
Currently, I use a single SSM parameter to store a set of properties separated by newlines, like this:

property1=value1
property2=value2
property3=value3

(I am aware of the 4K size limit, it's fine.)

This works well, for normal String type parameters that store non-sensitive information like environment configuration, but I'd also like to do similar for secrets using the SecureString parameter type.

The problem is that I can't edit the parameter value in the console because it's using an HTML input field of type="password" that doesn't handle newlines.

The multi-line value works fine with the actual parameter store backend - I can set a value with multiple lines with the SSM API no problem and they can be read with the EC2 CLI properly too.

But I can't edit them using the console. This is a problem because the whole point of using a SecureString parameter is that I intend the only place to edit/view these secrets to be via the console (so that permissions are controlled and access is audited).

There are a few infrastructure workarounds I could implement (one parameter for each secret, store the secrets on S3 or another secret-storing service, etc.) but they all have drawbacks - I'm just trying to find out if there's a way around this using the console.

Is there any way I can work around this and use the console to edit multi-line SecureString parameters?
Any kind of browser workaround or hack that I might be able to use to tell the browser to use a textarea instead of a "password" type field? I'm using Chrome, but I'd be happy to work around this by using another browser or something (editing the secrets is pretty rare, and viewing multi-line values in the console works fine).

EDIT

After posting this question, AWS notified me there was a whole new "AWS Systems Manager" UI, but it still has the same problem - I tried the below browser hacks on this new UI, but no luck.

Failed browser hack attempt 1: I tried opening the browser console, running document.getElementById("Value").value = "value1\nvalue2" and then clicking the save button, which set the value I injected, but the newline was filtered out.

Failed browser hack attempt 2: I tried using the browser inspector to change the element to a TextArea and then typed in two lines of input and clicked save, but that didn't set the value at all.

Shorn
  • Something we do at work is input something like `property1=value1\nproperty2=value2\nproperty3=value3`, and after reading the value from ssm substitute the `\n` for an actual linebreak. I would be interested if there is a better solution – Jordan Stewart Jan 23 '20 at 03:03

5 Answers


From https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-file, I learned you can pass a file as parameter to the --value argument. So if your file is called secrets.properties, you can do this:

aws ssm put-parameter --type SecureString --name secrets --value file://secrets.properties

Justin Bailey

I found a way to do it, but it's too much effort and too weird - if anyone can find a simpler way, I will mark that as the answer.

The hacky workaround is to install the "Tamper Chrome" extension + app, then capture the XHR request as the browser sends it and edit the new lines into the JSON.

Blech. Plus "Tamper Chrome" is pretty awful, I don't want to run it on my machine.

Shorn
  • Using aws-cli or another mechanism for direct API requests seems to be the only solution. It appears to be an unfortunate design flaw in the console. – Michael - sqlbot Apr 08 '18 at 17:53
  • I can't even get this to work via the aws cli. Adding newline characters just results in them being interpreted literally (escaped). Did you know of a way to make it work? – darrend Apr 16 '18 at 16:14
  • @darrend I'm actually using Terraform, so it's the thing that's putting the newlines into the value via the API, not me. But I am getting the values out using the aws cli, so reading definitely works. But I don't actually have proof that you can write newlines to a param value using the command line (but I'd guess that it should work and you should probably look at your quoting/escaping mechanism). – Shorn Apr 16 '18 at 22:37
  • @Shorn thanks, I figured it out in the end but you need to use the `--cli-input-json` switch and pass the value as a json object (edit: I'll add as an answer) – darrend Apr 19 '18 at 08:55

It might be better to use the new Secrets Manager that was launched recently. The interface for it is very close to Parameter Store, but it has better support for multiple parameters in one place.

I wonder if the change in the console was due to the expected release of the service, since they have a pricing model around secrets whereas Parameter Store is free.

Stephen
  • I don't understand the point of secrets manager, it seems expensive for what it does. I've just gone with separating the secrets with a tab character, then converting that to newline with "sed -e 'y/\t/\n/'" on the instance. I really shouldn't have to do that - especially given the secrets manager doesn't seem to "need" a password type field, why shouldn't I be able to use a textarea for the parameter store. Whatevs, it's done now. – Shorn Apr 07 '18 at 11:12

In the end, I decided the answer to this question is "don't do that". Not that I would've wanted to hear that when I was trying to make it work.

You should use a separate SSM param per secret for these reasons:

  • ability to grant permissions at a fine-grained level; e.g. you have an API password for calling your service, and a DB password for the service to talk to a DB - if you store them in the same secret you couldn't grant access to only the API password.
  • ability to track key access separately - the SSM access logs can only tell you that the target machine/user accessed the SSM param at that time, it won't be able to tell you which secret was accessed
  • ability to use separate KMS keys to encrypt

Just watch out for the fact that you can only request a max of 10 SSM params at a time.

Shorn
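Added example (not from the question or any of the answers) for the reading side of both approaches discussed on this page: it parses the `property=value` layout from the question, also accepting the literal `\n` substitute from the comments and the tab separator, and it batches `GetParameters` calls to the 10-name limit mentioned in the answer above. The boto3 client call and the permissions it needs (SSM read plus KMS decrypt on the parameter's key) are assumptions.

```python
"""Read multi-line 'properties' style SSM parameters into a dict.

Added example, not code from the question or any answer. Handles the
three layouts discussed on the page: real newlines, the literal
two-character '\\n' substitute, and a tab separator. The boto3 fetch is
an assumption about how a reader would get the value and is only
imported on demand, so the parser works without AWS access.
"""
import re
from typing import Dict, Iterator, List

# One record per real newline, per literal backslash-n, or per tab.
# A value that itself contains a tab or a literal '\n' will be split too,
# which is the same limitation the sed/substitution workarounds have.
_SEPARATOR = re.compile(r"\r?\n|\\n|\t")


def parse_properties(raw: str) -> Dict[str, str]:
    """Split 'key=value' records; blank records and '#' comments are skipped.
    Only the first '=' splits, so values may contain '='."""
    props: Dict[str, str] = {}
    for record in _SEPARATOR.split(raw):
        record = record.strip()
        if not record or record.startswith("#"):
            continue
        if "=" not in record:
            raise ValueError(f"malformed record: {record!r}")
        key, value = record.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def chunked(names: List[str], size: int = 10) -> Iterator[List[str]]:
    """GetParameters accepts at most 10 names per call."""
    for i in range(0, len(names), size):
        yield names[i:i + size]


def fetch_secure_strings(names: List[str]) -> Dict[str, str]:
    """Fetch SecureString parameters decrypted, batching to the 10-name limit.
    Missing names are reported instead of silently dropped."""
    import boto3  # assumption: credentials with ssm:GetParameters + kms:Decrypt
    ssm = boto3.client("ssm")
    out: Dict[str, str] = {}
    for batch in chunked(names):
        resp = ssm.get_parameters(Names=batch, WithDecryption=True)
        if resp.get("InvalidParameters"):
            raise KeyError(f"missing parameters: {resp['InvalidParameters']}")
        for param in resp["Parameters"]:
            out[param["Name"]] = param["Value"]
    return out
```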

If you want, you can try my app https://github.com/ledongthuc/awssecretsmanagerui

I created it to make updating multi-line and binary values easier. Hope it's helpful for your case.

Le Dong Thuc