I love things to be organized and easily managed. Secret data in code is no exception. Previously I wrote a guide how to use AWS Secrets manager. And now, I want you to look at one more solution - AWS Systems Manager Parameter Store.
It provides a secure and hierarchical storage and management system for secret data like passwords, secret parameters, licenses, etc. You can avoid routine with handy-managed secret files, which you should share with every team member and add to every Jenkins Job. Just add them to centralized storage and set up retrieving via AWS API.
The great benefit of Parameters Store is that you can save any piece of data instead of AWS Secrets Manager, where you can choose only a particular format. Let's configure some secrets and see how it works in practice.
Imagine that we want to store licence.xml for some library.
<LICENSEFILE>
<FEATURE NAME="MyFeatureName">
<SETTING MAJOR_VERSION="1"/>
<SETTING MINOR_VERSION="0"/>
<SETTING END="2018-01-01"/>
<CLIENT_HOSTID>
<SETTING IPADDRESS="123.123.123.123"/>
<SETTING USERNAME="john"/>
</CLIENT_HOSTID>
</FEATURE>
</LICENSEFILE>
Find the Parameter Store and open the main page.
Follow the "Create parameter" button and go to the configuration page.
Type a secret name and choose type "SecureString."
Put secret data to the value field and follow "Create parameter."
That's all, secret created!
To make it accessible for target users need to grant permissions with the policy that allows reading params:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ssm:GetParameter",
"Resource": "*"
}
]
}
And now, let's get it from code. Add SSM dependency to your project, create a rest client, perform a get request with decryption, and use the received secret.
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-ssm</artifactId>
<version>1.12.186</version>
</dependency>
AWSSimpleSystemsManagement client = AWSSimpleSystemsManagementClient
.builder()
.withCredentials(new AWSStaticCredentialsProvider(new BasicAWSCredentials(accessKey, secretKey)))
.build();
var getParameterRequest = new GetParameterRequest()
.withName("licence.xml")
.withWithDecryption(true);
String license = client.getParameter(getParameterRequest).getParameter().getValue();
LicenseReader.read(license);
This way, you can store and retrieve any data that can be deserialized from string to any object you might be interested in.
Conclusion
Parameters Store is a secure and scalable secrets management service with no servers to manage. In the case of different types of secret data, it looks like a universal solution for all of them. That is a great way to manage stricted things in your project.