How to get arn of parameter store?
Parameter Store is a service that lets you organize configuration data in a hierarchical format for easier reference. The data can be passwords, keys, URLs or plain strings, stored as key-value pairs either in plain text or encrypted. Parameter Store is integrated with AWS KMS: SecureString values are encrypted with a KMS key, by default the AWS managed key for Systems Manager (aws/ssm), and you can choose a customer managed key instead. In this blog we will use the default key.
Let's compare it with its competitors, HashiCorp Vault and AWS Secrets Manager.
Vault stores secrets in a database or file-system backend, but requires you to manage the root token and unseal keys yourself, which adds operational work.
Next is the AWS-owned Secrets Manager. This service is not free, and rotating custom secrets requires writing Lambda functions, which can become an overhead. Also, a secret's name is treated as a plain string, so slash-separated hierarchies cannot be listed or iterated by path the way Parameter Store paths can.
Some Key Features of Parameter Store include:
Note: Parameter Store is a regional service. Parameters live in the region where they are created, so create them in the same region as the workloads that will read them.
Initial Setup:
Parameter Store can be used both via GUI and terminal.
AWS console:
On CLI:
Use: Both on Console and CLI
a. Enter the name of the parameter you wish to store. For a hierarchical name, separate the levels with "/" (without quotes), and enter the value in the Value field.
CODE: https://gist.github.com/velotiotech/5036949f0f86a9c08f06af36a7df5aed.js
Then in Name enter "/This/is/Key" and in Value write "Value".
b. Select the parameter type: String for plain text, StringList for a comma-separated list (enter the complete list in the value), and SecureString for anything that must be stored encrypted.
c. CLI:
CODE: https://gist.github.com/velotiotech/54bf3c2ff9aa6786f5c5a428fa901404.js
d. If you want to store it encrypted (SecureString):
CODE: https://gist.github.com/velotiotech/586c962fa66fa84f63234fe7c88fc669.js
a. Once stored, parameters are listed on the console.
b. To check any of them, just click on the key. If it is not a SecureString the value is directly visible; if it is a SecureString the value is hidden and you have to explicitly press "Show".
AWS Parameter Overview
c. CLI:
CODE: https://gist.github.com/velotiotech/6d500460a662f58856f5bb94676ff208.js
d. For a SecureString, which is returned in plaintext only when you explicitly request decryption:
CODE: https://gist.github.com/velotiotech/7ed5b11311982f058229af2722b9e6ef.js
e. If you look at the output of the above command you will notice that, although we provided "/This", we did not receive the complete tree: without the --recursive flag, get-parameters-by-path returns only the parameters directly under the given path. To get the whole subtree, modify the command as follows:
CODE: https://gist.github.com/velotiotech/484657c54c0b1ebd371a5073275a7d1e.js
a. Once a value is saved it is automatically stored as version 1. If you click on the parameter and edit it, the version is incremented and the new value is stored as version 2, so earlier values stay available in the history. Keep in mind that this gives you versioning and a change trail, not credential rotation by itself: the credential still has to be changed at the system that accepts it, and the application has to pick up the new version.
b. Type of parameters cannot be changed, you will have to create a new one.
c. CLI: the command itself is self-explanatory; just observe the version number in the output:
CODE: https://gist.github.com/velotiotech/f798f2cdd633cddb5baaeeb99dbc6caf.js
a. Select the parameter, or all the required parameters, and click Delete.
b. CLI:
CODE: https://gist.github.com/velotiotech/a45d1dd3452d4181ca50bda743aa50d2.js
As you can see, the commands are pretty simple, and if you have observed the output you will have noticed that the ARN of each parameter is returned in it. A parameter ARN has the form arn:aws:ssm:<region>:<account-id>:parameter/<name>; for a hierarchical name such as /This/is/Key the ARN ends in parameter/This/is/Key (no double slash). This is the ARN you reference in IAM policies. Below we discuss the IAM roles we can configure to help with access control.
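As an added example (not code from the original post), the following Python builds a parameter ARN from a name, region and account, and parses an ARN printed by the CLI back into its parts, so you can derive the resource string for an IAM policy or check what an ARN refers to. The account ID, region and parameter names used are constructed placeholders.

```python
"""Build and parse Parameter Store parameter ARNs.

Added example, not code from the original post. The account ID, region
and parameter names used below are constructed placeholders.
"""
import re
from dataclasses import dataclass

# arn:<partition>:ssm:<region>:<account-id>:parameter/<name>
# Only the fixed parts are pinned down; the name is whatever follows
# "parameter/".
_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):ssm:"
    r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d+):"
    r"(?P<account>\d{12}):parameter/(?P<name>.+)$"
)


@dataclass(frozen=True)
class ParameterArn:
    partition: str
    region: str
    account: str
    name: str  # hierarchical form, with a leading slash

    def __str__(self) -> str:
        return parameter_arn(self.name, self.region, self.account, self.partition)


def parameter_arn(name: str, region: str, account: str, partition: str = "aws") -> str:
    """Return the ARN for a parameter given its name, region and account."""
    if not re.fullmatch(r"\d{12}", account):
        raise ValueError("account must be a 12-digit AWS account ID")
    if not name or name.endswith("/") or "//" in name:
        raise ValueError(f"invalid parameter name: {name!r}")
    # A hierarchical name ("/This/is/Key") already starts with "/", and the
    # ARN is "...:parameter/This/is/Key", not "...:parameter//This/is/Key".
    # A flat name ("MyKey") needs the separator inserted.
    path = name if name.startswith("/") else "/" + name
    return f"arn:{partition}:ssm:{region}:{account}:parameter{path}"


def parse_parameter_arn(arn: str) -> ParameterArn:
    """Split a parameter ARN into its parts.

    Raises ValueError for anything that is not an SSM parameter ARN, e.g. a
    KMS key ARN or an SSM document ARN, so callers cannot accidentally put
    the wrong resource type into a policy.
    """
    m = _ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a Parameter Store parameter ARN: {arn}")
    return ParameterArn(m["partition"], m["region"], m["account"], "/" + m["name"])


if __name__ == "__main__":
    arn = parameter_arn("/This/is/Key", "us-east-1", "123456789012")
    print(arn)
    print(parse_parameter_arn(arn))
```

The parser rejects non-parameter ARNs deliberately: a policy that mistakenly lists a KMS key ARN under ssm actions grants nothing, and failing early is easier to debug than an AccessDenied at runtime.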
Remember that we are storing some very critical data in Parameter Store, therefore access to that data must be well controlled. If a new developer joins the team and is mistakenly given full access over the parameters, they might end up modifying or deleting production parameters. This is something we really don't want.
Generally, it is good practice to have roles and policies predefined so that only the person responsible has access to the data they need. Control over parameters can be applied at a granular level, but for this blog we will take a simple use case. The policies mentioned below can be used as a reference.
Using the Resource element we specify the parameter paths a policy grants access to. For example, if only a system administrator should be able to fetch production credentials, we put the resource arn:aws:ssm:<region>:<account-id>:parameter/production/* in the policy, where production is the top-level hierarchy. Everything stored under /production then becomes accessible to that policy; to fine-tune it further, add more path segments after parameter/production/.
Below are some policies that can be applied to a group, user or role, per class of server. Depending on the requirement, an explicit deny on the production path can also be applied to developers.
For Production Servers:
SSMProdReadOnly:
CODE: https://gist.github.com/velotiotech/e823989d473c11d73e1128451342d055.js
SSMProdWriteOnly:
CODE: https://gist.github.com/velotiotech/37f8a469b335d51ceb4c493eafa94cc5.js
For Dev Servers:
SSMDevelopmentReadWrite
CODE: https://gist.github.com/velotiotech/6fb15d530148255a09aa2ae04caf7de1.js
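The three policies above are linked as gists, so as an added example (not the author's policy documents) here is Python that generates equivalent least-privilege policies for a /production and a /development hierarchy and checks them with a small evaluator that models the IAM rule "explicit Deny wins, then any Allow, else implicit deny". Region, account ID and the two prefixes are constructed placeholders. Two details the generated documents take care of: DescribeParameters does not support resource-level permissions and needs Resource "*", and GetParametersByPath on the path /production itself is authorized against parameter/production, not parameter/production/*, so both resources are listed. If your SecureStrings use a customer managed KMS key, the reader also needs kms:Decrypt on that key; these policies cover only the ssm actions.

```python
"""Generate least-privilege IAM policies for Parameter Store paths and
check them with a simplified evaluator.

Added example, not the policies from the original post. Region, account ID
and the /production and /development prefixes are constructed placeholders.
"""
import fnmatch
import json

READ_ACTIONS = ["ssm:GetParameter", "ssm:GetParameters",
                "ssm:GetParametersByPath", "ssm:GetParameterHistory"]
WRITE_ACTIONS = ["ssm:PutParameter", "ssm:DeleteParameter", "ssm:DeleteParameters"]


def path_resources(prefix: str, region: str, account: str) -> list:
    """ARNs covering a hierarchy: the node itself (needed for
    GetParametersByPath on that path) and everything below it.
    "/production/*" rather than "/production*" so that a sibling such as
    /production-legacy is not accidentally covered."""
    base = f"arn:aws:ssm:{region}:{account}:parameter{prefix.rstrip('/')}"
    return [base, base + "/*"]


def statement(effect: str, actions, resources, sid: str) -> dict:
    return {"Sid": sid, "Effect": effect, "Action": list(actions), "Resource": list(resources)}


def policy(*statements: dict) -> dict:
    return {"Version": "2012-10-17", "Statement": list(statements)}


def prod_read_only(region: str, account: str) -> dict:
    return policy(
        statement("Allow", READ_ACTIONS, path_resources("/production", region, account), "ReadProd"),
        # DescribeParameters has no resource-level permissions; it exposes
        # names and metadata only, never values.
        statement("Allow", ["ssm:DescribeParameters"], ["*"], "ListParams"),
    )


def prod_write_only(region: str, account: str) -> dict:
    return policy(statement("Allow", WRITE_ACTIONS, path_resources("/production", region, account), "WriteProd"))


def dev_read_write(region: str, account: str) -> dict:
    return policy(
        statement("Allow", READ_ACTIONS + WRITE_ACTIONS, path_resources("/development", region, account), "DevReadWrite"),
        # An explicit Deny beats an Allow granted by any other attached policy.
        statement("Deny", ["ssm:*"], path_resources("/production", region, account), "NoProd"),
    )


def is_allowed(doc: dict, action: str, resource_arn: str) -> bool:
    """Simplified evaluation of one identity policy: explicit Deny wins,
    otherwise any matching Allow grants, otherwise implicit deny.
    Conditions, resource policies, permission boundaries and SCPs are not
    modeled. Action names are case-insensitive in IAM; ARNs are not."""
    allowed = False
    for st in doc["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in acts):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in res):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(dev_read_write("us-east-1", "123456789012"), indent=2))
```

Run the module to print the developer policy as JSON ready for `aws iam create-policy --policy-document`; the evaluator is only a local sanity check, and the IAM policy simulator remains the authoritative way to test a policy against real principals.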
--debug (boolean)
Turn on debug logging.
--endpoint-url (string)
Override command’s default URL with the given URL.
--no-verify-ssl (boolean)
By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates. This option overrides the default behavior of verifying SSL certificates.
--no-paginate (boolean)
Disable automatic pagination.
--output (string)
The formatting style for command output.
--query (string)
A JMESPath query to use in filtering the response data.
--profile (string)
Use a specific profile from your credential file.
--region (string)
The region to use. Overrides config/env settings.
--version (string)
Display the version of this tool.
--color (string)
Turn on/off color output.
--no-sign-request (boolean)
Do not sign requests. Credentials will not be loaded if this argument is provided.
--ca-bundle (string)
The CA certificate bundle to use when verifying SSL certificates. Overrides config/env settings.
--cli-read-timeout (int)
The maximum socket read time in seconds. If the value is set to 0, the socket read will be blocking and not timeout. The default value is 60 seconds.
--cli-connect-timeout (int)
The maximum socket connect time in seconds. If the value is set to 0, the socket connect will be blocking and not timeout. The default value is 60 seconds.
--cli-binary-format (string)
The formatting style to be used for binary blobs. The default format is base64. The base64 format expects binary blobs to be provided as a base64 encoded string. The raw-in-base64-out format preserves compatibility with AWS CLI V1 behavior and binary values must be passed literally. When providing contents from a file that map to a binary blob fileb:// will always be treated as binary and use the file contents directly regardless of the cli-binary-format setting. When using file:// the file contents will need to be properly formatted for the configured cli-binary-format.
--no-cli-pager (boolean)
Disable cli pager for output.
--cli-auto-prompt (boolean)
- Go to the Lambda dashboard.
- Choose Author from scratch.
- Expand the Change default execution role.
- This will create the Lambda function.
- Scroll down, then click the Configuration tab.
- Click Add environment variable.
- In the Code tab, paste the script that will allow the Lambda function to retrieve the SSM Parameter values.
AWS Systems Manager is a product designed to help you manage large fleets of servers deployed in the cloud. For instance, it provides remote connections to systems, security and patch updates, remote command execution, and other administration tasks at scale.
It also provides a feature called the Parameter Store. The parameter store is a superb place to store centralized data like API keys, database strings, passwords, and other configuration data.
The Parameter Store is a great way to make your application less stateful and improve your ability to deploy across several environments. The parameter store has a few advantages over other methods of managing variables:
I choose parameters over environment variables because I can update the parameter in one location and the changes are instantly available to any code using the parameter.
Perhaps the most interesting thing about the Parameter Store is the hierarchy structure. Hierarchies are parameters that start with a slash. They are a great way to organize parameters in a manageable fashion. I often create parameters for dev, test, and prod.
This is a painless way to separate and manage parameters even when you have thousands of them.
A parameter is a piece of data stored within AWS Systems Manager Parameter Store. AWS provides no validation on any parameters (with one exception covered later).
There are three types of Parameter Store parameters (and a fourth kinda-weird bonus type).
Strings are exactly what you expect. Strings are any block of text such as Hello World, test, or wow this is a great blog post.
StringList is, again, rather intuitive. A StringList is a collection of strings separated by a comma. For example, Cat,Dog,Rabbit and Mercury,Mars,Melons are two examples of string lists.
SecureString is used for sensitive data like passwords and API keys. Data stored in a SecureString parameter is encrypted using a key managed by the AWS Key Management Service. You should know that standard parameters are free to use, but AWS will charge you for the Key Management Service as usual.
There is one strange "bonus" type you should know. When creating a String parameter, you can pass the additional option --data-type aws:ec2:image and supply an Amazon Machine Image ID as the value.
The parameter store will validate that the AMI exists, and you can then reference the parameter from other services instead of hard-coding the AMI ID.
There are two tiers of parameters: standard and advanced. Advanced parameters allow larger values (up to 8 KB rather than 4 KB), more parameters per account and region, and parameter policies, which can set parameter expiration, notify you before a parameter expires, and let you know if a parameter hasn't changed in a while.
You can upgrade a standard parameter to advanced, but you can never downgrade it back to standard. There's really no reason to use an advanced parameter unless you run up against one of the standard-tier limits or you need the policies they offer for expiration and notifications.
Intelligent tiering is a blend of the two options. When you select it, the parameter store inspects each parameter to see if it requires advanced features. If it does, the store automatically upgrades the parameter to the advanced tier.
Intelligent tiering helps control cost and prevents failures caused by hitting the limit on standard parameters or trying to store a value larger than 4 KB. If you don't mind spending the money on advanced parameters, it's worth considering.
You’ll need to install and configure the AWS CLI if you haven’t already.
Creating parameters is very easy: put-parameter is the built-in command for it.
To create a SecureString, pass --type SecureString. Add --key-id with a KMS key ID or ARN if you want a customer managed key; otherwise the AWS managed key for Systems Manager is used.
Getting parameters is even more fun. To get a parameter by name, use get-parameter (or get-parameters with --names for several at once).
SecureString parameters come back as ciphertext unless you add the --with-decryption flag.
You can get all the parameters in a hierarchy with get-parameters-by-path (add --recursive to include nested levels),
and use describe-parameters to query parameters by type or other metadata.
Versioning is another great feature of the parameter store. If you overwrite a parameter that already exists, the parameter’s version will increment.
Let's inspect the parameter's history with get-parameter-history.
Parameter policies (an advanced-tier feature) allow you to set expirations for parameters, get notified before a parameter expires, and also get notified if a parameter hasn't changed in a while. Don't ask me why policies are only good for these three things, but that's how it works. Maybe AWS will add more options.
You can set an expiration time with an Expiration policy.
You can set up a notification before a parameter expires with an ExpirationNotification policy.
And finally, you can set up a notification if a parameter has not changed in a set time period with a NoChangeNotification policy.
Assigning a parameter policy with the AWS CLI is relatively straightforward: pass the policies as a JSON array to --policies on put-parameter, together with --tier Advanced.
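As an added example (not the author's command), the Python below builds the --policies JSON for the three policy types described above and assembles the matching put-parameter argument vector. The parameter name, dates and notification windows are constructed placeholders; the document shapes (Type, Version "1.0", Attributes with Timestamp, Before/After and Unit of Days or Hours) follow the AWS documentation for parameter policies.

```python
"""Build the --policies JSON for advanced-tier parameters and the
matching put-parameter command line.

Added example, not the author's command. The parameter name, dates and
windows are constructed placeholders.
"""
import json
import shlex
from datetime import datetime, timezone

_UNITS = {"Days", "Hours"}


def _window(kind: str, key: str, amount: int, unit: str) -> dict:
    if unit not in _UNITS:
        raise ValueError(f"unit must be one of {sorted(_UNITS)}")
    if not isinstance(amount, int) or amount <= 0:
        raise ValueError("amount must be a positive integer")
    # The API expects the number as a string, not a JSON number.
    return {"Type": kind, "Version": "1.0", "Attributes": {key: str(amount), "Unit": unit}}


def expiration(at) -> dict:
    """Delete the parameter at `at` (ISO-8601 string or timezone-aware
    datetime, in the future)."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    if at.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    if at <= datetime.now(timezone.utc):
        raise ValueError("expiration must be in the future")
    ts = at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"Type": "Expiration", "Version": "1.0", "Attributes": {"Timestamp": ts}}


def expiration_notification(before: int, unit: str = "Days") -> dict:
    """Emit an EventBridge event `before` units ahead of the Expiration."""
    return _window("ExpirationNotification", "Before", before, unit)


def no_change_notification(after: int, unit: str = "Days") -> dict:
    """Emit an EventBridge event if the value is not updated for `after`
    units; useful for catching credentials that were meant to be rotated."""
    return _window("NoChangeNotification", "After", after, unit)


def policies_json(*policies: dict) -> str:
    """Serialise the policies for --policies. A parameter holds at most 10,
    and a notification policy only makes sense next to an Expiration."""
    if not 0 < len(policies) <= 10:
        raise ValueError("between 1 and 10 policies are allowed")
    types = [p["Type"] for p in policies]
    if "ExpirationNotification" in types and "Expiration" not in types:
        raise ValueError("ExpirationNotification requires an Expiration policy")
    return json.dumps(list(policies), separators=(",", ":"))


def put_parameter_command(name: str, policies: str, value_file: str = "secret.txt") -> list:
    """Argument vector for the CLI call. Policies need --tier Advanced; the
    value is read from a file (file://) so the secret stays out of shell
    history and process listings."""
    return ["aws", "ssm", "put-parameter", "--name", name, "--type", "SecureString",
            "--value", f"file://{value_file}", "--tier", "Advanced",
            "--policies", policies, "--overwrite"]


if __name__ == "__main__":
    doc = policies_json(expiration("2099-01-01T00:00:00+00:00"),
                        expiration_notification(30), no_change_notification(20))
    print(shlex.join(put_parameter_command("/prod/db/password", doc)))
```

The printed line is safe to paste into a shell because shlex.join quotes the JSON; the notifications only fire if an EventBridge rule for Parameter Store events is in place to route them somewhere.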
If you want to use the Parameter Store with other services (you probably do), you’ll need to grant that service access via a service role.
I’ve included a role here which will give you access to the Parameter Store for whatever service assumes the role (Just don’t forget to attach this to your service role).
If you require more strict access control, you can limit access to read-only or only allow access to certain parameters.
Obviously, no service would be complete without a way to interact with it from code, and the Parameter Store is no exception. The AWS SDK, in my case Boto3 since I use Python, offers a straightforward way to interface with the Parameter Store.
For example, in the code below I access three different prefixes based on a single environment variable set on the host (you can do this with EC2 user data or a Dockerfile) and then my application knows which set of parameters to retrieve. I use it to a variety of things including API keys, log file locations, ports, debug status, and more.
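The author's Boto3 script is not reproduced on this page, so here is an added example (not the author's code, nor the Lambda script from the steps above) that does the job described here and in the earlier sections: it loads a whole hierarchy chosen by an environment variable, follows NextToken pagination (the API returns at most 10 parameters per page), passes Recursive so nested levels are included (the point made about --recursive earlier), and asks for WithDecryption so SecureStrings arrive as plaintext rather than KMS ciphertext. The environment variable name APP_ENV, the parameter names and values in the fake client are constructed placeholders; the real client is boto3.client("ssm"), which exposes the same get_parameters_by_path method and response shape.

```python
"""Load a Parameter Store hierarchy into a dict, handling pagination and
SecureString decryption, in the shape of a Lambda handler.

Added example, not code from either blog post. APP_ENV and the sample
parameters in FakeSsmClient are constructed placeholders.
"""
import os


def load_parameters(client, path: str, with_decryption: bool = True) -> dict:
    """Return {relative_name: value} for every parameter under `path`.

    Follows NextToken pagination, requests Recursive=True for the whole
    subtree and WithDecryption so SecureString values are plaintext.
    StringList values are split on commas.
    """
    if not path.startswith("/") or (len(path) > 1 and path.endswith("/")):
        raise ValueError("path must be hierarchical, e.g. /prod/db")
    kwargs = {"Path": path, "Recursive": True, "WithDecryption": with_decryption}
    found = {}
    while True:
        resp = client.get_parameters_by_path(**kwargs)
        for p in resp.get("Parameters", []):
            rel = p["Name"][len(path):].lstrip("/")
            found[rel] = p["Value"].split(",") if p["Type"] == "StringList" else p["Value"]
        token = resp.get("NextToken")
        if not token:
            return found
        kwargs["NextToken"] = token


def handler(event, context):
    """Lambda entry point. APP_ENV (assumed Lambda environment variable)
    selects the hierarchy, e.g. /prod or /dev. Only the parameter names are
    returned, never the values, so secrets do not end up in CloudWatch
    logs or the invocation response."""
    import boto3  # imported here so the offline demo below needs no AWS SDK
    config = load_parameters(boto3.client("ssm"), "/" + os.environ.get("APP_ENV", "dev"))
    return {"loaded": sorted(config)}


class FakeSsmClient:
    """Offline stand-in for boto3's SSM client with constructed data and a
    page size of 2 so pagination is actually exercised."""

    PAGE_SIZE = 2

    def __init__(self, parameters):
        self._params = parameters  # list of (Name, Type, Value)

    def get_parameters_by_path(self, Path, Recursive=False, WithDecryption=False, NextToken=None, **_):
        prefix = Path.rstrip("/") + "/"  # "/prod/" so that /production is not matched
        matches = []
        for name, ptype, value in self._params:
            if not name.startswith(prefix):
                continue
            if not Recursive and "/" in name[len(prefix):]:
                continue
            if ptype == "SecureString" and not WithDecryption:
                value = "<kms-ciphertext>"  # the real API returns the KMS ciphertext here
            matches.append({"Name": name, "Type": ptype, "Value": value})
        start = int(NextToken or 0)
        resp = {"Parameters": matches[start:start + self.PAGE_SIZE]}
        if start + self.PAGE_SIZE < len(matches):
            resp["NextToken"] = str(start + self.PAGE_SIZE)
        return resp


SAMPLE = [  # constructed sample hierarchy, not real credentials
    ("/prod/db/host", "String", "db.internal"),
    ("/prod/db/port", "String", "5432"),
    ("/prod/db/password", "SecureString", "s3cr3t"),
    ("/prod/features", "StringList", "audit,mfa"),
    ("/production-legacy/db/host", "String", "old.internal"),
    ("/dev/db/host", "String", "localhost"),
]

if __name__ == "__main__":
    print(sorted(load_parameters(FakeSsmClient(SAMPLE), "/prod")))
```

Run it as a script to see the offline demo; in Lambda, point the handler setting at this module's handler and make sure the execution role has ssm:GetParametersByPath on the hierarchy (plus kms:Decrypt if a customer managed key is used).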