-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC: Have CDK put SecureString type parameter values into SSM securely #3520
Comments
Ug sorry about the |
Here is an example of a custom component that does this. I don't know if it's possible to create a lib or something. custom component lambda: |
I would like this too, but isn't it a limitation of CloudFormation in general not supporting SecureString SSM? |
Yes, SSM SecureStrings aren't supported everywhere. SecretsManager Secrets are supported everywhere, so those would be recommended (though they are more expensive, unfortunately). As for the reason why CDK doesn't write those secrets for you... we considered it but decided that handling user's secrets would be a responsibility that would eat a lot of engineering time to do properly, and we didn't want to spend that time at that point in time. |
Our current stance is that the CDK doesn't handle secrets. Secrets can be stored in SSM using the AWS CLI and then consumed from your CDK app by ARN/name. Closing for now. |
I created an npm package to handle this https://www.npmjs.com/package/cdk-secure-parameter-store |
Currently there is no way to put a SecureSAtring type value into the System Manager Parameter store using CDK.
The only method to put a secure param in ssm is in the aws sdk.
The only way to access aws sdk in cdk is some sort of custom construct.
Anything you inject into the aws custom component shows up in the template. If you use a custom component with a seperate lambda in a zipped asset, you still have to pass the value. That also shows up in the template.
Using
-c secret_value=donttellanyone!
,app.node.setContext(...);
or
is not a viable solution either.
Have some type way to get CDK to put a SecureString type parameter values into SSM securely. The best way to do this would need some sort of design discussion. I realize this feature is not supported in CF. They only have the ability to do this with a non secure string.
My ask is because one of the reasons I have chosen CDK as an infrastructure solution is because I want developers to be able to support the infrastructure architecture and add the code to the app source.
Although folks tend to use the aws sdk directly to do this, which is also what is currently being advised by the cdk team,
I don't want to add the complexity of more bash / cli commands. If I wanted a pure CF abstraction solution I would use something like the serverless framework.
I know I can still use the nodejs aws sdk but I would still be running it via a cli script. I can create lots of cool cli node.js scripts, add them to npm commands, then still use the serverless framework.
I think one of the great things about CDK is it's infrastructure as CODE. Not infrastructure as cli commands or yaml.
Putting SecureString type parameter values into SSM is, to me, an infrastructure task and IMNSHO I would love to see it handled securely CDK!
Please let me know your thoughts
The text was updated successfully, but these errors were encountered: