How to Store the PIN Code in the AWS Systems Manager Parameter Store?

Owned by Petteri Kivimäki
Nov 11, 2019
5 min read

X-Road Autologin utility can be used to automatically enter the PIN code after xroad-signer has started. The utility can be used to automate entering the PIN code after rebooting the host server. This article explains how the PIN code can be securely stored in the AWS Systems Manager Parameter Store so that the Autologin utility is able to read it from there.

More information about the Autologin utility can be found at: https://github.com/nordic-institute/X-Road/blob/develop/doc/Manuals/Utils/ug-autologin_x-road_v6_autologin_user_guide.md

AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, and license codes as parameter values. You can store values as plain text or encrypted data. You can then reference values by using the unique name that you specified when you created the parameter.

More information about the AWS Systems Manager Parameter Store can be found at: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html

Accessing the Parameters

The parameters can be accessed using AWS CLI or one of the language specific AWS client libraries.

Get encrypted parameter "/NIIS/Test"
# Get the whole parameter object
$ aws ssm get-parameter --name "/NIIS/Test" --with-decryption --output json

{
    "Parameter": {
        "Name": "/NIIS/Test",
        "Type": "SecureString",
        "Value": "MySecureString",
        "Version": 1,
        "Selector": "",
        "LastModifiedDate": 1562562294.084,
        "ARN": "arn:aws:ssm:region:account-id:parameter/NIIS/Test"
    }
}
# Get parameter value only
$ aws ssm get-parameter --name "/NIIS/Test" --with-decryption --output json | jq -r '.Parameter.Value'

MySecureString

Parameters can be stored plain text or encrypted. When encryption is used, it's possible to use the default KMS key for the account or specify a customer-managed CMK for this account. Either way, the user or service accessing the parameter must have sufficient permissions to access the encryption key and the parameter itself.

Currenlty AWS CloudFormation doesn't support the SecureString parameter type. This means that encrypted parameters must be created manually or using an additional script - they cannot be created using CloudFormation. Read more.

The following IAM policy gives access to a specified parameter encrypted with the default KMS key for the account.

IAM Policy Example
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "ssm:GetParameter"
         ],
         "Resource":[
            "arn:aws:ssm:<region>:<account-id>:parameter/<parameter-name>"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "kms:Decrypt"
         ],
         "Resource":[
            "arn:aws:kms:<region>:<account-id>:key/alias/aws/ssm"
         ]
      }
   ]
}
CloudFormation Example
  SSInstance:
    Type: AWS::EC2::Instance
    Properties:
      .
      .
      IamInstanceProfile: !Ref XRdPlaygroundInstanceProfile
      .
      .
  XRdPlaygroundInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: String
      Path: /
      Roles:
        - !Ref XRdPlaygroundRole
  XRdPlaygroundRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: PINCodePolicy
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'ssm:GetParameter'
                Resource:
                  - !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${SSMPINCodeParameterName}'
        - PolicyName: KMSKeyPolicy
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'kms:Decrypt'
                Resource:
                  - !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/alias/aws/ssm'

The above CloudFormation example uses inline policies, but customer managed policies could be used too.

Storing Security Server PIN Code in SSM

Security Server PIN code can be stored in SSM. In that case a custom bash script (/usr/share/xroad/autologin/custom-fetch-pin.sh) must be implemented according to the auto-login documentation. The script must fetch the PIN code from SSM and output the PIN code to stdout. AWS CLI and jq must be installed on the Security Server. Read more about installing the AWS CLI on Linux.

AWS CLI and jq must be installed on the Security Server host.

How to install the AWS CLI on Linux: https://docs.aws.amazon.com/cli/latest/userguide/install-linux.html

/usr/share/xroad/autologin/custom-fetch-pin.sh
#!/bin/bash
PIN_CODE=$(~/.local/bin/aws ssm get-parameter --name "<parameter-name>" --with-decryption --output json --region <region> | jq -r '.Parameter.Value')
echo "${PIN_CODE}"
exit 0