Hello, everyone! I hope you are doing fine. I'm going to share how to secure your secret using AWS Systems Manager (Parameter Store).
I've broken this post into two parts.
- Set up an IAM user for retrieving the secret from Parameter Store
- Retrieving code
Set up IAM User
We will set up an IAM user and use it to get our secret from Parameter Store.
- Go to the IAM page -> Access Management -> Users -> Add users. Check `Access key - Programmatic access` and fill in the user name. You can use `parameter-store-user` as the name. After that, click `Next`.
- In step 2, click `Attach existing policies directly`, then click `Create Policy`. We will use a custom policy. Note: If you want to learn more about how to set up the policy, please navigate here.
- Set up the policy as follows. For Service, select `Systems Manager`; for Access Level, select `Read` -> `GetParameter` and `GetParameters`; and for Resources, select `All Resources` (usually, you will need to define specific parameters or use wildcards to give access to particular resources only).
- Give the policy the name `ReadParameterStore`.
- Select our previously created policy.
- Save your credentials. We will use them later.
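As an added example (not part of the original post), here is the `ReadParameterStore` policy scoped to the `/app` path this post uses, instead of All Resources. The account ID `111122223333` is a placeholder, the region is taken from the post's `appsettings.json`, and `ssm:GetParametersByPath` is included on the assumption that the `AddSystemsManager("/app")` configuration provider loads parameters by path.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadAppParametersOnly",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Resource": [
        "arn:aws:ssm:ap-southeast-1:111122223333:parameter/app",
        "arn:aws:ssm:ap-southeast-1:111122223333:parameter/app/*"
      ]
    }
  ]
}
```

If the SecureString is encrypted with a customer managed KMS key rather than the default `aws/ssm` key, the user also needs `kms:Decrypt` on that key.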
Adding Dummy Values in Parameter Store
Navigate to AWS Systems Manager > Parameter Store, then create a parameter. On my side, I created `/app/db` with type `SecureString` and used an arbitrary value.
Set up Project
Time to code. We will use a small project to get our secret using the AWS SDK. In this case, I will use .NET and the AWS SDK for .NET. Let's go!
- Prepare `.gitignore`. Command: `dotnet new gitignore`
- Prepare the solution file. Command: `dotnet new sln`
- Prepare the project using the template. Command: `dotnet new webapi -o ParameterStore`
- Add the project to the solution. Command: `dotnet sln add ParameterStore`
- Install the AWS SDK, especially for Systems Manager. Command: `dotnet add ParameterStore package Amazon.Extensions.Configuration.SystemsManager --version 4.0.0`
If you want to visit my repository, please navigate to the link below.
bervProject / ParamStore
OK, let's continue to code.
- Update the `Program.cs` file. You need to add these lines.

  ```csharp
  using Amazon.SimpleSystemsManagement;

  var builder = WebApplication.CreateBuilder(args);

  // Add services to the container.
  // BEGIN: ADD THESE LINES
  // Load the parameters under the /app prefix into the app configuration.
  builder.WebHost.ConfigureAppConfiguration(b =>
  {
      b.AddSystemsManager("/app");
  });
  // Register the Systems Manager client for dependency injection.
  builder.Services.AddAWSService<IAmazonSimpleSystemsManagement>();
  // END: ADD THESE LINES

  builder.Services.AddControllers();
  ```

- Add `ParamStoreController.cs` in the `Controllers` directory.

  ```csharp
  using Amazon.SimpleSystemsManagement;
  using Amazon.SimpleSystemsManagement.Model;
  using Microsoft.AspNetCore.Mvc;

  namespace ParameterStore.Controllers;

  [ApiController]
  [Route("[controller]")]
  public class ParamStoreController : ControllerBase
  {
      private readonly ILogger<ParamStoreController> _logger;
      private readonly IAmazonSimpleSystemsManagement _ssmClient;

      public ParamStoreController(IAmazonSimpleSystemsManagement ssmClient, ILogger<ParamStoreController> logger)
      {
          _ssmClient = ssmClient;
          _logger = logger;
      }

      // Demo endpoint: returns the value of whichever parameter name the caller passes.
      // Add authentication and restrict the allowed names before exposing it anywhere.
      [HttpGet(Name = "GetParameterStore")]
      public async Task<string> GetAsync([FromQuery] string parameterName)
      {
          var request = new GetParameterRequest()
          {
              Name = parameterName
          };
          var param = await _ssmClient.GetParameterAsync(request);
          return param.Parameter.Value;
      }
  }
  ```
- It's easy, right? You can use `IAmazonSimpleSystemsManagement` to access the parameter. Please make sure you've set up the credentials. On my side, I use this `appsettings.json`.

  ```json
  "AWS": {
    "Profile": "paramstore",
    "Region": "ap-southeast-1"
  }
  ```
- Run our project. Command: `dotnet run --project ParameterStore`
- Test our project. You can use Postman, curl, or other tools. You will get the encrypted data.
- If you want to get the decrypted value, you will need to update the request like this.

  ```csharp
  var request = new GetParameterRequest()
  {
      Name = parameterName,
      WithDecryption = true, // ask Parameter Store to decrypt the SecureString value
  };
  ```

- Please check the difference.
Thank you
Thank you for reading. I hope it will be useful. If you have any feedback, please add it in the comments.