Parameter Store
Part of blogs: https://dev.to/aws-builders/securing-your-secret-using-aws-systems-manager-parameter-store-4h73
License
MIT
Hello, everyone! I hope you are doing fine. I'm going to share how to secure your secret using AWS Systems Manager (Parameter Store).
I break this post into two parts.
We will set up an IAM user. We will use this user to get our secret from Parameter Store.
Go to IAM Pages -> Access Management -> Users -> Add users. Check Access key - Programmatic access and fill in the user name. You can use parameter-store-user as the name. After that, click Next.
In step 2, click Attach existing policies directly and after that click Create Policy. We will use a custom policy.
Note: If you want to learn more about how to set up the policy, please navigate here
You just need to set up the policy like this image. Select Systems Manager as the Service, Read -> GetParameter and GetParameters as the Access Level, and All Resources as the Resources (usually, you will need to define specific parameters or use regex to give access to particular resources only).
Give the policy the name ReadParameterStore.
Select our previously created policy.
Save your credentials. We will use that later.
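To make the note about All Resources concrete, here is an added example (not part of the original post or its repository) that compares the policy as configured above with a variant scoped to the /app path. The account ID 111122223333 is a placeholder, the helper names are hypothetical, and the matcher is a simplification that handles only Allow statements with the `*` and `?` wildcards that IAM resource ARNs accept.

```python
import re

# Constructed values: the account id is a placeholder; the region and the
# /app path are the ones used on this page.
ACCOUNT, REGION = "111122223333", "ap-southeast-1"

# Policy as configured in the walkthrough: two read actions on all resources.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ssm:GetParameter", "ssm:GetParameters"],
    "Resource": "*"}]}

# Same actions, limited to parameters under /app (assumed naming scheme).
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ssm:GetParameter", "ssm:GetParameters"],
    "Resource": f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/app/*"}]}

def param_arn(name):
    """ARN of a parameter; a leading '/' in the name is not doubled."""
    return f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/{name.lstrip('/')}"

def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _listify(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, name):
    """Simplified check: Allow statements only, no Deny/Condition/NotAction."""
    arn = param_arn(name)
    for st in _listify(policy["Statement"]):
        if (st.get("Effect") == "Allow"
                and any(_match(a, action, True) for a in _listify(st["Action"]))
                and any(_match(r, arn) for r in _listify(st["Resource"]))):
            return True
    return False

def readable(policy, names, action="ssm:GetParameter"):
    """Subset of parameter names the policy lets the user read."""
    return [n for n in names if allows(policy, action, n)]

if __name__ == "__main__":
    names = ["/app/db", "/app/cache/token", "/prod/db", "/application/key"]
    print("page policy  :", readable(PAGE_POLICY, names))
    print("scoped policy:", readable(SCOPED_POLICY, names))
```

The trailing slash in `parameter/app/*` is what keeps `/application/key` out of scope; `parameter/app*` would match it.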
Navigate to AWS Systems Manager > Parameter Store. After that, create a parameter. On my side, I created /app/db with type SecureString and used any value.
Time to code. We will start with a small project that gets our secret using the AWS SDK. In this case, I will use .NET and the AWS SDK for .NET. Let's go!
.gitignore. Command: dotnet new gitignore
dotnet new sln
dotnet new webapi -o ParameterStore
dotnet sln add ParameterStore
dotnet add ParameterStore package Amazon.Extensions.Configuration.SystemsManager --version 4.0.0
If you want to visit my repository, please navigate to the link below.
OK, let's continue to code.
Update the Program.cs file. You need to add these lines.
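using Amazon.SimpleSystemsManagement; // needed for IAmazonSimpleSystemsManagement

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
// BEGIN: ADD THESE LINES
// Load the parameters under the /app path into the app configuration.
builder.WebHost.ConfigureAppConfiguration(b => {
    b.AddSystemsManager("/app");
});
// Register the Systems Manager client so it can be injected into controllers.
builder.Services.AddAWSService<IAmazonSimpleSystemsManagement>();
// END: ADD THESE LINES

builder.Services.AddControllers();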
Add ParamStoreController.cs in the Controllers directory.
using Amazon.SimpleSystemsManagement;
using Amazon.SimpleSystemsManagement.Model;
using Microsoft.AspNetCore.Mvc;

namespace ParameterStore.Controllers;

[ApiController]
[Route("[controller]")]
public class ParamStoreController : ControllerBase
{
    private readonly ILogger<ParamStoreController> _logger;
    private readonly IAmazonSimpleSystemsManagement _ssmClient;

    public ParamStoreController(IAmazonSimpleSystemsManagement ssmClient, ILogger<ParamStoreController> logger)
    {
        _ssmClient = ssmClient;
        _logger = logger;
    }

    // Returns the value of the parameter named in the query string.
    [HttpGet(Name = "GetParameterStore")]
    public async Task<string> GetAsync([FromQuery] string parameterName)
    {
        var request = new GetParameterRequest() {
            Name = parameterName
        };
        var param = await _ssmClient.GetParameterAsync(request);
        return param.Parameter.Value;
    }
}
It's easy, right? You can use IAmazonSimpleSystemsManagement to access the parameter. Please make sure you've set up the credentials. On my side, I use this appsettings.json.
"AWS": {
    "Profile": "paramstore",
    "Region": "ap-southeast-1"
}
Run our project. Command: dotnet run --project ParameterStore
Test our project. You can use Postman, curl, or other tools. You will get the encrypted data.
If you want to get the decrypted value, you will need to update the request like this.
var request = new GetParameterRequest() {
    Name = parameterName,
    WithDecryption = true,
};
Please check the difference.
Thank you for reading. I hope it will be useful. If you have any feedback, please add it in the comments.