
Securing Your Secret Using AWS Systems Manager (Parameter Store)

Hello, everyone! I hope you are doing fine. I'm going to share how to secure your secrets using AWS Systems Manager (Parameter Store).

I have broken this post into two parts.

  1. Set up an IAM user for retrieving secrets from Parameter Store
  2. The retrieval code

Set up IAM User

We will set up an IAM user. We use this user to get our secret from Parameter Store.

  1. Go to IAM -> Access Management -> Users -> Add users. Check Access key - Programmatic access and fill in the user name. You can use parameter-store-user as the name. After that, click Next.

    [Screenshot: Name + Programmatic access]

  2. In step 2, click Attach existing policies directly and after that click Create Policy. We will use a custom policy.

    [Screenshot: Policy Create]

    Note: If you want to learn more about how to set up the policy, please navigate here

  3. You just need to set up the policy as shown in this image. Set Service to Systems Manager, Access level to Read -> GetParameter and GetParameters, and Resources to All resources. In practice you should restrict Resources to specific parameter ARNs, or use wildcards in the ARN to cover a path prefix, so the user can read only the parameters it needs.

    [Screenshot: Policy]

  4. Give the policy name ReadParameterStore.

    [Screenshot: Name]

  5. Select our previously created policy.

    [Screenshot: Policy Set]

  6. Save your credentials (the access key ID and secret access key). We will use them later.

    [Screenshot: Created]
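As an added example (not from the original post), here is the ReadParameterStore policy from step 3 written as a JSON policy document and scoped to the /app hierarchy instead of All resources. It assumes the region ap-southeast-1 used later in appsettings.json, and 123456789012 is a placeholder account ID. It also grants ssm:GetParametersByPath, which the AddSystemsManager("/app") call in Program.cs uses to enumerate the prefix; with only GetParameter and GetParameters, that enumeration is denied.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadAppParametersOnly",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Resource": [
        "arn:aws:ssm:ap-southeast-1:123456789012:parameter/app",
        "arn:aws:ssm:ap-southeast-1:123456789012:parameter/app/*"
      ]
    }
  ]
}
```

Parameter ARNs omit the leading slash of the parameter name, so /app/db is matched by parameter/app/*. If the SecureString is encrypted with a customer managed KMS key rather than the default aws/ssm key, the user additionally needs kms:Decrypt on that key.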

Adding Dummy Values in Parameter Store

Navigate to AWS Systems Manager > Parameter Store and create a parameter. On my side, I created /app/db with type SecureString and an arbitrary value.

[Screenshot: Create Parameter]

Set up Project

Time to code. We will build a small project that retrieves our secret using the AWS SDK. In this case, I will use .NET and the AWS SDK for .NET. Let's go!

  1. Prepare .gitignore. Command: dotnet new gitignore
  2. Prepare the solution file. Command: dotnet new sln
  3. Prepare the project using template. Command: dotnet new webapi -o ParameterStore
  4. Add the project to solution. Command: dotnet sln add ParameterStore
  5. Install the AWS SDK package for Systems Manager. Command: dotnet add ParameterStore package Amazon.Extensions.Configuration.SystemsManager --version 4.0.0

If you want to visit my repository, please navigate to the link below.


OK, let's continue to code.

  1. Update the Program.cs file. You need to add these lines.

    using Amazon.SimpleSystemsManagement; // needed for IAmazonSimpleSystemsManagement below
    
    var builder = WebApplication.CreateBuilder(args);
    
    // Add services to the container.
    
    // BEGIN: ADD THESE LINES
    // Load every parameter under /app into IConfiguration (e.g. /app/db becomes the key "db")
    builder.WebHost.ConfigureAppConfiguration(b => {
        b.AddSystemsManager("/app");
    });
    
    // Register the Systems Manager client so controllers can inject IAmazonSimpleSystemsManagement
    builder.Services.AddAWSService<IAmazonSimpleSystemsManagement>();
    // END: ADD THESE LINES
    
    builder.Services.AddControllers();
    
  2. Add ParamStoreController.cs in Controllers directory.

    using Amazon.SimpleSystemsManagement;
    using Amazon.SimpleSystemsManagement.Model;
    using Microsoft.AspNetCore.Mvc;
    
    namespace ParameterStore.Controllers;
    
    [ApiController]
    [Route("[controller]")]
    public class ParamStoreController : ControllerBase
    {
        private readonly ILogger<ParamStoreController> _logger;
        // Injected by builder.Services.AddAWSService<IAmazonSimpleSystemsManagement>() in Program.cs
        private readonly IAmazonSimpleSystemsManagement _ssmClient;
    
        public ParamStoreController(IAmazonSimpleSystemsManagement ssmClient, ILogger<ParamStoreController> logger)
        {
            _ssmClient = ssmClient;
            _logger = logger;
        }
    
        // GET /ParamStore?parameterName=/app/db
        [HttpGet(Name = "GetParameterStore")]
        public async Task<string> GetAsync([FromQuery] string parameterName)
        {
            // WithDecryption defaults to false, so a SecureString is returned as ciphertext (see step 5)
            var request = new GetParameterRequest() {
                Name = parameterName
            };
            var param = await _ssmClient.GetParameterAsync(request);
            return param.Parameter.Value;
        }
    }
    
  3. It's easy, right? You can use IAmazonSimpleSystemsManagement to access the parameter. Please make sure you've set up the credentials: the Profile value below names a profile in your local AWS credentials file that holds the access key saved in step 6 of the IAM setup. On my side, I use this appsettings.json.

    {
        "AWS": {
            "Profile": "paramstore",
            "Region": "ap-southeast-1"
        }
    }
    
  4. Run our project. Command: dotnet run --project ParameterStore

    [Screenshot: Run project]

  5. Test our project. You can use Postman, curl or other tools. Because the request does not ask for decryption, you will get the encrypted data (the SecureString ciphertext).

    [Screenshot: Secrets get]

  6. If you want the decrypted value, you need to update the request like this.

    var request = new GetParameterRequest() {
        Name = parameterName,
        WithDecryption = true, // ask Systems Manager to decrypt the SecureString with its KMS key
    };
    
  7. Compare the two responses. Note that the endpoint now hands the plaintext secret to any caller who can reach it, so treat this as a demonstration only: in a real service, keep the decrypted value inside the application (for example, read it from configuration via the /app prefix registered in Program.cs) and never return it in an HTTP response.

    [Screenshot: decrypted]
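The ParamStoreController above returns whichever parameter the caller names, and after step 6 it returns the plaintext. As an added example that is not part of the original post, the hypothetical ParamStoreCheckController below shows the pattern I would use in a real service: it accepts only names under the /app prefix, returns parameter metadata rather than the value, and reads the secret itself from IConfiguration, where AddSystemsManager("/app") from step 1 has already placed /app/db under the key "db". The class name and routes are assumptions; it relies on the same packages and registrations as the original project.

```csharp
using Amazon.SimpleSystemsManagement;
using Amazon.SimpleSystemsManagement.Model;
using Microsoft.AspNetCore.Mvc;

namespace ParameterStore.Controllers;

// Hypothetical hardened variant of ParamStoreController (added example, not from the original post).
[ApiController]
[Route("[controller]")]
public class ParamStoreCheckController : ControllerBase
{
    // Only parameters under this prefix may be inspected; it mirrors the "/app" prefix
    // registered with AddSystemsManager in Program.cs.
    private const string AllowedPrefix = "/app/";

    private readonly IAmazonSimpleSystemsManagement _ssmClient;
    private readonly IConfiguration _configuration;
    private readonly ILogger<ParamStoreCheckController> _logger;

    public ParamStoreCheckController(
        IAmazonSimpleSystemsManagement ssmClient,
        IConfiguration configuration,
        ILogger<ParamStoreCheckController> logger)
    {
        _ssmClient = ssmClient;
        _configuration = configuration;
        _logger = logger;
    }

    // GET /ParamStoreCheck/metadata?parameterName=/app/db
    // Returns metadata about a parameter, never its value.
    [HttpGet("metadata")]
    public async Task<IActionResult> GetMetadataAsync([FromQuery] string parameterName, CancellationToken ct)
    {
        if (string.IsNullOrWhiteSpace(parameterName)
            || !parameterName.StartsWith(AllowedPrefix, StringComparison.Ordinal))
        {
            // Reject anything outside the allowed hierarchy before calling AWS at all.
            return BadRequest($"parameterName must start with {AllowedPrefix}");
        }

        try
        {
            // WithDecryption stays false: the value is not needed and must not leave the service.
            var response = await _ssmClient.GetParameterAsync(
                new GetParameterRequest { Name = parameterName, WithDecryption = false }, ct);
            var p = response.Parameter;

            return Ok(new
            {
                p.Name,
                Type = p.Type?.Value,      // "String", "StringList" or "SecureString"
                p.Version,
                p.LastModifiedDate,
                p.ARN
            });
        }
        catch (ParameterNotFoundException)
        {
            return NotFound();
        }
    }

    // GET /ParamStoreCheck/db-configured
    // Shows how the application itself consumes the secret: AddSystemsManager("/app") maps
    // /app/db to the configuration key "db", so no controller needs to call GetParameter for it.
    [HttpGet("db-configured")]
    public IActionResult IsDbConfigured()
    {
        var dbSecret = _configuration["db"];
        var loaded = !string.IsNullOrEmpty(dbSecret);

        // Log and report only whether the secret is present, never its content.
        _logger.LogInformation("db secret loaded from Parameter Store: {Loaded}", loaded);
        return Ok(new { configured = loaded });
    }
}
```

Drop this file into the Controllers directory next to ParamStoreController.cs and run the project as in step 4; the metadata endpoint answers 400 for names outside /app/, 404 for unknown parameters, and 200 with version and type information otherwise, while the secret itself is only ever consumed in-process through IConfiguration.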

Thank you

Thank you for reading. I hope it will be useful. If you have any feedback, please add it in the comment.
