I don't understand why so few people talk about ParameterStore. It's a fantastic tool, and AWS does such a terrible job of advertising it. It's hidden under SSM, an offering non-enterprise users probably don't care about, which gives the wrong impression that it's only for EC2.
ParameterStore should be part of KMS instead I think.
Exactly. I was wishing for an AWS based cli accessible credstore service for a while and didn't even know this existed until just the other week.
One big problem with AWS and their incremental features / improvements is you never hear about much of it, or it's buried in a post on Jeff's blog that you have to watch like a hawk to keep up with.
I can recommend subscribing to Most recent announcements from AWS[1] for keeping up. You'll get weekly summary emails with headlines, HN style. They link to articles here[2].
For a while now I've subscribed to "AWS this week" on YouTube from A Cloud Guru. It's just 5 minutes, and you have a good idea of what's going on. (I have no affiliation.)
I really think it's just an AWS account with credstash under the hood, that some Amazon engineers work on full time. Seems like a no-brainer to use imo, since it's very polished.
AWS Parameter Store certainly has merit. As you can see from the comparison table, there is certain functionality supported by Strongbox which AWS Parameter Store does not currently offer, like larger secrets, more secrets, etc.
You can use the assume role functionality with Strongbox. The examples don't do this for simplicity.
Yup, Strongbox has a dependency on DynamoDB so one may as well research the "native AWS" approach: https://aws.amazon.com/blogs/compute/managing-secrets-for-am...
The nice thing about doing it the way described in the linked article, is that it composes really well with IAM. VMs, ECS tasks, Lambda functions and so on.
Is it possible to use Parameter Store without configuring System Manager for the instances where it's used?
I recently looked into SSM but was put off because the docs[1] suggested that you add the managed AmazonEC2RoleforSSM policy to instances, which among other things gives them full read/write access to all S3 buckets.
Edit: also discovered by others[2].
Just revised a set of developer policies today. Most systems/users will only need a couple of permissions to leverage parameter store. And if you take the time to dig into the IAM permissions, it's quite impressive how granular you can get.
The policy I built today, for example, granted SSM:GetParameter* for parameters in the '/dev' or '/staging' path hierarchy. You won't find this fully documented at the moment, but you can separately manage encryption/decryption of secrets using conditions and kms:EncryptionContext, e.g.,
One point I will note in relation to other secret management schemes is that Parameter Store seems to use CMKs directly to encrypt parameters rather than relying on data keys and envelope encryption.
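An added illustration of the scoped policy described in the comment above (not the commenter's own policy, which was not reproduced in the thread): read access limited to the `/dev` and `/staging` parameter hierarchies, and `kms:Decrypt` on the CMK restricted via the `kms:EncryptionContext:PARAMETER_ARN` condition so the key can only unwrap those same parameters. The account id, region and key id are placeholders; the `PARAMETER_ARN` context key is the one Parameter Store passes to KMS for SecureString parameters, which you can confirm from the `encryptionContext` field of the CMK's Decrypt events in CloudTrail.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadDevAndStagingParameters",
      "Effect": "Allow",
      "Action": ["ssm:GetParameter*"],
      "Resource": [
        "arn:aws:ssm:us-east-1:123456789012:parameter/dev/*",
        "arn:aws:ssm:us-east-1:123456789012:parameter/staging/*"
      ]
    },
    {
      "Sid": "DecryptOnlyThoseParameters",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:PARAMETER_ARN": [
            "arn:aws:ssm:us-east-1:123456789012:parameter/dev/*",
            "arn:aws:ssm:us-east-1:123456789012:parameter/staging/*"
          ]
        }
      }
    }
  ]
}
```

Contrast this with the managed AmazonEC2RoleforSSM policy mentioned earlier in the thread: here the principal gets no S3 access at all, and a `/prod/*` parameter encrypted under the same CMK stays unreadable because the decrypt grant is tied to the parameter ARN in the encryption context rather than to the key alone.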
Some of Amazon's IAM examples are very permissive. Perhaps it's because of the need for brevity but a link to additional examples that are more comprehensive and secure would be great.
The parameter store was not available at the time Strongbox was designed and developed. The Strongbox project page has a nice matrix comparing how Strongbox stacks up against Parameter Store.
In terms of not using credentials directly, relying on AWS KMS for encryption keys, and the use of IAM policies to control access to secrets, Strongbox and AWS Parameter Store share a similar design.