diogoaurelio
Correctly decrypting parameters from AWS SSM

Today's post is yet another short one, but ideally it will save a whole lot of headaches for some people.

Scenario: You have stored the contents of a string using AWS SSM Parameter Store (side note: if you are not using it yet, you should definitely have a look), but when retrieving it decrypted via the CLI, you notice that the string has newlines ('\n') substituted by spaces (' ').

In my case, I was storing an encrypted private SSH key to integrate with some Ansible scripts triggered via AWS CodePipeline + CodeBuild. CodeBuild makes it really easy to access secrets stored in the SSM store; however, it was retrieving my key incorrectly, which in turn domino-crashed my Ansible scripts.

Here you can also confirm more people are facing this issue. After following the suggestion of using the AWS SDK - in my case with Python boto3 - it finally worked. So here is a gist to overwrite an AWS SSM parameter and then retrieve it back:

import boto3

# Multi-line secret; the "\n" escapes below become real newlines in the stored value.
my_string = """
your string \n separated \n by \n new \n lines.
"""
account_id = '12345678910'
region = 'eu-west-1'
parameter_name = 'some-secret-name'
key_id = 'your-key-id'
kms_key_id = 'arn:aws:kms:{region}:{account_id}:key/{key_id}'.format(region=region, account_id=account_id, key_id=key_id)

# Use the same region as the KMS key referenced above.
ssm = boto3.client('ssm', region_name=region)

# Create or overwrite the parameter as a KMS-encrypted SecureString.
response = ssm.put_parameter(
    Name=parameter_name,
    Description='My encrypted secret blob',
    Value=my_string,
    Type='SecureString',
    KeyId=kms_key_id,
    Overwrite=True,
)

# Read the parameter back, decrypted.
response = ssm.get_parameter(
    Name=parameter_name,
    WithDecryption=True
)
print(response.get('Parameter', {}).get('Value'))
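
A check that catches the failure described above before a broken key reaches Ansible, as an added example that is not part of the original post: it classifies a retrieved value (for instance `response['Parameter']['Value']`) and refuses to write a private key whose newlines were lost. The function names and the sample key are constructed for illustration.

```python
import os
import re
import stat

# PEM framing: a BEGIN line, the body, and an END line with the same label.
_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

# Constructed sample, not a real key: the body lines are placeholder text.
SAMPLE_KEY = "\n".join([
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "Q09OU1RSVUNURURfU0FNUExFX05PVF9BX1JFQUxfS0VZ",
    "QU5PVEhFUl9DT05TVFJVQ1RFRF9MSU5F",
    "-----END OPENSSH PRIVATE KEY-----",
]) + "\n"
# The same value with newlines replaced by spaces, as described in the post.
COLLAPSED_KEY = SAMPLE_KEY.replace("\n", " ")


def pem_newline_state(value):
    """Classify a retrieved secret as 'intact', 'collapsed' or 'not-pem'."""
    match = _PEM_RE.search(value)
    if match is None:
        return "not-pem"
    body = match.group("body").replace("\r\n", "\n")
    # Intact: the BEGIN and END markers sit on their own lines, so the body
    # starts and ends with a newline. Collapsed: spaces sit there instead.
    if body.startswith("\n") and body.endswith("\n"):
        return "intact"
    return "collapsed"


def write_private_key(path, value):
    """Write the key only if intact; the file is created with mode 0600."""
    state = pem_newline_state(value)
    if state != "intact":
        raise ValueError("refusing to write key, PEM is " + state)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(value)
    os.chmod(path, 0o600)  # also tighten a pre-existing file
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    for name, value in (("intact", SAMPLE_KEY), ("collapsed", COLLAPSED_KEY)):
        print(name, "->", pem_newline_state(value))
```

Failing the build at this point gives a clear error instead of an SSH authentication failure later in the playbook run.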

Hope this helps!
