When AWS announced EC2 Systems Manager (SSM) back in mid-2017, it included an innocuous feature called Parameter Store. I paid very little attention to it since most of our company was working away on Lambda functions – who had time to worry about simple things like instances when serverless was the cat’s meow? Little did I know how useful it really could be. Its use case is simple: whenever the need arises to share secrets or configuration strings across multiple services and code, Parameter Store should be considered. And yes, the recently released AWS Secrets Manager is an option, but that is another blog for another day.
For those who aren’t aware, SSM’s Parameter Store is a way to organize configuration strings and secret data (like passwords or license keys) in an easy, central, and more secure way. It was initially meant to help with configuration of EC2 instances, but its hooks into services like Lambda and CloudFormation, to name a few, make it super handy.
I stumbled upon a perfect example of Parameter Store’s utility when getting ready for a deployment recently. We developed a bunch of CloudFormation templates (CFN), and like any good CFN, you write it, execute it, and then ignore it for months. Until it comes time to use it again, and as surely as the clock changes time, ami-ids change too, which instantly breaks your CFN. Now we were faced with either manually updating the mapping portion of each of our files or finding another way. So as the intrepid Cloud Experts that we are, we decided to look at how Lambda could automate this – which we had heard a while back was a valid option. But just before we were about to configure Lambda, we noticed an article mentioning that SSM and CFN were integrated and could be used to search for ami-ids. Five minutes later, all of our CFNs were updated and grabbing the latest and greatest ami-id no matter the region. This was awesome.
CFN and SSM integration was wonderfully documented by Martin Yip, but I wanted to highlight the CFN piece just because it was buried at the bottom of the article and needed one slight update to grab the ami-id directly.
```yaml
# Query global Systems Manager (SSM) Parameters to pull the latest Amazon Linux 2 minimal ami-id
Parameters:
  AmiId:
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-minimal-hvm-x86_64-ebs'
Resources:
  Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: !Ref AmiId
```
Looking at the CFN snippet above, you will see a parameter of type AWS::SSM::Parameter::Value with an EC2 image ID type passed to it in the <AWS-Specific Parameter Types> format. This nugget of gold queries the SSM public global Parameter Store for the latest ami-id of Amazon Linux 2 minimal. There are a slew of parameter paths you can use. If you’re curious, you can search for some of the available parameters via the CLI call below, which returns a list of parameters and their associated ami-ids.
```shell
aws ssm get-parameters-by-path --path "/aws/service/ami-amazon-linux-latest" --region us-east-1
```
But back to CloudFormation and SSM: you will see a call made to SSM for the parameter associated with an Amazon Linux 2 minimal image. That ami-id is then referenced as part of the creation of an EC2 instance. So simple, so nice.
One aside, I love that Amazon took the concept of Parameter Store and decided it would be awesome if they offered AWS global parameters for a number of useful knick-knacks that people might need. A super simple idea but what a demonstrable quality of life improvement. Thanks for being awesome AWS!
I would be remiss if I didn’t discuss another, arguably more important, use of Parameter Store – its ability to store and decrypt values for your apps. Hard-coding secrets in our code has been a prolific anti-pattern, with very few options for actually preventing it. Parameter Store is very much like a caped crusader (it’s the hero we need, but not the one we deserve), swooping in to help. Using it, you can programmatically fetch a secret such as your database’s password. That secret is automatically decrypted and made available to your code. Hardcoded passwords are easily a thing of the past. Here is example code in action.
```python
import boto3

ssm = boto3.client('ssm')
# WithDecryption=True asks SSM to decrypt the SecureString value (KMS) before returning it
parameter = ssm.get_parameter(Name='/Prod/Db/Password', WithDecryption=True)
# Printed here only to show the call works; in real code, pass the value on, don't log it
print(parameter['Parameter']['Value'])
```
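Going one step further than the single get_parameter call above, the added example below (mine, not from the original post) loads a whole /Env/Service hierarchy with get_parameters_by_path, walks the NextToken pagination that boto3 returns at most 10 parameters per page, and keeps SecureString values out of anything you log. The FakeSsm client and its parameter values are constructed so the code runs offline; the /Prod/Db path convention is an assumption.

```python
from typing import Any, Dict


def load_config(ssm, path: str) -> Dict[str, Dict[str, Any]]:
    """Return {key: {"value": ..., "secret": bool}} for every parameter under `path`.
    `ssm` is anything exposing get_parameters_by_path(**kwargs) like boto3's SSM client."""
    out: Dict[str, Dict[str, Any]] = {}
    kwargs: Dict[str, Any] = {"Path": path, "Recursive": True, "WithDecryption": True}
    while True:
        resp = ssm.get_parameters_by_path(**kwargs)  # SSM returns at most 10 per page
        for p in resp["Parameters"]:
            key = p["Name"][len(path):].lstrip("/")  # "/Prod/Db/Host" -> "Host"
            out[key] = {"value": p["Value"], "secret": p["Type"] == "SecureString"}
        token = resp.get("NextToken")
        if not token:  # last page
            return out
        kwargs["NextToken"] = token


def redacted(config: Dict[str, Dict[str, Any]]) -> Dict[str, str]:
    """Copy of the config that is safe to log: SecureString values are masked."""
    return {k: ("***" if v["secret"] else v["value"]) for k, v in config.items()}


class FakeSsm:
    """Constructed stand-in that answers like the SSM API, split over two pages."""
    PAGES = [
        {"Parameters": [
            {"Name": "/Prod/Db/Host", "Type": "String", "Value": "db.internal"},
            {"Name": "/Prod/Db/Password", "Type": "SecureString", "Value": "s3cr3t"}],
         "NextToken": "page2"},
        {"Parameters": [
            {"Name": "/Prod/Db/Port", "Type": "String", "Value": "5432"}]},
    ]

    def __init__(self) -> None:
        self.calls = []  # records every request so pagination can be checked

    def get_parameters_by_path(self, **kwargs):
        self.calls.append(kwargs)
        return self.PAGES[1] if kwargs.get("NextToken") == "page2" else self.PAGES[0]


if __name__ == "__main__":
    import boto3  # real client; same call shape as FakeSsm
    print(redacted(load_config(boto3.client("ssm"), "/Prod/Db")))
```

The IAM role running this needs ssm:GetParametersByPath on the path plus kms:Decrypt on the key behind the SecureString values, so scope the path per service rather than granting the whole tree.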
This just scratches the surface of Parameter Store’s usefulness. Take a moment to see areas where you could use a central store for configuration strings and secrets that may or may not need to be encrypted. SSM Parameter Store may just be what you need.