Currently, I use a single SSM parameter to store a set of properties separated by newlines, like this:
(I am aware of the 4K size limit, it’s fine.)
This works well for normal String type parameters that store non-sensitive information like environment configuration, but I’d also like to do similar for secrets using the SecureString parameter type.
The problem is that I can’t edit the parameter value in the console because it’s using an HTML input field of type="password" that doesn’t handle newlines.
The multi-line value works fine with the actual parameter store backend – I can set a value with multiple lines with the SSM API no problem and they can be read with the EC2 CLI properly too.
But I can’t edit them using the console. This is a problem because the whole point of using a SecureString parameter is that I intend the only place to edit/view these secrets to be via the console (so that permissions are controlled and access is audited).
There’s a few infrastructure workarounds I could implement (one parameter for each secret, store the secrets on S3 or other secret storing service, etc.) but they all have drawbacks – I’m just trying to find out if there’s a way around this using the console?
Is there any way I can work around this and use the console to edit multi-line SecureString parameters?
Any kind of browser workaround or hack that I might be able to use to tell the browser to use a textarea instead of a “password” type field?
I’m using Chrome, but I’d be happy to work around this by using another browser or something (editing the secrets is pretty rare, and viewing multi-line values in the console works fine).
After posting this question, AWS notified me there was a whole new “AWS Systems Manager” UI, but it still has the same problem – I tried the below browser hacks on this new UI, but no luck.
Failed browser hack attempt 1: I tried opening the browser console, running document.getElementById("Value").value = "value1\nvalue2" and then clicking the save button, which set the value I injected, but the newline was filtered out.
Failed browser hack attempt 2: I tried using the browser inspector to change the element to a TextArea and then typed in two lines of input and clicked save, but that didn’t set the value at all.
In the end, I decided the answer to this question is “don’t do that”. Not that I would’ve wanted to hear that when I was trying to make it work.
You should use a separate SSM param per secret for these reasons:
- ability to grant permissions at a fine-grained level; e.g. you have an API password for calling your service, and a DB password for the service to talk to a DB – if you store them in the same secret you couldn’t grant access to only the API password.
- ability to track key access separately – the SSM access logs can only tell you that the target machine/user accessed the SSM param at that time, it won’t be able to tell you which secret was accessed
- ability to use separate KMS keys to encrypt
Just watch out for the fact that you can only request a max of 10 SSM params at a time.
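An added example (not code from the answer's author) of the one-parameter-per-secret layout on the consuming side: fetching a list of SecureString parameters with the GetParameters API while honouring the 10-name limit, and failing closed when a name comes back in InvalidParameters. The `FakeSSM` class, the `/app/...` parameter names and the `fetch_secure_params` helper are constructed for this example; `client` is assumed to be a boto3 SSM client or anything with the same `get_parameters` signature.

```python
"""Read many SecureString parameters, one secret per parameter, in batches of 10."""

GET_PARAMETERS_MAX_NAMES = 10  # hard limit of the SSM GetParameters API


def chunk(names, size=GET_PARAMETERS_MAX_NAMES):
    """Split a list of parameter names into batches of at most `size`."""
    return [names[i:i + size] for i in range(0, len(names), size)]


def fetch_secure_params(client, names):
    """Return {name: decrypted value} for every name, or raise if any is missing.

    Keeping one parameter per secret is what lets IAM grants, access logs and
    KMS keys stay separate; the batching here is the price of the 10-name limit.
    """
    found, invalid = {}, []
    for batch in chunk(list(names)):
        resp = client.get_parameters(Names=batch, WithDecryption=True)
        for p in resp.get("Parameters", []):
            found[p["Name"]] = p["Value"]
        invalid.extend(resp.get("InvalidParameters", []))
    if invalid:
        # Fail closed: a silently absent secret is worse than a crash at startup.
        raise KeyError(f"parameters reported invalid by SSM: {sorted(invalid)}")
    return found


class FakeSSM:
    """Constructed stand-in for boto3's SSM client so the example runs offline."""

    def __init__(self, store):
        self.store = store
        self.calls = []  # records the batch sizes actually requested

    def get_parameters(self, Names, WithDecryption):
        assert len(Names) <= GET_PARAMETERS_MAX_NAMES, "real API would reject this"
        self.calls.append(len(Names))
        return {
            "Parameters": [{"Name": n, "Value": self.store[n], "Type": "SecureString"}
                           for n in Names if n in self.store],
            "InvalidParameters": [n for n in Names if n not in self.store],
        }


if __name__ == "__main__":
    import boto3  # only needed when talking to the real service
    ssm = boto3.client("ssm")  # assumes credentials with ssm:GetParameters + kms:Decrypt
    print(fetch_secure_params(ssm, ["/app/prod/db_password", "/app/prod/api_key"]))
```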