Decrypting correctly parameters from AWS SSM

Today's is yet another short one, but ideally it will save a whole lot of headaches for some people.

Scenario: You have stored the contents of a string using AWS SSM Parameter Store (side note: if you are not using it yet, you should definitely have a look), but when retrieving it decrypted via the CLI, you notice that the string's new lines ('\n') have been substituted by spaces (' ').

In my case, I was storing an encrypted private SSH key to integrate with some Ansible scripts triggered via AWS CodePipeline + CodeBuild. CodeBuild makes it really easy to access secrets stored in SSM, however it was retrieving my key incorrectly, which in turn domino-crashed my Ansible scripts.

Here you can also confirm more people are facing this issue. After following the suggestion of using the AWS SDK, in my case with Python boto3, it finally worked. So here is a gist that overwrites an AWS SSM parameter and then retrieves it back:

# put_ssm_parameter.py
import boto3

# Sample multi-line value; the \n escapes inside the triple-quoted string are real newlines.
my_string = """
your string \n separated \n by \n new \n lines.
"""
account_id = '12345678910'
region = 'eu-west-1'
parameter_name = 'some-secret-name'
key_id = 'your-key-id'  # the KMS key used to encrypt the SecureString
kms_key_id = 'arn:aws:kms:{region}:{account_id}:key/{key_id}'.format(
    region=region, account_id=account_id, key_id=key_id)

# Pin the client to the same region as the KMS key
ssm = boto3.client('ssm', region_name=region)

# Store (or overwrite) the value as an encrypted SecureString
response = ssm.put_parameter(
    Name=parameter_name,
    Description='My encrypted secret blob',
    Value=my_string,
    Type='SecureString',
    KeyId=kms_key_id,
    Overwrite=True,
)

# Read it back decrypted: the SDK returns the value exactly as stored, newlines included
response = ssm.get_parameter(
    Name=parameter_name,
    WithDecryption=True
)
print(response.get('Parameter', {}).get('Value'))

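To make the failure mode above fail loudly instead of silently handing a mangled key to Ansible, here is an added example that is not part of the original post or gist: it fetches the parameter and checks it against a SHA-256 digest recorded when the value was stored, and calls out the collapsed-newline case specifically. The boto3 client is replaced by a small fake so the example runs offline (an assumption), and the PEM body is a constructed dummy, not a real key.

```python
import hashlib
import re

# Constructed sample: PEM-shaped placeholder, NOT a real key (body is dummy base64).
GOOD_PEM = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5QUJDREVGR0hJSktMTU5PUA==\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)
# What the CLI path described in the post hands back: every newline replaced by a space.
MANGLED_PEM = GOOD_PEM.replace("\n", " ")

# Header, one or more base64 body lines, footer, each on its own line.
PEM_RE = re.compile(r"^-----BEGIN [A-Z ]+-----\n(?:[A-Za-z0-9+/=]+\n)+-----END [A-Z ]+-----\n?$")


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def looks_like_intact_pem(value: str) -> bool:
    """True if header, body and footer are still on separate lines."""
    return PEM_RE.match(value) is not None


def newlines_collapsed(value: str) -> bool:
    """Heuristic for the post's failure mode: PEM header present but no newline survives."""
    return "-----BEGIN" in value and "\n" not in value


class FakeSsm:
    """Offline stand-in for boto3.client('ssm') (assumed interface: get_parameter(Name=..., WithDecryption=...)
    returning {'Parameter': {'Value': ...}})."""
    def __init__(self, store):
        self._store = store

    def get_parameter(self, Name, WithDecryption=False):
        return {"Parameter": {"Name": Name, "Value": self._store[Name]}}


def fetch_verified_secret(ssm, name: str, expected_sha256: str) -> str:
    """Retrieve a SecureString and refuse it unless it is byte-for-byte what was stored.
    The expected digest is computed at put time and kept outside the secret (e.g. in CI config)."""
    value = ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]["Value"]
    if sha256_hex(value) != expected_sha256:
        hint = " (newlines appear to have been collapsed to spaces)" if newlines_collapsed(value) else ""
        raise ValueError(f"parameter {name!r} does not match expected digest{hint}")
    return value
```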

Hope this helps!
