This article provides a detailed overview of the AWS Systems Manager Parameter Store, and also highlights its key features.
What is AWS Systems Manager Parameter Store?
- AWS came up with a service called Parameter Store to provide secure, hierarchical storage for data & secrets management.
- This service assists users in storing & maintaining their data such as passwords, database strings, AMI-Ids, configuration codes, license keys, etc. The data can be stored as plain text or encrypted data.
- Parameter store can be integrated with any other service and users can easily refer to parameters in their scripts, automation workflows, configurations etc.
- AWS also provides version tracking & auditing. This greatly helps users to improve their security posture.
- In simple terms, Parameter Store is like a key-value store, where the parameter name is the name provided by the user and the value is the secret/data that is associated with the parameter.
In this article, we will discuss the creation and usage of Parameter Store via the console & AWS-CLI. For the article, we are referring to everything in the us-east-1 (N. Virginia) region.
Creating Parameter Via AWS Console
- Log in to the AWS Console. Navigate to Parameter Store under the Systems Manager service.
- Let’s create a new parameter. Provide a name to the parameter. AWS suggests using a path-based naming convention as it is easy to manage when there are parameters created in large numbers.
- Provide the description if possible. This acts as metadata that can help users to identify the nature of parameters.
- Currently, AWS offers two tiers for parameter stores.
  - Standard Tier is the default tier and params can have a value with a max size of 4Kb.
  - Advanced Tier comes with some cost and params can have a value with a max size of 4Kb. Also, parameter policies can be used with this tier (for ex: parameter expiration, change notifications, etc.)
- The TYPE defines the type of value that can be provided to the parameter. Currently, AWS offers three types of parameters for data values.
  - String Type is the default and string parameters consist of any text block. (For Ex: clod123, img-src=1234.sas etc.)
  - AWS also provides default support to store AMI Ids in the String type parameter.
  - StringList types are comma-separated lists of string values. (For Ex: Jan, Feb, March, etc.)
  - SecureString Type is an interesting one. This parameter type is commonly used for sensitive data that needs to be stored & retrieved in a secure way. (For Ex: data such as passwords or license keys etc.)
  - The data that is stored as a SecureString is encrypted & decrypted using an AWS KMS key. By default, AWS uses its default KMS key. Users can also create a customer-managed key and use it with the SecureString type.
- Create the parameter. After creating the param, you can start using that in your SDKs, automation etc.
- You can also edit the parameter as you need. Click on Edit in the top-right corner. A successful edit updates the version as well.
Creating Parameter Via AWS CLI
- Make sure to configure AWS-CLI before getting started.
- We can use the aws ssm put-parameter command to create SSM parameters programmatically. The following snippet will create a simple string-based parameter.
    aws ssm put-parameter \
        --name "/cloudysave/sample_param_1" \
        --value "Star Wars Episode VI" \
        --type "String"
- Now we can update the parameter created above with --overwrite.
    aws ssm put-parameter \
        --name "/cloudysave/sample_param_1" \
        --value "Star Wars Episode VII" \
        --type "String" \
        --overwrite
- Let's create a new SecureString param using the following snippet. No key is specified here, so the value is encrypted with the default AWS KMS key.
    aws ssm put-parameter \
        --name "/cloudysave/sample_param_secure" \
        --value "Jamesbond 007" \
        --type "SecureString" \
        --tags "Key=Watch,Value=Omega"
- We can use get-parameter/get-parameters to fetch the parameters using the CLI.
    aws ssm get-parameters \
        --names /cloudysave/sample_param_1
- If you fetch a secure param without decryption, the value in the output is returned encrypted. Make sure to use --with-decryption to decrypt the value.
    aws ssm get-parameters \
        --names /cloudysave/sample_param_secure \
        --with-decryption
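The parameter types, KMS key choice and path-based naming described above can be checked across an account. The following is an added example, not code from the original article: a Python audit over the JSON printed by `aws ssm describe-parameters`. The name-hint pattern, the function name and the sample data are assumptions made for illustration.

```python
import json
import re

# Name fragments that suggest a secret. This list is an assumption for the
# example; tune it to your own naming scheme.
SECRET_HINT = re.compile(r"pass(word)?|secret|token|license|api[_-]?key|credential", re.I)
DEFAULT_KEY = "alias/aws/ssm"  # KeyId reported when the default AWS-managed key is used


def audit_parameters(describe_output: str) -> list:
    """Return (name, finding) pairs for `aws ssm describe-parameters` JSON output."""
    findings = []
    for p in json.loads(describe_output).get("Parameters", []):
        name, ptype = p["Name"], p["Type"]
        if not name.startswith("/"):
            findings.append((name, "name does not follow the path-based convention"))
        if ptype in ("String", "StringList") and SECRET_HINT.search(name):
            findings.append((name, f"name suggests a secret but type is {ptype}, stored as plain text"))
        if ptype == "SecureString" and p.get("KeyId") == DEFAULT_KEY:
            findings.append((name, "encrypted with the default AWS-managed key, not a customer-managed key"))
    return findings


# Constructed sample shaped like describe-parameters output (values are made up;
# alias/example-cmk is a placeholder for a customer-managed key).
SAMPLE = json.dumps({"Parameters": [
    {"Name": "/cloudysave/sample_param_1", "Type": "String", "Version": 2},
    {"Name": "/cloudysave/sample_param_secure", "Type": "SecureString",
     "KeyId": "alias/aws/ssm", "Version": 1},
    {"Name": "/cloudysave/db_password", "Type": "String", "Version": 1},
    {"Name": "license_key", "Type": "SecureString",
     "KeyId": "alias/example-cmk", "Version": 1},
]})

if __name__ == "__main__":
    for name, finding in audit_parameters(SAMPLE):
        print(f"{name}: {finding}")
```

To run it against a real account, pass the output of `aws ssm describe-parameters` to `audit_parameters` instead of `SAMPLE`. The command returns metadata only, so no parameter values are read.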
AWS Systems Manager Parameter Store is really easy to start with and can integrate with many SDKs & other tools. Go through the following article to understand how to use boto3 to talk with Parameter Store. This article provided a few key details on getting started with Parameter Store.