I am new to AWS. I am working on integrating SSM parameters to store database passwords and use the same at the time of cloud formation.
We observed a issue with SSM Parameters value having special characters at the beginning of the string.
For example, if the password is Test#123, its working fine. But if the password is #Test!123 then it’s not working.
Is there any work around for the same.
Alright, I think I found the solution to my problem. I have a password like this "complicated!word+=!here!help+", and this is how I am able to escape it:
aws ssm put-parameter --name /config/my-api_alpha/my-db.jdbc.password --value “complicated\!word+=\!here\!help+” --type SecureString --key-id arn:aws:kms:us-east-1:1234567890:key/this-is-a-kms-keyId
The double quotes are optional; this produces the same result:
aws ssm put-parameter --name /config/my-api_alpha/my-db.jdbc.password --value complicated\!word+=\!here\!help+ --type SecureString --key-id arn:aws:kms:us-east-1:1234567890:key/this-is-a-kms-keyId
I resolved this by enclosing the password beginning with special characters in double quotes. For example
#Test!123
Related
I have a customer managed key encrypting secret parameters as SecureString in SSM Parameter store. I'm deciding whether I should allow AWS to automatically rotate those keys. It would be nice to not have to worry about re-encrypting the secrets manually.
This is how I set the parameters:
aws ssm put-parameter \
--region $region \
--name "$name" \
--value "$value" \
--type "SecureString" \
--key-id "$keyId" \
--overwrite;
No, Parameter Store itself doesn't have automatic key rotation service. But, they do provide another service for this, i.e., Secrets Manager.
Quote from the docs.
Parameter Store doesn't provide automatic rotation services for stored secrets. Instead, Parameter Store enables you to store your secret in Secrets Manager, and then reference the secret as a Parameter Store parameter.
I have the following cli command
aws ecs list-services --cluster ecs-cluster-1
Giving this JSON
{
"serviceArns": [
"arn:aws:ecs:us-east-1:XXXXXXXXXXXXX:service/ecs-cluster-1/app4",
"arn:aws:ecs:us-east-1:XXXXXXXXXXXXX:service/ecs-cluster-1/app3",
"arn:aws:ecs:us-east-1:XXXXXXXXXXXXX:service/ecs-cluster-1/app1",
"arn:aws:ecs:us-east-1:XXXXXXXXXXXXX:service/ecs-cluster-1/app4"
]
}
How do I get app1 ARN back by matching name of the app (app1) using --query option?
Expected Output
arn:aws:ecs:us-east-1:XXXXXXXXXXXXX:service/ecs-cluster-1/app1
Please note that this JSON array is not ordered.
You can either use contains or ends_with for the filtering part.
Then you want to stop the project and get the first item of the array in order to have only the application ARN you are interested in.
Stopping a projection is covered in the pipe expression tutorial of the documentation.
So, given the expression
serviceArns[?ends_with(#,'app1')]|[0]
You end up with the expected
"arn:aws:ecs:us-east-1:XXXXXXXXXXXXX:service/ecs-cluster-1/app1"
In the AWS command line interface, this will then be:
aws ecs list-service \
--cluster ecs-cluster-1 \
--query "serviceArns[?ends_with(#,'app1')]|[0]"
Assuming it is the first entry in the list, you can use:
--query servicesArns[0]
Depending on your operating system, you might need to quote it:
--query 'servicesArns[0]'
If you are looking for the entry that 'contains' app1, use:
--query serviceArns[?contains(#, 'app1') == `true`]|[0]
Those back-ticks always cause me problems. You can play around and potentially use other tick-marks.
Good references for JMESPath:
JMESPath Tutorial
JMESPath Specification
I am working on AWS, where we have instances running SSM client. For automation, I am passing certain commands to these instances time-to-time. Currently, I have them setup with instance-id. This is proving inflexible for us, since any change to instance-id, will force me to update repository-code, and it's a hardcoded value.
How can I replace instance-id with tag:Name or similar.
Current code :
aws ssm send-command --instance-ids 'i-12434546' --region 'eu-central-1' --document-name 'AWS-RunShellScript' --comment 'Restart Pod' --parameters commands='sudo -u ubuntu kubectl rollout restart deployment.v1.apps/supplier-service-deployment' --output text
I want to replace
--instance-ids 'i-12434546'
With tag:Name. Any help would be nice. Thank you. :-)
The answer to your question is provided directly on the documentation page (https://docs.aws.amazon.com/cli/latest/reference/ssm/send-command.html)
To target a larger number of instances, or if you prefer not to list individual instance IDs, we recommend using the Targets option instead. Using Targets , which accepts tag key-value pairs to identify the instances to send commands to, you can a send command to tens, hundreds, or thousands of instances at once.
You can use --targets option instead of --instance-ids:
aws ssm send-command \
--targets Key=tag:tag-name,Values=tag-value \
[...]
I'm using
GitBash v2.17.0
AWS CLI v1.16.67
Windows 10
Problem
I've created a SecureString parameter in the AWS SSM Parameter Store. For sake of example, let's call the parameter
/levelOne/levelTwo
I'm trying to retrieve the parameter using the AWS CLI. To do this I am using the following command:
aws ssm get-parameters --names '/levelOne/LevelTwo' --with-decryption
The problem is that the result returned is this:
As you can see, the parameter is being prefixed with C:/Program Files/Git.
Can anyone explain what I have done wrong please?
Thanks
This is caused by POSIX path conversion in MinGW.
You can work around this by substituting // for the leading /, and then replacing the subsequent forward slashes with backslashes, e.g.
aws ssm get-parameters --names '//levelOne\levelTwo'
This command will only run correctly in MinGW, i.e. it will fail in Bash or Windows CMD.
I faced the same issue.
Check the region selected while you create the parameter store from the console.
The reason for this is that Aws-ssm is regional service.
aws ssm get-parameters --names "/levelOne/LevelTwo" --region us-west-1 --with-decryption
i got it working by adding a space in front of the names parameter value. To get it working os independent.
aws ssm get-parameters --names " /levelOne/LevelTwo" --with-decryption
Alright, so I'm trying to programmatically store my Serverless generated API endpoint in parameter store for another project to ingest.
Just for an example, I'm going to try to store google.com.
aws ssm put-parameter --name /dev/someStore --value https://google.com --type String
This fails, understandably so.
Error parsing parameter '--value': Unable to retrieve https://google.com: received non 200 status code of 301
However, if I wrap the URL in quotes...
aws ssm put-parameter --name /dev/someStore --value "https://google.com" --type String
It still fails with the same error. Is there any way to stop the cli from trying to evaluate the URL and just save the goddamn string?
This is happening because of a questionable behavior by awscli v1. When it sees a URL, it invokes an HTTP GET for a result. This does not happen in awscli v2.
You can work around this behavior as follows:
aws ssm put-parameter --cli-input-json '{
"Name": "/dev/someStore",
"Value": "https://google.com",
"Type": "String"
}'
Or you can store the JSON in a file named params.json and invoke:
aws ssm put-parameter --cli-input-json file://params.json
The underlying issue was reported at aws/aws-cli/issues/2507.
By default AWS CLI follows any string parameters that start with https:// or http://. These URLs are fetched, and the downloaded content is used as the parameter instead of URL.
To make CLI not treat strings prefixed with https:// or http:// any differently than normal string parameters run:
aws configure set cli_follow_urlparam false
cli_follow_urlparam controls whether or not the CLI will attempt to follow URL links in parameters that start with either prefix https:// or http://.
See https://docs.aws.amazon.com/cli/latest/topic/config-vars.html
Problem:
aws ssm put-parameter --name /config/application/some-url --value http://google.com --type String --region eu-central-1 --overwrite
Error parsing parameter '--value': Unable to retrieve http://google.com: received non 200 status code of 301
Solution:
aws configure set cli_follow_urlparam false
aws ssm put-parameter --name /config/application/some-url --value http://google.com --type String --region eu-central-1 --overwrite
{
"Version": 1
}
The GitHub discussion on this topic, linked by #jarmod, also had another solution for this. I'll replicate it here for others to avoid scanning through the whole thread.
Add the following to your ~/.aws/config along with any other settings present.
[default]
cli_follow_urlparam = false
P.S. Seems that it is also mentioned in the AWS documentation under "Loading Parameters from a File" section.
Another option to make this work is to not include the https protocol in the value and just the domain name or the path. After retrieval add the protocol appropriate. some times we wanted to use https or http or even ssh. Take git url for example. Multiple protocols for accessing the resource with appropriate ports where the path is the required value
To complement #jarmod answers, here is an example showing
how one can deal with Overwrite file, url in bash variable and making the json multi-line string.
URL='https://www.some.url.com'
json_params='{'
json_params+='"Name": "/param/path",'
json_params+='"Value": "'${URL}'",'
json_params+='"Type": "String",'
json_params+='"Overwrite": true'
json_params+='}'
aws ssm put-parameter \
--cli-input-json "${json_params}"