AWS Systems Manager Parameter Store is a service for storing data as key-value pairs that can be referenced in your scripts. The values are stored as strings. Because this data can include sensitive information such as passwords, AWS provides encryption methods such as KMS keys to keep the user's data safe and secure.
These parameter values can be referenced directly in the user's scripts and in some other AWS services, reducing manual intervention in the application's workflow. Moreover, Parameter Store is a fully serverless service. This article provides an overview of AWS Parameter Store.
Benefits of Using AWS Parameter Store
The benefits of using AWS Parameter Store include:
- Secure, highly available, and scalable secret management service.
- Separates your data from your code to improve security.
- Provides control on a granular level.
- Stores configuration data and secrets in hierarchies and tracks versions.
Parameter Store Use Cases
Let’s see some use cases of AWS parameter store in the cloud infrastructure.
Usage with CloudFormation
AWS CloudFormation is a service used to deploy infrastructure on AWS using scripts. The resources and configurations are defined in the form of stacks. We can reference parameter values from Parameter Store to provision the stacks. This way, whenever a CloudFormation stack needs to be updated, we can simply change the parameter value.
Usage with Lambda Functions
We often have to define environment variables for our Lambda functions, but environment variables have some limitations and disadvantages, which can be avoided by storing the variables as values in Parameter Store.
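An added example of this use case (not from the original article): a Lambda function loads its settings from one Parameter Store hierarchy at start-up through `get_parameters_by_path`, following pagination and asking for SecureString values to be decrypted. The path `/myapp/prod`, the parameter names and the `FakeSSM` stand-in are constructed for illustration; in a real function `ssm` would be `boto3.client("ssm")`.

```python
def load_config(ssm, path):
    """Return {relative_name: value} for all parameters below `path`."""
    prefix = path.rstrip("/") + "/"
    config, token = {}, None
    while True:
        kwargs = {"Path": path, "Recursive": True, "WithDecryption": True}
        if token:
            kwargs["NextToken"] = token
        page = ssm.get_parameters_by_path(**kwargs)
        for p in page["Parameters"]:
            key = p["Name"][len(prefix):]
            # StringList values arrive as one comma-separated string.
            is_list = p["Type"] == "StringList"
            config[key] = p["Value"].split(",") if is_list else p["Value"]
        token = page.get("NextToken")
        if not token:
            return config

CACHE = {}

def get_config(ssm, path="/myapp/prod"):
    """Fetch once per execution environment; warm invocations reuse it."""
    if path not in CACHE:
        CACHE[path] = load_config(ssm, path)
    return CACHE[path]

class FakeSSM:
    """Offline stand-in for boto3.client("ssm"); pages are constructed."""
    PAGES = {
        None: {"Parameters": [
            {"Name": "/myapp/prod/db/host", "Type": "String",
             "Value": "db.internal"},
            {"Name": "/myapp/prod/db/password", "Type": "SecureString",
             "Value": "example-only"},
        ], "NextToken": "page-2"},
        "page-2": {"Parameters": [
            {"Name": "/myapp/prod/origins", "Type": "StringList",
             "Value": "a.example,b.example"},
        ]},
    }

    def __init__(self):
        self.calls = []

    def get_parameters_by_path(self, **kwargs):
        self.calls.append(kwargs)
        return self.PAGES[kwargs.get("NextToken")]

if __name__ == "__main__":
    # Print parameter names only, never the decrypted values.
    print(sorted(load_config(FakeSSM(), "/myapp/prod")))
```

The function's execution role needs `ssm:GetParametersByPath` on the path and, for SecureString values encrypted with a customer managed key, `kms:Decrypt` on that key. Keep the returned values out of logs.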
Usage with AWS CodeBuild
CodeBuild is an important part of the continuous integration and continuous deployment (CI/CD) model. The build steps are defined inside a YAML file, which may need secrets and sensitive information; we can pass these in directly by referencing the parameters from Parameter Store.
Creating Parameter Store Using AWS Console
To create a parameter, first log in to the AWS Management Console and search for the Systems Manager service.
It will take you to the Systems Manager console. From the left side panel, click on Parameter Store under the Application Management section.
From the Parameter Store console, click on the Create parameter button to create a new parameter.
Provide the name of the parameter along with its description. The name can be written as a hierarchy so that parameters can be organized and used effectively. The parameter description is optional. For this demo, we are going to create a parameter that stores the AMI ID of the linux2 AMI in N. Virginia.
After specifying the name and description of the parameter, it will ask for the parameter tier. AWS Systems Manager Parameter Store provides two tiers for parameters:
- Standard
- Advanced
In the standard tier, you can create up to 10,000 parameters, each up to 4 KB in size. Parameter policies are not available for the standard tier.
In the advanced tier, however, you can create more than 10,000 parameters, each up to 8 KB in size. Parameter policies are available for the advanced tier, but this tier incurs a charge.
For this demo, we will use the standard tier of the parameter store.
Next, you have to define what you want to store as the parameter value. The choices are:
- String
- StringList
- SecureString
To store a single value that requires only one string, choose the String type.
In order to store multiple strings in the parameter, you need to select the StringList type of the parameter. It can store multiple strings separated by commas.
For secrets, you can choose the SecureString type of the parameter. It encrypts the secrets using AWS KMS (Key Management Service) from your account or from another account.
For this demo, we will use the String type of the parameter.
In the next step, define the data type you want to store as the parameter value. We will use aws:ec2:image to store EC2 AMI.
Now we are going to enter the parameter value we want. In this case, it is the image ID of an EC2 AMI.
To keep track of your AWS resources, it is better to add tags to locate and monitor them easily and efficiently. Tags are in the form of key and value pairs. This is just an optional step; you can simply skip this if you want.
Finally, our configuration is complete for this parameter. Just click on create parameter at the bottom right corner and you are good to go.
So we have seen how to configure parameters in Parameter Store using the AWS Management Console. You can now reference this parameter value in the other AWS services that you want.
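The tier, type and data-type choices from the steps above expressed as a pre-flight check, added here as an example and not part of the original article. It returns keyword arguments for boto3's `ssm.put_parameter`; the function name, the AMI ID pattern and the rule that secret-looking names must be SecureString are assumptions of this example, not AWS requirements.

```python
import re

# Size limits per tier as stated in the article (4 KB and 8 KB).
TIER_LIMIT_BYTES = {"Standard": 4 * 1024, "Advanced": 8 * 1024}
TYPES = {"String", "StringList", "SecureString"}
# Assumed AMI ID shape: "ami-" followed by 8 or 17 hex digits.
AMI_ID = re.compile(r"ami-([0-9a-f]{8}|[0-9a-f]{17})")
# Assumed naming convention: these words in a name mark a secret.
SECRET_HINT = re.compile(r"(password|passwd|secret|token|api[_-]?key)", re.I)


def put_parameter_args(name, value, type_, tier="Standard", data_type="text"):
    """Validate the inputs and return keyword arguments for put_parameter."""
    if type_ not in TYPES:
        raise ValueError(f"unknown type {type_!r}")
    if tier not in TIER_LIMIT_BYTES:
        raise ValueError(f"unknown tier {tier!r}")
    size = len(value.encode("utf-8"))
    if size > TIER_LIMIT_BYTES[tier]:
        raise ValueError(f"value is {size} bytes, over the {tier} tier limit")
    if data_type == "aws:ec2:image":
        # The AMI data type applies to String parameters holding an image ID.
        if type_ != "String" or not AMI_ID.fullmatch(value):
            raise ValueError("aws:ec2:image needs a String holding an AMI ID")
    if SECRET_HINT.search(name) and type_ != "SecureString":
        raise ValueError(f"{name} looks like a secret; use SecureString")
    args = {"Name": name, "Value": value, "Type": type_, "Tier": tier}
    if type_ == "String":
        args["DataType"] = data_type
    return args


if __name__ == "__main__":
    # Constructed AMI ID, for illustration only.
    print(put_parameter_args("/demo/ami/linux2", "ami-0123456789abcdef0",
                             "String", data_type="aws:ec2:image"))
```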
Creating Parameter Store Using AWS CLI
AWS allows users to manage their resources using the Command Line Interface, which can be configured on any environment such as Windows, Linux or Mac. Let us see how to create a parameter using the AWS CLI.
First, configure AWS command line interface credentials on your system. Visit the following article to configure the credentials.
https://linuxhint.com/configure-aws-cli-credentials/
To create a parameter using the CLI, simply use the following command:
aws ssm put-parameter \
--name "<Parameter Name>" \
--value "<parameter Value>" \
--type "<Parameter Type>" \
--data-type "aws:ec2:image"
Our parameter is now created. To view the list of available parameters using the CLI, you need to run the following command:
Now, the AWS command line interface has been configured.
Conclusion
AWS Parameter Store is a helpful, easy-to-manage service that is highly scalable and efficient. It can also be expanded to multiple availability zones. AWS ensures its security, so you can store your secret IDs and passwords reliably, with version control. Using the IAM policies attached to the parameters, you can manage whether a particular user should be able to access certain credentials. You can also get notified of any changes to your secret parameters. These parameters are accessible from many other AWS services, which frees you from managing your credentials and providing them individually to each service.