Keep Your Secrets Safe with AWS Systems Manager Parameter Store and Node

Overview

In this article, we’ll walk through how to save and retrieve a secret using the AWS SSM Parameter Store with Node.

AWS SSM vs AWS Secrets Manager

AWS offers two services for secrets management:

  • AWS Systems Manager (SSM) Parameter Store
  • AWS Secrets Manager

Though the services are similar, there are a number of differences between them. The table below provides a comparison.


Create IAM Policy

  1. Go to https://console.aws.amazon.com/iam/home
  2. Go to Policies and click the Create Policy button
  3. Select the JSON tab and paste the following policy:
{ 
   "Version":"2012-10-17",
   "Statement":[ 
      { 
         "Action":[ 
            "ssm:GetParameter",
            "ssm:PutParameter"
         ],
         "Effect":"Allow",
         "Resource":"arn:aws:ssm:*:*:*"
      }
   ]
}

  4. Enter a name for the policy and click the Create Policy button

Create IAM User

  1. Go to https://console.aws.amazon.com/iam/home
  2. Go to Users and click the Add User button
  3. Enter a username
  4. Select Programmatic access for the Access Type and click Next
  5. Select Attach Existing Policies Directly for Permissions
  6. Check the policy created previously and click Next
  7. (Optional) Add tags and click Next
  8. Click Create user
  9. Save the Access Key and Secret Key (this is the only time the secret key will be shown)

Set Environment Variables

# export AWS_ACCESS_KEY_ID=xxxxxxx
# export AWS_SECRET_ACCESS_KEY=xxxxx

Install AWS SDK from NPM

# npm install aws-sdk --save

Initialize the AWS client

Let’s create a Node module to initialize the AWS SSM client. We’ll set the region to be Northern Virginia but you can modify as needed of course.

aws-client.js

const AWS = require('aws-sdk');
AWS.config.update({region:'us-east-1'});
const ssm = new AWS.SSM();

module.exports = ssm;

Saving the Secret

We’ll be saving the password into an encrypted parameter named /{username}/passwordString.

For example, if the username is lucy and password is meow, then the parameter would be named /lucy/passwordString and the value would be meow.

secrets.js

We’ll define two functions in this file - saveSecret and getSecret.

const ssm = require('./aws-client');

const saveSecret = async (username, password) => {
  const secretName = `/${username}/passwordString`;
  console.log(`Saving secret to ${secretName}`);

  const config = {
    Name: secretName,
    Value: password,
    Type: 'SecureString',
    Overwrite: true
  };

  // Wait for the write so callers can safely read the parameter back afterwards
  await ssm.putParameter(config).promise();
};

const getSecret = async (secretName) => {
  console.log(`Getting secret for ${secretName}`);
  const params = {
    Name: secretName, 
    WithDecryption: true
  };

  const result = await ssm.getParameter(params).promise();
  return result.Parameter.Value;
};

module.exports = {saveSecret, getSecret};
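The naming scheme above puts the username straight into the parameter path, so a username containing `/` would address a different level of the hierarchy, and `Overwrite: true` would replace whatever is already stored there. The following is an added example, not code from the original article, that validates the username before the name is built. `parameterNameFor` and `saveSecretSafely` are hypothetical helpers, the 64-character limit is an assumption, and the SSM client is passed in as an argument so the function can be run against a stub.

```javascript
// Added example (not the article's code): build the parameter name safely.
// The character set follows the SSM parameter-name rules (a-zA-Z0-9_.-);
// the 64-character cap is an assumption chosen for this example.
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,64}$/;

function parameterNameFor(username) {
  if (typeof username !== 'string' || !USERNAME_RE.test(username)) {
    // Rejects '/', whitespace, empty strings and non-strings, so a username
    // can never add a level to the /{username}/passwordString hierarchy.
    throw new Error('invalid username for parameter name');
  }
  if (/^(aws|ssm)/i.test(username)) {
    // SSM rejects names prefixed with "aws" or "ssm" (case-insensitive);
    // refuse such usernames up front instead of failing at PutParameter.
    throw new Error('username collides with a reserved SSM prefix');
  }
  return `/${username}/passwordString`;
}

// Hardened variant of saveSecret. The client is injected so the function can
// be exercised offline; with the article's files it is require('./aws-client').
async function saveSecretSafely(ssm, username, password) {
  const Name = parameterNameFor(username);
  // Log the parameter name only, never the secret value.
  console.log(`Saving secret to ${Name}`);
  await ssm.putParameter({
    Name,
    Value: password,
    Type: 'SecureString',
    Overwrite: true,
  }).promise();
  return Name;
}
```
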

Now, let’s write some code that calls the saveSecret function with our data.

index.js

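const secrets = require('./secrets');

(async () => {
  // Wait for the write to finish before reading the parameter back
  await secrets.saveSecret('lucy', 'meow');
  const password = await secrets.getSecret('/lucy/passwordString');
  console.log(password);
})().catch((err) => console.error(err));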

Running the Code

# node index.js
Saving secret to /lucy/passwordString
Getting secret for /lucy/passwordString
meow

Verify the Parameter was Saved

In the AWS Systems Manager console, we can see below that the parameter was created successfully:




More articles by Amir Boroumand
