{"id":22166720,"url":"https://github.com/alextanhongpin/aws-parameter-store","last_synced_at":"2025-03-24T16:32:47.252Z","repository":{"id":79114658,"uuid":"124772767","full_name":"alextanhongpin/aws-parameter-store","owner":"alextanhongpin","description":"Guildeline for storing application configuration using AWS Parameter Store","archived":false,"fork":false,"pushed_at":"2019-01-23T02:48:43.000Z","size":553,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-01-29T21:54:25.695Z","etag":null,"topics":["aws"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/alextanhongpin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-03-11T15:53:02.000Z","updated_at":"2019-09-20T21:44:20.000Z","dependencies_parsed_at":null,"dependency_job_id":"ab06be8f-c20e-4051-a5d0-4ab4581cfe03","html_url":"https://github.com/alextanhongpin/aws-parameter-store","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alextanhongpin%2Faws-parameter-store","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alextanhongpin%2Faws-parameter-store/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alextanhongpin%2Faws-parameter-store/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alextanhongpin%2Faws-parameter-store/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/alextanhongpin","download_url":"https://codeload.github.com/alextanhongpin/aws-parameter-store/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245308995,"owners_count":20594345,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws"],"created_at":"2024-12-02T05:20:57.117Z","updated_at":"2025-03-24T16:32:47.240Z","avatar_url":"https://github.com/alextanhongpin.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS Parameter Store\n\nUse Parameter store to centralize all your configurations and sensitive keys. With Parameter Store you can:\n\n- secure your application\n- handle all your applications configuration in a centralized place\n- dynamic config, any changes can be reflected real-time in your application\n- no more sending sensitive credentials through Slack/Email (very bad practice)\n- easy integration as AWS SDK is available for multiple clients\n\n## Comparison with AWS Secrets Manager\n\n- it's free!\n- cannot rotate credentials (but can still be done at code level manually)\n\n## IAM Policy\n\nCreate two inline policy, `kms-read-access`:\n\n```json\n{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Sid\": \"VisualEditor0\",\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"kms:Decrypt\",\n                \"kms:DescribeKey\"\n            ],\n            \"Resource\": \"arn:aws:kms:ap-southeast-1:\u003cYOUR_ACCOUNT_ID\u003e:key/*\"\n        }\n    ]\n}\n```\n\nand `ssm-read-access`. It is a *good practice* to limit the resource to the key-value that you want to access:\n\n```json\n{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Sid\": \"VisualEditor0\",\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"ssm:Get*\",\n                \"ssm:Put*\"\n            ],\n            \"Resource\": [\n              \"arn:aws:ssm:ap-southeast-1:\u003cYOUR_ACCOUNT_ID\u003e:parameter/username\",\n              \"arn:aws:ssm:ap-southeast-1:\u003cYOUR_ACCOUNT_ID\u003e:parameter/password\"\n            ]\n        },\n        {\n            \"Sid\": \"VisualEditor1\",\n            \"Effect\": \"Allow\",\n            \"Action\": \"ssm:DescribeParameters\",\n            \"Resource\": \"*\"\n        }\n    ]\n}\n```\n\nOutput:\n\n![iam-role](./iam-role.png)\n\n## Creating String Value\n\nCreating an insecure name, e.g. `db_username`:\n\n```bash\n$ aws ssm put-parameter --name username --value admin --description \"The username of your application\" --type String\n```\n\nCreating a secure name, e.g. `db_password`:\n\n```bash\n$ aws ssm put-parameter --name password --value admin --description \"The password of your application\" --type SecureString --key-id alias/aws/ssm\n```\n\nOutput:\n\n![parameter-store](./parameter-store.png)\n\n## Getting Encrypted Values\n\n```bash\n$ aws ssm get-parameters --names username password\n```\n\nOutput:\n\n```json\n{\n    \"InvalidParameters\": [],\n    \"Parameters\": [\n        {\n            \"Type\": \"SecureString\",\n            \"Name\": \"password\",\n            \"Value\": \"AQICAHiZLv5ybto0IW1pztY7jamSw4vIhzu4alJDALZjLZdmLgF7h61JVVpWsbFGEws7CPF3AAAAYzBhBgkqhkiG9w0BBwagVDBSAgEAME0GCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMWLItsYr0TChRE/8TAgEQgCCA7RMcwta3ELvl1Y+qf3cHkffW383491WZQT8jrRLM+Q==\"\n        },\n        {\n            \"Type\": \"String\",\n            \"Name\": \"username\",\n            \"Value\": \"admin\"\n        }\n    ]\n}\n```\n\n## Getting Decrypted Values\n\n```bash\n$ aws ssm get-parameters --with-decryption --names username password\n```\n\nOutput:\n\n```json\n{\n    \"InvalidParameters\": [],\n    \"Parameters\": [\n        {\n            \"Type\": \"SecureString\",\n            \"Name\": \"password\",\n            \"Value\": \"admin\"\n        },\n        {\n            \"Type\": \"String\",\n            \"Name\": \"username\",\n            \"Value\": \"admin\"\n        }\n    ]\n}\n```\n\n\n## Node.js Sample\n\nNote that instead of passing the configs at the UI Console, we are now pulling them through the SDK during runtime. This is definitely more secure, but if you are running them locally in development, consider caching them in a file or just use local `.env` files for faster development time. \n\nAnother alternative is to store the whole config in a S3 Bucket and set the IAM roles to be accessible only to the application or user.\n\n```js\nconst AWS = require('aws-sdk')\nasync function main() {\n  const ssm = new AWS.SSM()\n  const params = {\n    Names: ['rds.db.staging'],\n    WithDecryption: true\n  }\n  ssm.getParameters(params, (err, data) =\u003e {\n    if (err) {\n      console.log(err, err.stack)\n      return\n    }\n    const config = data.Parameters.map((param) =\u003e {\n      return {\n        key: param.Name,\n        value: param.Value\n      }\n    }).reduce((cfg, item) =\u003e {\n      cfg[item.key] = item.value\n        return cfg\n    }, {})\n    console.log(config)\n  })\n}\n\n\n// { Parameters:\n//    [ { Name: 'env_name',\n//        Type: 'SecureString',\n//        Value: 'hello world',\n//        Version: 1,\n//        LastModifiedDate: 2019-01-21T09:28:49.585Z,\n//        ARN:\n//         'arn:aws:ssm:ap-southeast-1:xxx:parameter/xxx' } ],\n//   InvalidParameters: [] }\nmain().catch(console.error)\n```\n\n## Label for versioning/rotating keys\n\nhttps://aws.amazon.com/blogs/mt/use-parameter-labels-for-easy-configuration-update-across-environments/\nhttps://hackernoon.com/a-few-tips-for-storing-secrets-using-aws-parameter-store-f03557c5cf1b\n\n## Naming convention\n\nSubject to change:\n\n```\n/$environment_name/databases/$database_name/{host,port,pass,user} \n                  /databags/$service_name/{all,my,server,creds}\n                  /other_sensitive_info/{foo,bar,baz}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falextanhongpin%2Faws-parameter-store","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falextanhongpin%2Faws-parameter-store","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falextanhongpin%2Faws-parameter-store/lists"}