store values as plain text or encrypted data. You can then reference values by using the unique name that you specified when you created the parameter.
Accessing the Parameters
The parameters can be accessed using the AWS CLI or one of the language-specific AWS client libraries.
Get encrypted parameter "/NIIS/Test":

```shell
# Get the whole parameter object
$ aws ssm get-parameter --name "/NIIS/Test" --with-decryption --output json
{
    "Parameter": {
        "Name": "/NIIS/Test",
        "Type": "SecureString",
        "Value": "MySecureString",
        "Version": 1,
        "Selector": "",
        "LastModifiedDate": 1562562294.084,
        "ARN": "arn:aws:ssm:region:account-id:parameter/NIIS/Test"
    }
}

# Get parameter value only
$ aws ssm get-parameter --name "/NIIS/Test" --with-decryption --output json | jq -r '.Parameter.Value'
MySecureString
```
Parameters can be stored as plain text or encrypted. When encryption is used, it is possible to use the default KMS key for the account or to specify a customer-managed CMK in the account. Either way, the user or service accessing the parameter must have sufficient permissions for both the encryption key and the parameter itself.
Note: Currently AWS CloudFormation doesn't support the SecureString parameter type. This means that encrypted parameters must be created manually or using an additional script; they cannot be created using CloudFormation.
The following IAM policy gives access to a specified parameter encrypted with the default KMS key for the account. Note that IAM evaluates "kms:Decrypt" against the key ARN ("arn:aws:kms:<region>:<account-id>:key/<key-id>"), so the "key/alias/aws/ssm" resource used in the examples below should be replaced with the ARN of the key that the "alias/aws/ssm" alias points to (shown by "aws kms describe-key --key-id alias/aws/ssm").
IAM Policy Example:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter"
            ],
            "Resource": [
                "arn:aws:ssm:<region>:<account-id>:parameter/<parameter-name>"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:<region>:<account-id>:key/alias/aws/ssm"
            ]
        }
    ]
}
```
CloudFormation Example:

```yaml
SSInstance:
  Type: AWS::EC2::Instance
  Properties:
    # ...
    IamInstanceProfile: !Ref XRdPlaygroundInstanceProfile
    # ...
XRdPlaygroundInstanceProfile:
  Type: AWS::IAM::InstanceProfile
  Properties:
    InstanceProfileName: String
    Path: /
    Roles:
      - !Ref XRdPlaygroundRole
XRdPlaygroundRole:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - ec2.amazonaws.com
          Action:
            - 'sts:AssumeRole'
    Path: /
    Policies:
      - PolicyName: PINCodePolicy
        PolicyDocument:
          Statement:
            - Effect: Allow
              Action:
                - 'ssm:GetParameter'
              Resource:
                - !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${SSMPINCodeParameterName}'
      - PolicyName: KMSKeyPolicy
        PolicyDocument:
          Statement:
            - Effect: Allow
              Action:
                - 'kms:Decrypt'
              Resource:
                - !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/alias/aws/ssm'
```
The CloudFormation example above uses inline policies, but customer-managed policies could be used as well.
Storing Security Server PIN Code in SSM
The Security Server PIN code can be stored in SSM. In that case a custom bash script (/usr/share/xroad/autologin/custom-fetch-pin.sh) must be implemented according to the auto-login documentation. The script must fetch the PIN code from SSM and output only the PIN code to stdout. The AWS CLI and jq must be installed on the Security Server. Read more about installing the AWS CLI on Linux.
/usr/share/xroad/autologin/custom-fetch-pin.sh:

```bash
#!/bin/bash
# Fetch the PIN code from SSM (aws CLI and jq required; adjust the aws path for the user running autologin).
PIN_CODE=$(~/.local/bin/aws ssm get-parameter --name "<parameter-name>" --with-decryption --output json --region <region> | jq -r '.Parameter.Value')
# Fail instead of printing an empty PIN when the lookup returns nothing (jq prints "null" for a missing value).
[ -n "${PIN_CODE}" ] && [ "${PIN_CODE}" != "null" ] || { echo "Failed to fetch PIN code from SSM" >&2; exit 1; }
echo "${PIN_CODE}"
exit 0
```
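The same fetch implemented with boto3, added here as an example that is not part of the X-Road project: it uses the instance profile credentials directly (no aws CLI path or jq dependency) and refuses to hand Autologin a value that is empty, belongs to a different parameter or was not stored as a SecureString. The parameter name "/NIIS/Test", the region and the SAMPLE_RESPONSE are assumptions constructed for illustration.

```python
#!/usr/bin/env python3
"""Alternative custom-fetch-pin.sh implemented with boto3 instead of aws CLI + jq."""
import sys

PARAMETER_NAME = "/NIIS/Test"  # assumption: replace with the real PIN parameter name
REGION = "eu-west-1"           # assumption: replace with the parameter's region

# Constructed sample, mirroring the "aws ssm get-parameter" output shown above.
SAMPLE_RESPONSE = {
    "Parameter": {
        "Name": "/NIIS/Test",
        "Type": "SecureString",
        "Value": "MySecureString",
    }
}


class PinFetchError(Exception):
    """Raised when the parameter cannot be trusted as the Security Server PIN."""


def extract_pin(response: dict, expected_name: str) -> str:
    """Validate a GetParameter response and return the PIN code.
    Rejects another parameter's value, a plain-text (non-SecureString) value and an empty value."""
    param = response.get("Parameter") or {}
    if param.get("Name") != expected_name:
        raise PinFetchError(f"unexpected parameter name {param.get('Name')!r}")
    if param.get("Type") != "SecureString":
        raise PinFetchError("PIN parameter must be stored as a SecureString")
    value = (param.get("Value") or "").strip()
    if not value:
        raise PinFetchError("PIN parameter is empty")
    return value


def fetch_pin(name: str = PARAMETER_NAME, region: str = REGION, client=None) -> str:
    """Fetch and validate the PIN; an SSM client can be injected for testing."""
    if client is None:
        import boto3  # credentials come from the instance profile, no CLI needed
        client = boto3.client("ssm", region_name=region)
    response = client.get_parameter(Name=name, WithDecryption=True)
    return extract_pin(response, name)


if __name__ == "__main__":
    try:
        print(fetch_pin())  # stdout carries only the PIN, as Autologin expects
    except Exception as exc:
        print(f"custom-fetch-pin: {exc}", file=sys.stderr)  # errors go to stderr only
        sys.exit(1)
```

Install it in place of the bash script with execute permission for the Autologin user; a non-zero exit leaves the token locked rather than feeding an empty PIN to xroad-signer.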