
I've recently been looking into AWS KMS for storing database passwords and the like. However, I've also seen that SecureString parameters in Parameter Store can be used for this. In both instances I believe I would need to use the AWS CLI to access these services.

However, in a production environment where there might be multiple servers, how are we supposed to go about getting the AWS CLI installed and authenticated on our instances? It feels like the CLI credentials should also be stored in Parameter Store, creating a bit of a catch-22. As far as I'm aware, these should form part of an AMI, and I don't want them in source control either.

What's the best approach here?

TommyBs
  • You would not store any credentials on the AWS instance. Rather, when launching instances you will associate them with IAM roles, which will define the resources to which the instance has access, and your call to the CLI does not need the credentials when using the AWS SDK. – Rajesh Dec 12 '17 at 09:56
  • You could use the SDK to access the data, and assign access to those SDKs via the instance role(s). Also, why not store sensitive credentials like DB credentials as environment vars, depending on the setup? – RichGoldMD Dec 12 '17 at 09:58
  • I thought about environment vars, but most of what I've seen suggests that Parameter Store or KMS are actually the best way to go here from a best-practice point of view. – TommyBs Dec 12 '17 at 10:23
  • Best practices: Do not use environment variables. Use IAM roles with your EC2 instance for AWS credentials. Use Parameter Store for your DB passwords, etc. In your code that calls your database, add code to call Parameter Store first to get the database credentials. – John Hanley Dec 12 '17 at 21:51
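The approach the comments converge on (an IAM instance role supplies the AWS credentials, and the application reads the SecureString from Parameter Store at startup) looks like the following. This is an added example, not code from the question or any commenter; the parameter name, region, account ID and KMS key ID are assumptions, and `FakeSsm` is a constructed stand-in so the block runs without AWS access.

```python
"""Read a database password from SSM Parameter Store at runtime, relying on the
EC2 instance role for AWS credentials: nothing secret sits in the AMI, on disk,
in environment variables or in source control.

Parameter name, region, account ID and key ID below are assumptions for this
example; substitute your own.
"""
from typing import Protocol

DB_PASSWORD_PARAM = "/prod/app/db/password"  # assumed parameter name


class SsmClient(Protocol):
    """The one boto3 SSM call this example depends on."""

    def get_parameter(self, *, Name: str, WithDecryption: bool) -> dict: ...


def fetch_secure_string(ssm: SsmClient, name: str) -> str:
    """Return the plaintext of a SecureString parameter.

    WithDecryption=True makes SSM call KMS on the caller's behalf, so the
    instance role needs kms:Decrypt on the key as well as ssm:GetParameter.
    A non-SecureString parameter is refused: a secret stored as a plain
    String would be readable by anyone with ssm:GetParameter alone.
    """
    resp = ssm.get_parameter(Name=name, WithDecryption=True)
    param = resp["Parameter"]
    if param.get("Type") != "SecureString":
        raise ValueError(f"{name} is of type {param.get('Type')}, not SecureString")
    return param["Value"]


def instance_role_policy(parameter_arn_prefix: str, kms_key_arn: str) -> dict:
    """Least-privilege IAM policy to attach to the instance role: read only the
    parameters under one path and decrypt only with the key that protects them.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["ssm:GetParameter", "ssm:GetParametersByPath"],
                "Resource": parameter_arn_prefix + "*",
            },
            {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": kms_key_arn},
        ],
    }


def real_ssm_client():
    """On EC2, boto3's default credential chain finds the instance profile via
    the instance metadata service; no access keys are configured anywhere."""
    import boto3  # imported lazily so the offline demo below needs no boto3

    return boto3.client("ssm")


class FakeSsm:
    """Constructed stand-in for the SSM client so the example runs offline."""

    def __init__(self, params: dict):
        self._params = params

    def get_parameter(self, *, Name: str, WithDecryption: bool) -> dict:
        p = self._params[Name]
        value = p["plaintext"] if WithDecryption else p["ciphertext"]
        return {"Parameter": {"Name": Name, "Type": p["type"], "Value": value}}


# Constructed sample store: one SecureString (undecrypted, SSM hands back an
# opaque KMS blob) and one plain String that must not be accepted as a secret.
SAMPLE_STORE = {
    "/prod/app/db/password": {"type": "SecureString", "plaintext": "s3cr3t-pw",
                              "ciphertext": "AQICAHg-constructed-kms-blob"},
    "/prod/app/db/host": {"type": "String", "plaintext": "db.internal",
                          "ciphertext": "db.internal"},
}


if __name__ == "__main__":
    import json

    ssm = FakeSsm(SAMPLE_STORE)  # swap for real_ssm_client() on an EC2 instance
    pw = fetch_secure_string(ssm, DB_PASSWORD_PARAM)
    print("fetched password of length", len(pw))  # never log the value itself
    print(json.dumps(instance_role_policy(
        "arn:aws:ssm:us-east-1:123456789012:parameter/prod/app/",
        "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"),
        indent=2))
```

On a real instance, `real_ssm_client()` replaces the fake and `fetch_secure_string` is unchanged: boto3 obtains temporary credentials from the instance profile, so there is no access key to bake into the AMI or commit. The same holds for the CLI (`aws ssm get-parameter --name /prod/app/db/password --with-decryption`), which resolves credentials through the same chain. The policy's resource ARN for a parameter named `/prod/app/db/password` takes the form `arn:aws:ssm:REGION:ACCOUNT:parameter/prod/app/db/password`, so a prefix ending in `parameter/prod/app/` scopes the role to that path only.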

0 Answers