
I have a bash script to run as the user data script when launching an EC2 instance. For that I need to pass an external API access key ID and secret key. I don't want to store these keys in my user data script, as they are visible in plaintext. Is there any way I can store these keys somewhere such as AWS Secrets Manager and use them in the user data script?

hlesnt395

2 Answers


I would suggest either storing it in Secrets Manager or SSM Parameter Store.

You would need to use the CLI in your userdata script to retrieve the value.

For SSM you would retrieve the secret by using the get-parameter function.

secret=$(aws ssm get-parameter --name "MyStringParameter" --with-decryption --query Parameter.Value --output text)

For Secrets Manager you would retrieve the secret using the get-secret-value function.

secret=$(aws secretsmanager get-secret-value --secret-id MyTestDatabaseSecret --query SecretString --output text)

Then in your bash script, when you want to reference it, you would just use the variable $secret, which is replaced with your secret.

If you decide to use either of these, you will need to ensure the EC2 instance has an IAM role attached with the correct policy granting the permissions you require.

Alternatively, if this is a process that happens frequently (autoscaled instances, for example), then you should take a look at configuring the base server image (AMI) ahead of time and then referencing this as the source AMI.

With tools such as Ansible, Chef and Puppet you could provision the base image with your secret, which would remove any need to do anything in the UserData as it would be available ahead of time.

Chris Williams
  • Thanks for the quick response. This is exactly what I needed. Actually, at the moment we wouldn't be able to include this in the AMI due to some limitation in the vendor application. Because of that we need to run this script when launching the instance. – hlesnt395 Jun 29 '20 at 06:55
  • That's fine, just thought to ensure all possible avenues are noted :) – Chris Williams Jun 29 '20 at 06:55
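Putting the retrieval commands above into a user-data fragment, as an added example that is not code from either answer: it fetches a SecureString from Parameter Store (or a Secrets Manager secret), extracts only the value from the CLI's JSON envelope, and writes it to a root-only file rather than echoing it into the cloud-init log. It assumes the instance role allows ssm:GetParameter / secretsmanager:GetSecretValue (plus kms:Decrypt for a customer-managed key); the names /myapp/api_key and myapp/db are placeholders, and fake_aws is a constructed stand-in for the CLI so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the answers): fetch a secret at boot without leaking it.
# Assumes the instance role grants ssm:GetParameter / secretsmanager:GetSecretValue.
set -eu
# No 'set -x' here: it would copy the secret into /var/log/cloud-init-output.log.

AWS_CLI="${AWS_CLI:-aws}"   # overridable so the offline stand-in below can be used

# Print only the decrypted parameter value. --query/--output text strip the JSON
# envelope that get-parameter returns; without --with-decryption a SecureString
# comes back as ciphertext.
get_ssm_parameter() {
  "$AWS_CLI" ssm get-parameter --name "$1" --with-decryption \
    --query 'Parameter.Value' --output text
}

# Same idea for Secrets Manager: SecretString is the field holding the secret.
get_secret_string() {
  "$AWS_CLI" secretsmanager get-secret-value --secret-id "$1" \
    --query 'SecretString' --output text
}

# $1 = parameter name, $2 = destination path. printf is a builtin, so the value
# never appears on a process command line; the subshell keeps the umask local.
install_secret_file() {
  local value
  value="$(get_ssm_parameter "$1")" || { echo "fetch of $1 failed" >&2; return 1; }
  [ -n "$value" ] || { echo "empty value for $1" >&2; return 1; }
  ( umask 077 && printf '%s\n' "$value" > "$2" )
}

# Constructed stand-in for the CLI (placeholder names, fake values): answers one
# known parameter and one known secret, and fails with non-zero status otherwise.
fake_aws() {
  case "$*" in
    "ssm get-parameter"*"--name /myapp/api_key"*) printf 'EXAMPLE-KEY-NOT-REAL\n' ;;
    "secretsmanager get-secret-value"*"--secret-id myapp/db"*) printf '{"user":"app","pw":"x"}\n' ;;
    *) echo "not found: $*" >&2; return 1 ;;
  esac
}
```

To try it offline, source the file, set AWS_CLI=fake_aws and call install_secret_file /myapp/api_key /tmp/demo_key; the file is created with mode 0600 and the value never reaches stdout.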

Usually you can store such secrets in AWS Systems Manager Parameter Store, which is free, unlike AWS Secrets Manager:

AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values.

To use that in your UserData, the instance role has to be set up with permissions to access the Parameter Store. Then in your UserData you can use the aws cli get-parameter command to get the value of your secrets.

Marcin