
Currently, I use a single SSM parameter to store a set of properties separated by newlines, like this:

property1=value1
property2=value2
property3=value3

(I am aware of the 4K size limit, it's fine.)

This works well, for normal String type parameters that store non-sensitive information like environment configuration, but I'd also like to do similar for secrets using the SecureString parameter type.

The problem is that I can't edit the parameter value in the console because it's using an HTML input field of type="password" that doesn't handle newlines.

The multi-line value works fine with the actual parameter store backend - I can set a value with multiple lines with the SSM API no problem and they can be read with the EC2 CLI properly too.

But I can't edit them using the console. This is a problem because the whole point of using a SecureString parameter is that I intend the only place to edit/view these secrets to be via the console (so that permissions are controlled and access is audited).

There are a few infrastructure workarounds I could implement (one parameter for each secret, store the secrets on S3 or another secret-storing service, etc.) but they all have drawbacks - I'm just trying to find out if there's a way around this using the console?

Is there any way I can work around this and use the console to edit multi-line SecureString parameters?
Any kind of browser workaround or hack that I might be able to use to tell the browser to use a textarea instead of a "password" type field? I'm using Chrome, but I'd be happy to work around this by using another browser or something (editing the secrets is pretty rare, and viewing multi-line values in the console works fine).

EDIT

After posting this question, AWS notified me there was a whole new "AWS Systems Manager" UI, but it still has the same problem - I tried the below browser hacks on this new UI, but no luck.

Failed browser hack attempt 1: I tried opening the browser console, running document.getElementById("Value").value = "value1\nvalue2" and then clicking the save button, which set the value I injected, but the newline was filtered out.

Failed browser hack attempt 2: I tried using the browser inspector to change the element to a TextArea and then typed in two lines of input and clicked save, but that didn't set the value at all.


5 Answers


From https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-file, I learned that you can pass a file as the --value parameter. So if your file is called secrets.properties, you can do this:

aws ssm put-parameter --type SecureString --name secrets --value file://secrets.properties
answered 2018-11-09T07:33:51.843

I found a way, but it's far too laborious and weird - if anyone can find a simpler way, I'll mark that as the answer.

The hacky workaround is to install the "Tamper Chrome" extension + app, then catch the XHR request when the browser sends it and edit the newlines into the JSON.

Blech. Plus "Tamper Chrome" is pretty nasty and I don't want to run it on my machine.

answered 2018-04-07T05:49:46.750

In the end, I decided the answer to this question is "don't do that". Not that I would have wanted to hear that when I was trying to make it work.

You should use a separate SSM parameter for each secret, for the following reasons:

  • The ability to grant permissions at a granular level; e.g. you have an API password for calling your service and a database password for the service to talk to the database - if you store them in the same secret, you can't grant access to only the API password.
  • The ability to track access to secrets separately - the SSM access logs can only tell you that the target machine/user accessed the SSM parameter at that time; they can't tell you which secret was accessed.
  • The ability to use separate KMS keys for encryption.

Note that you can only request up to 10 SSM parameters at a time.

answered 2018-09-06T05:04:11.673
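The two CLI-side approaches in the answers above (loading the properties file with --value file://..., and splitting it into one SecureString parameter per secret with reads batched in tens) can be combined in a small script. The following is an added example, not code from the question or any answer; it assumes a properties file with one key=value per line, a parameter name prefix such as /myapp/prod, and a client with the boto3 ssm put_parameter/get_parameters signatures. The FakeSSM class is a constructed in-memory stand-in so the script runs offline; pass boto3.client("ssm") in its place to talk to the real service.

```python
"""Per-secret SSM SecureString parameters with batched reads (added example).

Assumptions (not in the original page): 'key=value' lines, a name prefix
like /myapp/prod, and a client exposing boto3's ssm.put_parameter and
ssm.get_parameters signatures. FakeSSM is a constructed offline stand-in.
"""
from typing import Dict, Iterable, List, Optional

GET_PARAMETERS_MAX = 10  # GetParameters accepts at most 10 names per call


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines; skip blanks and '#' comments; split on the first '='."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed property line: {raw!r}")
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def put_secrets(client, prefix: str, props: Dict[str, str],
                kms_key_id: Optional[str] = None) -> List[str]:
    """Store each property as its own SecureString parameter under prefix."""
    names = []
    for key, value in props.items():
        name = f"{prefix.rstrip('/')}/{key}"
        kwargs = dict(Name=name, Value=value, Type="SecureString", Overwrite=True)
        if kms_key_id:  # per-parameter CMK, one of the reasons to split secrets
            kwargs["KeyId"] = kms_key_id
        client.put_parameter(**kwargs)
        names.append(name)
    return names


def batched(items: Iterable[str], size: int) -> List[List[str]]:
    """Split names into chunks of at most `size` (GetParameters limit is 10)."""
    items = list(items)
    return [items[i:i + size] for i in range(0, len(items), size)]


def get_secrets(client, names: Iterable[str]) -> Dict[str, str]:
    """Read decrypted values in batches of 10; fail loudly on any missing name."""
    found: Dict[str, str] = {}
    missing: List[str] = []
    for chunk in batched(names, GET_PARAMETERS_MAX):
        resp = client.get_parameters(Names=chunk, WithDecryption=True)
        for p in resp["Parameters"]:
            found[p["Name"]] = p["Value"]
        missing.extend(resp.get("InvalidParameters", []))
    if missing:
        raise KeyError(f"parameters not found: {missing}")
    return found


class FakeSSM:
    """Constructed in-memory stand-in for boto3's SSM client (offline only)."""

    def __init__(self):
        self.store: Dict[str, dict] = {}
        self.get_calls = 0

    def put_parameter(self, Name, Value, Type, Overwrite=False, KeyId=None):
        if Name in self.store and not Overwrite:
            raise ValueError("ParameterAlreadyExists")
        self.store[Name] = {"Name": Name, "Value": Value, "Type": Type, "KeyId": KeyId}
        return {"Version": 1}

    def get_parameters(self, Names, WithDecryption=False):
        if len(Names) > GET_PARAMETERS_MAX:
            raise ValueError("ValidationException: too many names")
        self.get_calls += 1
        params = [dict(self.store[n]) for n in Names if n in self.store]
        if not WithDecryption:  # real SSM returns ciphertext without WithDecryption
            for p in params:
                if p["Type"] == "SecureString":
                    p["Value"] = "<encrypted>"
        return {"Parameters": params,
                "InvalidParameters": [n for n in Names if n not in self.store]}


# Constructed sample input, not real secrets.
SAMPLE_PROPERTIES = """# constructed sample
api.password=hunter2
db.password=p@ss=with=equals
"""

if __name__ == "__main__":
    ssm = FakeSSM()
    names = put_secrets(ssm, "/myapp/prod", parse_properties(SAMPLE_PROPERTIES))
    print(get_secrets(ssm, names))
```

With the real client, IAM policies can then be scoped to /myapp/prod/api.password alone, and CloudTrail records which parameter name each GetParameters call touched, which is exactly what a single multi-line parameter cannot give you.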

You might be better off using the recently launched Secrets Manager. Its interface is very close to Parameter Store, but it has better support for multiple values in one place.

I wonder whether the console change was due to the planned release of that service, since they have a pricing model around secrets, whereas Parameter Store is free.

answered 2018-04-07T06:02:34.357

If you want, you can try my app https://github.com/ledongthuc/awssecretsmanagerui

I created it to make updating multi-line values and binary files easier. Hope it helps with your case.

answered 2021-04-02T19:11:19.543