How to Store the PIN Code in the AWS Systems Manager Parameter Store?

X-Road Autologin utility can be used to automatically enter the PIN code after xroad-signer has started. The utility can be used to automate entering the PIN code after rebooting the host server. This article explains how the PIN code can be securely stored in the AWS Systems Manager Parameter Store so that the Autologin utility is able to read it from there.

AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, and license codes as parameter values. You can store values as plain text or encrypted data. You can then reference values by using the unique name that you specified when you created the parameter.

More information about the AWS Systems Manager Parameter Store can be found at: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html

Accessing the Parameters

The parameters can be accessed using AWS CLI or one of the language specific AWS client libraries.

Get encrypted parameter /NIIS/Test
# Get the whole parameter object $ aws ssm get-parameter --name "/NIIS/Test" --with-decryption --output json { "Parameter": { "Name": "/NIIS/Test", "Type": "SecureString", "Value": "MySecureString", "Version": 1, "Selector": "", "LastModifiedDate": 1562562294.084, "ARN": "arn:aws:ssm:region:account-id:parameter/NIIS/Test" } } # Get parameter value only $ aws ssm get-parameter --name "/NIIS/Test" --with-decryption --output json | jq -r '.Parameter.Value' MySecureString

Parameters can be stored plain text or encrypted. When encryption is used, it's possible to use the default KMS key for the account or specify a customer-managed CMK for this account. Either way, the user or service accessing the parameter must have sufficient permissions to access the encryption key and the parameter itself.

Currenlty AWS CloudFormation doesn't support the SecureString parameter type. This means that encrypted parameters must be created manually or using an additional script - they cannot be created using CloudFormation. Read more.

The following IAM policy gives access to a specified parameter encrypted with the default KMS key for the account.

IAM Policy Example
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "ssm:GetParameter" ], "Resource":[ "arn:aws:ssm:<region>:<account-id>:parameter/<parameter-name>" ] }, { "Effect":"Allow", "Action":[ "kms:Decrypt" ], "Resource":[ "arn:aws:kms:<region>:<account-id>:key/alias/aws/ssm" ] } ] }
CloudFormation Example
SSInstance: Type: AWS::EC2::Instance Properties: . . IamInstanceProfile: !Ref XRdPlaygroundInstanceProfile . . XRdPlaygroundInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: InstanceProfileName: String Path: / Roles: - !Ref XRdPlaygroundRole XRdPlaygroundRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - 'sts:AssumeRole' Path: / Policies: - PolicyName: PINCodePolicy PolicyDocument: Statement: - Effect: Allow Action: - 'ssm:GetParameter' Resource: - !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${SSMPINCodeParameterName}' - PolicyName: KMSKeyPolicy PolicyDocument: Statement: - Effect: Allow Action: - 'kms:Decrypt' Resource: - !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/alias/aws/ssm'

The above CloudFormation example uses inline policies, but customer managed policies could be used too.

Storing Security Server PIN Code in SSM

Security Server PIN code can be stored in SSM. In that case a custom bash script (/usr/share/xroad/autologin/custom-fetch-pin.sh) must be implemented according to the auto-login documentation. The script must fetch the PIN code from SSM and output the PIN code to stdout. AWS CLI and jq must be installed on the Security Server. Read more about installing the AWS CLI on Linux.

/usr/share/xroad/autologin/custom-fetch-pin.sh

Related articles

 

 

Â