
RFC: Have CDK put SecureString type parameter values into SSM securely #3520

Closed
jewelsjacobs opened this issue Aug 2, 2019 · 6 comments
Labels
@aws-cdk/aws-ssm Related to AWS Systems Manager feature-request A feature should be added or improved.

Comments


jewelsjacobs commented Aug 2, 2019

  • What is the current behavior?
    Currently there is no way to put a SecureString type value into the Systems Manager Parameter Store using CDK.

The only method to put a secure param in ssm is in the aws sdk.
The only way to access aws sdk in cdk is some sort of custom construct.
Anything you inject into the aws custom component shows up in the template. If you use a custom component with a separate lambda in a zipped asset, you still have to pass the value. That also shows up in the template.

Using -c secret_value=donttellanyone!, app.node.setContext(...);

or

import * as cdk from '@aws-cdk/core';

const app = new cdk.App();

// noEcho only masks the value in console/API output; a default still puts the plaintext in the template.
new cdk.CfnParameter(app, 'SomParam', {
  description: 'Use to pass a hidden value',
  noEcho: true,
  default: "some hidden value"
})

is not a viable solution either.

  • What is the expected behavior (or behavior of feature suggested)?

Have some way to get CDK to put SecureString type parameter values into SSM securely. The best way to do this would need some sort of design discussion. I realize this feature is not supported in CF. They only have the ability to do this with a non secure string.

  • What is the motivation / use case for changing the behavior or adding this feature?

My ask is because one of the reasons I have chosen CDK as an infrastructure solution is because I want developers to be able to support the infrastructure architecture and add the code to the app source.

Although folks tend to use the aws sdk directly to do this, which is also what is currently being advised by the cdk team,
I don't want to add the complexity of more bash / cli commands. If I wanted a pure CF abstraction solution I would use something like the serverless framework.

I know I can still use the nodejs aws sdk but I would still be running it via a cli script. I can create lots of cool cli node.js scripts, add them to npm commands, then still use the serverless framework.

I think one of the great things about CDK is it's infrastructure as CODE. Not infrastructure as cli commands or yaml.

Putting SecureString type parameter values into SSM is, to me, an infrastructure task and IMNSHO I would love to see it handled securely by CDK!

Please let me know your thoughts
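A defender-side check for the leak the post describes, added here as an example (not code from the issue, the linked gist, or the CDK project): it scans a synthesized CloudFormation template for NoEcho parameters that carry a Default and for literal secret values inside custom-resource properties. The template, resource names and the secret value are constructed for the example.

```typescript
// Added example: scan a synthesized CloudFormation template for the two
// ways a secret ends up in plaintext that the issue describes.
type Template = { Parameters?: Record<string, any>; Resources?: Record<string, any> };

export interface Leak { path: string; reason: string }

// Recursively walk a JSON value and report string literals that contain a known secret.
function walk(node: unknown, path: string, secrets: string[], out: Leak[]): void {
  if (typeof node === 'string') {
    for (const s of secrets) {
      if (node.includes(s)) out.push({ path, reason: `literal contains secret "${s}"` });
    }
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => walk(v, `${path}[${i}]`, secrets, out));
  } else if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) walk(v, `${path}.${k}`, secrets, out);
  }
}

export function findTemplateLeaks(tpl: Template, secrets: string[]): Leak[] {
  const leaks: Leak[] = [];
  // Pattern 1: NoEcho only masks describe output; a Default bakes the value into the template.
  for (const [name, p] of Object.entries(tpl.Parameters ?? {})) {
    if (p.NoEcho === true && p.Default !== undefined) {
      leaks.push({ path: `Parameters.${name}.Default`, reason: 'NoEcho parameter has a plaintext Default' });
    }
  }
  // Pattern 2: values passed to a custom resource land in its Properties as literals.
  for (const [name, r] of Object.entries(tpl.Resources ?? {})) {
    const isCustom = r.Type === 'AWS::CloudFormation::CustomResource' || String(r.Type).startsWith('Custom::');
    if (isCustom) walk(r.Properties, `Resources.${name}.Properties`, secrets, leaks);
  }
  return leaks;
}

// Constructed template (hypothetical names) mirroring the CfnParameter snippet above plus a
// custom resource that receives the secret as a property.
export const sampleTemplate: Template = {
  Parameters: {
    SomParam: { Type: 'String', NoEcho: true, Default: 'some hidden value', Description: 'Use to pass a hidden value' },
  },
  Resources: {
    PutSecret: {
      Type: 'Custom::SsmPutParameter',
      Properties: { ServiceToken: { 'Fn::GetAtt': ['Fn', 'Arn'] }, Name: '/app/db/password', Value: 'donttellanyone!' },
    },
    Safe: { Type: 'AWS::SSM::Parameter', Properties: { Type: 'String', Value: 'not-secret' } },
  },
};
```

Run it against every template under cdk.out before deploying; any hit means the value is readable by anyone who can call DescribeStacks or GetTemplate.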

@jewelsjacobs jewelsjacobs added the needs-triage This issue or PR still needs to be triaged. label Aug 2, 2019
@jewelsjacobs jewelsjacobs changed the title *RFC* RFC: Have CDK put SecureString type parameter values into SSM securely Aug 2, 2019
@jewelsjacobs
Author

Ug sorry about the needs triage label. I accidentally saved it before I finished writing it and it's labeled wrong. I can't change it 😬

@jewelsjacobs
Author

Here is an example of a custom component that does this. I don't know if it's possible to create a lib or something.

custom component

ssm-put-parameter.ts

lambda:

index.js

@r-kuhr

r-kuhr commented Aug 2, 2019

I would like this too, but isn't it a limitation of CloudFormation in general not supporting SecureString SSM?

@eladb eladb added feature-request A feature should be added or improved. @aws-cdk/aws-ssm Related to AWS Systems Manager and removed feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Aug 13, 2019
@eladb eladb self-assigned this Aug 13, 2019
@rix0rrr
Contributor

rix0rrr commented Aug 30, 2019

Yes, SSM SecureStrings aren't supported everywhere. SecretsManager Secrets are supported everywhere, so those would be recommended (though they are more expensive, unfortunately).

As for the reason why CDK doesn't write those secrets for you... we considered it but decided that handling users' secrets would be a responsibility that would eat a lot of engineering time to do properly, and we didn't want to spend that time at that point in time.

@eladb
Contributor

eladb commented Jan 23, 2020

Our current stance is that the CDK doesn't handle secrets. Secrets can be stored in SSM using the AWS CLI and then consumed from your CDK app by ARN/name. Closing for now.

@HarshRohila

I created an npm package to handle this https://www.npmjs.com/package/cdk-secure-parameter-store
