
A utility for dealing with AWS SSM Parameter Store


aws-ssm-commander


Inspired by aws-ssm-tree

Install

pip install aws-ssm-commander

Usage

Options:
  --debug
  --help   Show this message and exit.

Commands:
  dump   Dump the values in ssm to a param file, for backup or inspection.
  tree   Print out a tree of your SSM parameters
  write  take a yaml file, put it in to SSM

dump

Dumps the params on a path to JSON or YAML output.

~> aws-ssm-commander dump /abc/123
section_a:
  username: abc123
section_b:
  password: blah
  username: foobar

tree

See a visual representation of the params on a path. Useful for making sure your params in SSM are structured as expected.

~> aws-ssm-commander tree /abc/123/
abc
└── 123
    ├── section_a
    │   └── username
    ├── section_b
    │   ├── password
    │   └── username

write

Takes a yaml input file and a path prefix, and writes params to SSM.

~> aws-ssm-commander write /abc/123/ my_file.yml

Saving secrets

There are two ways of saving secrets. The first is to supply a KMS key ID along with the value to encrypt. The second is to use a custom KMS key and store KMS blobs in the YAML file. The former is less secure than the latter, because the value to encrypt sits in the params file as plaintext.

Supplying a KMS key ID along with the value to encrypt

A KMS key ID can be supplied:

password:
  kms_key_id: f0e79e90-5672-431d-b100b-84b8ac8f1525
  value: supersecretpassword

Keep in mind that if the params file is in git, the secret will be exposed in plain text!

Using custom KMS keys to store kms blobs in the yaml file

Much of what you want to put in Parameter Store is secret, and you don't store plaintext secrets in git! You could encrypt and decrypt these files on your own, but aws-ssm-commander supports putting a KMS blob directly in a config file. To use this method, you must use a Customer Managed KMS key.

You can put a KMS secret in your config files by prefixing a value with a !kms tag.

To get a KMS blob, encrypt the secret with the AWS CLI:

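KEY_ID=1234abcd-12ab-34cd-56ef-1234567890ab
# AWS CLI v2 reads --plaintext as base64 by default; add --cli-binary-format raw-in-base64-out to pass raw text.
aws kms encrypt --key-id "$KEY_ID" --plaintext "MY_SECRET" --output text --query CiphertextBlob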

Take that output and drop it into a value in a YAML file like so:

my_thing:
  username: foobar
  password: !kms WW05aWJHRjNZbXh2WWc9PQ==
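
A pre-commit style check for the two forms described above, added here as an example; it is not part of aws-ssm-commander. The name audit_params, the sample file and the joining of nested keys into parameter paths (as the tree output suggests) are assumptions, and the parser only handles block-style nested mappings like those on this page.

```python
import base64
import binascii
import re

# Constructed sample params file: both forms from the page plus a damaged blob.
SAMPLE = """\
my_thing:
  username: foobar
  password: !kms WW05aWJHRjNZbXh2WWc9PQ==
db:
  password:
    kms_key_id: f0e79e90-5672-431d-b100b-84b8ac8f1525
    value: supersecretpassword
  token: !kms not*base64
"""

LINE = re.compile(r"^(?P<indent> *)(?P<key>[^:#\s][^:]*):\s*(?P<val>.*)$")
PLAINTEXT_FORM = {"kms_key_id", "value"}  # the less secure form on the page

def audit_params(text, prefix="/"):
    """Return sorted (parameter_path, finding) pairs for a block-style params file."""
    findings = []
    stack = []  # (indent, key) for every mapping that is currently open
    seen = {}   # parent path -> plain scalar keys seen under it
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank lines, comments, anything this parser does not model
        indent, key, val = len(m["indent"]), m["key"].strip(), m["val"].strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()  # this line closes deeper or sibling mappings
        parent = prefix.rstrip("/") + "".join("/" + k for _, k in stack)
        if not val:
            stack.append((indent, key))  # key opens a nested mapping
            continue
        if val.startswith("!kms"):
            blob = val[len("!kms"):].strip()
            try:
                if not blob:
                    raise ValueError("empty blob")
                base64.b64decode(blob, validate=True)
            except (binascii.Error, ValueError):
                findings.append((parent + "/" + key, "!kms value is not valid base64"))
        else:
            seen.setdefault(parent, set()).add(key)
            if key in PLAINTEXT_FORM and PLAINTEXT_FORM <= seen[parent]:
                findings.append((parent, "plaintext secret stored beside kms_key_id"))
    return sorted(findings)
```

A !kms value that passes only proves the blob is well-formed base64, not that it decrypts under your key.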

Download files


Source Distribution

aws-ssm-commander-0.0.4.tar.gz (5.8 kB)

Uploaded Source

Built Distribution

aws_ssm_commander-0.0.4-py3-none-any.whl (8.2 kB)

Uploaded Python 3

File details

Details for the file aws-ssm-commander-0.0.4.tar.gz.

File metadata

  • Download URL: aws-ssm-commander-0.0.4.tar.gz
  • Upload date:
  • Size: 5.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.21.0 setuptools/39.1.0 requests-toolbelt/0.9.1 tqdm/4.31.1 CPython/3.7.2

File hashes

Hashes for aws-ssm-commander-0.0.4.tar.gz
Algorithm Hash digest
SHA256 67ba6b498ae497e2d5455a22f20a7c12755431939f889e83bbe14e8b4943ca1a
MD5 4d8a22786c892615a897f68c4b631d18
BLAKE2b-256 b771c43c184a010e1d14af9e2f61c543335a95f64b1a9e142e4a4b9a08bb9734


File details

Details for the file aws_ssm_commander-0.0.4-py3-none-any.whl.

File metadata

  • Download URL: aws_ssm_commander-0.0.4-py3-none-any.whl
  • Upload date:
  • Size: 8.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.21.0 setuptools/39.1.0 requests-toolbelt/0.9.1 tqdm/4.31.1 CPython/3.7.2

File hashes

Hashes for aws_ssm_commander-0.0.4-py3-none-any.whl
Algorithm Hash digest
SHA256 f0594798f3e3f24c946b4a5cd2f10fff09a8d1285560f83aa67d72f687c8fa38
MD5 4d29b79fedd8d222440be2935737576b
BLAKE2b-256 e61adcee84c17c1d06032e8cfbde2e9d403506aed9fd9a68969e8fe5dc62bea5
