This repository has been archived by the owner on Dec 20, 2022. It is now read-only.

SSM Parameters Usage

Devin McCabe edited this page Oct 8, 2019 · 4 revisions

Amazon Simple Systems Manager (SSM)

AWS SSM Param Store is useful as a secrets store, especially since ECS provides support for using SSM Param Store parameters as secrets in ECS container definitions.

You can store sensitive configuration variables as AWS SSM Param Store parameters. Additional permissions, such as allowing access to SSM parameters, may be necessary depending on the application.

DOCUMENTATION: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html

Creating SSM Parameters

Add SSM Parameter under "Systems Manager" -> "Parameters":
https://console.aws.amazon.com/systems-manager/parameters?region=us-east-1

Further instructions on how to fill out the information are in the documentation. Parameters that need to be secret should be of type SecureString, while non-sensitive parameters can be String.

Standard naming convention

When creating the SSM parameter, it's best if the entire team adheres to the same naming conventions/standards.

Please name your parameters as follows: /<project>/<environment>/<descriptive_name_for_the_parameter>.

Good examples:

  • /link/prod/crawl_db_connection_string
  • /link/prod/LINK_APP_DB_CONN
  • /airflow/dev/AIRFLOW__CORE__FERNET_KEY

Bad examples:

  • /link/prod/DB_CONNECTION <- which database?

Parameters can be further organized into a hierarchy, e.g.:

  • /link/prod/web_api/REDIS_URL
  • /link/prod/front_end/REDIS_URL

AWS CLI

aws ssm put-parameter \
  --type "SecureString" \
  --name "/name/of/parameter" \
  --value "secret" \
  --key-id "alias/aws/ssm" \
  --region us-east-1 \
  --overwrite

If the value is a URL, the AWS CLI will attempt to fetch the URL and use its contents as the value. To disable this behavior, add cli_follow_urlparam = false to your ~/.aws/config file.

Accessing SSM Parameters

AWS CLI

AWS CLI Documentation for accessing SSM parameters

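Example (--with-decryption returns SecureString values as plaintext instead of ciphertext):

aws ssm get-parameters [--region us-east-1] --names /link/prod/crawl_db_connection_string --with-decryption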

Python

Python example:

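import boto3
from urllib.parse import urlparse  # Python 3 location of urlparse

# Use the named AWS CLI profile
ssm_session = boto3.Session(profile_name='vpal')
ssm = ssm_session.client('ssm', region_name='us-east-1')

# WithDecryption=True returns the plaintext of a SecureString parameter
v = ssm.get_parameter(
    Name='/link/prod/crawl_db_connection_string',
    WithDecryption=True,
)['Parameter']['Value']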

Documentation for other languages:

  • Javascript: getParameter operation
  • R: Seems to have information on Page 188 - search for "Amazon Simple Systems Manager (SSM)"

The ssm-env repo

This is helpful for injecting SSM parameters into the environment (via .env file) or in Docker.

The repo: https://github.com/remind101/ssm-env

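The Dockerfile should fetch ssm-env from the repo's releases and make it the entrypoint. The example below downloads the v0.0.3 binary and checks it against a pinned MD5 before marking it executable. MD5 catches a corrupted or truncated download, but it is not collision-resistant, so a SHA-256 digest is the stronger pin.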

RUN curl -L https://github.com/remind101/ssm-env/releases/download/v0.0.3/ssm-env > /usr/local/bin/ssm-env && \
      cd /usr/local/bin && \
      echo da4bac1c1937da4689e49b01f1c85e28 ssm-env | md5sum -c && \
      chmod +x ssm-env
. 
. 
ENTRYPOINT ["/usr/local/bin/ssm-env"]

This will allow us to reference SSM parameters as ssm:///PARAMETER in docker-compose.yml so that they are injected into our environment. A docker-compose.yml example:

environment:
    - LINK_APP_DB_CONN=ssm:///link/prod/LINK_APP_DB_CONN

And we can similarly access the parameters in a .env file:

LINK_APP_DB_CONN=ssm:///link/prod/LINK_APP_DB_CONN
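
The ssm:// expansion described above, written out in Python as an added example (it is not ssm-env's code and not code from this wiki). The function names are hypothetical, and the name check assumes the /<project>/<environment>/<name> convention from this page; a reference that cannot be resolved raises an error rather than leaving the literal ssm:// string in the environment.

```python
import re

SSM_PREFIX = "ssm://"
# /<project>/<environment>/<descriptive_name>, deeper hierarchy levels allowed.
NAME_RE = re.compile(r"(/[A-Za-z0-9_.-]+){3,}")

def find_ssm_refs(environ):
    """Map env var -> SSM parameter name for every value written as ssm://<name>."""
    refs = {}
    for key, value in environ.items():
        if value.startswith(SSM_PREFIX):
            name = value[len(SSM_PREFIX):]
            if not NAME_RE.fullmatch(name):
                raise ValueError(f"{key}: {name!r} is not /<project>/<environment>/<name>")
            refs[key] = name
    return refs

def fetch_from_ssm(names, region="us-east-1"):
    """Fetch decrypted values; GetParameters accepts at most 10 names per call."""
    import boto3  # lazy import: the rest of the module runs without AWS access
    ssm = boto3.client("ssm", region_name=region)
    values = {}
    for i in range(0, len(names), 10):
        resp = ssm.get_parameters(Names=names[i:i + 10], WithDecryption=True)
        if resp["InvalidParameters"]:
            raise KeyError(f"not found in SSM: {resp['InvalidParameters']}")
        values.update({p["Name"]: p["Value"] for p in resp["Parameters"]})
    return values

def resolve_env(environ, fetch=fetch_from_ssm):
    """Return a copy of environ with each ssm:// reference replaced by its value."""
    refs = find_ssm_refs(environ)
    values = fetch(sorted(set(refs.values()))) if refs else {}
    # A reference the fetcher did not return raises KeyError instead of leaving
    # the literal ssm:// string in the environment for the application to use.
    return {**environ, **{key: values[name] for key, name in refs.items()}}

if __name__ == "__main__":
    # Constructed sample data: an in-memory stand-in for Parameter Store.
    store = {"/link/prod/LINK_APP_DB_CONN": "postgres://constructed-example"}
    env = {"LINK_APP_DB_CONN": "ssm:///link/prod/LINK_APP_DB_CONN", "TZ": "UTC"}
    resolved = resolve_env(env, fetch=lambda names: {n: store[n] for n in names})
    print(sorted(resolved))  # print variable names only, never the secret values
```

Passing a stub as fetch, as the __main__ block does, lets the name validation be exercised in CI without AWS credentials.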