Store Serverless Application Secrets in AWS Systems Manager Parameter Store


Almost every software application requires a way to store environment or application specific information. Many among them store sensitive data and even use different ways to encrypt them. Some teams strive to externalize this data with encryption at the same time making every attempt to make it easy for the application to use this data in a safe and secure way. With internet-facing serverless applications, you want to be extremely diligent in protecting your assets.

One example of configuration data is AWS Lambda environment variables. While it is easy to setup and use, each environment variable has to be re-defined for each function that needs it. Externalizing that variable to the parameter store can help centralize your dependencies and also make it more secure if needed.

Another example is say S3 bucket names in your application code. It is easier to store them in the parameter store than say, application property or environment configuration files.

There are many approaches to secrets management and it ultimately comes down to your requirements. You can find a few solutions in the marketplace, the most prominent being HashiCorp Vault. Some enterprises roll their own utilities to solve this problem.


Enter AWS System Manager Parameter Store

I chose to look at AWS Systems Manager Parameter Store as its probably the most easiest to get started with and if your applications are hosted on the AWS infrastructure, its  a no-brainer. The Parameter Store provides secure, hierarchical storage for secrets management like passwords, database strings, resource urls and API Keys. You can store values as plain text or encrypt them using the AWS Key Management Service. You can import your own keys to the KMS service to encrypt sensitive data.

Parameter Store offers many benefits and features, but the following are worth noting:

  • Parameter names can be modeled as “paths” or namespaces to provide a single store to group different types of use cases.
  • Store any configuration data securely in an isolated environment using AWS KMS service for encryption
  • Integrated Parameter change history
  • Tag parameters  for even better organization
  • Fine-grained access control using IAM policies if required
  • And, free to use !

Exploring the Console

We will see how easy it is to use this service to store plain text strings and encrypted strings. The service also allows you store a string list. All parameter data can then be programmatically accessed via the AWS API

Let’s get started with using this free service in your application by first logging in to your console and opening the AWS Systems Manager.

Param Store Link
Create a new Parameter. You will see the screen as shown below:

Param Store Create New
Observe that the parameter is a simple key/value pair. You can store a simple string, plaintext or encrypted or a list of strings. Provide a name, value and you are done. If you need to store encrypted data, select the ‘SecureString’ option. You can also group parameters by using filesystem path-like syntax. For eg.,

Param Store Create New
You will be asked to provide a KMS key. You can opt for the default key provided by AWS or upload your own in KMS. Either way, the value you enter will be encrypted at rest.

API Review

Let’s look at the API to get a sense of what you can do with this service:

List all parameters in the service, values returned can be limited by providing a number in MaxResults option.
Get information about one or more parameter(s) by using the parameter name.

Retrieve parameters in a specific hierarchy.

List parameter history for the requested parameter
Add one or more parameters to the system.
The parameter values returned by the api are in the following format;

Parameter : { Name": "string",
   "Type": "string",
   "Value": "string",
    "Version": number

A Simple Example using Angular 5

Let’s use this api in an Angular 5 application. Create a new application using the Angular-CLI. If you want to, you can download the sample application.

Authenticate with the AWS service in the ngOnInit call like:

const creds = new AWS.Credentials('<YOUR ACCESS KEY ID', 'YOUR SECRET ACCESS KEY');
   const ssm = new SSM(
         region: 'us-east-1',
         endpoint: '',
         credentials: creds

Of course, you don’t want to do authenticate with the service as above. This is for demo purpose only. In the real world, you are already authenticating with Cognito, Auth0, Google etc.
To get a plain text parameter, use

const params = {
     'Name': 'testCompanyParameter',
     'WithDecryption': false
   ssm.getParameter(params, (err, data) => {
     if (err) {
         console.log('Error viewing your parameters: ' + err);
     } else {
       this.unsecParm = data.Parameter;

To get a secure parameter, change the ‘WithDecryption’ attribute to true.
To get parameters grouped by delimiter ‘/app1’

const params3 = {
 'Path': '/app1',
 'WithDecryption': false
ssm.getParametersByPath(params3, (err, data) => {
 if (err) {
     console.log('There was an error viewing your parameters: ' + err);
 } else {
   const parmArray = data.Parameters;
   parmArray.forEach ( (oneParm) => {

Similarly, if you want to see the entire history of a parameter, use this:

const params4 = {
 'Name': '/app1/myPathParam1',
 'WithDecryption': false
ssm.getParameterHistory(params4, (err, data) => {
 if (err) {
     console.log('There was an error viewing your parameters: ' + err);
 } else {
   const parmArray = data.Parameters;
   parmArray.forEach ( (oneParm) => {

The result?

Param Store Result
Download Sample Application
1. Unzip the file
2. run npm install
3. run ng serve
Parameter Store Demo

Auditing Access

Parameter Store data access can be logged using CloudTrail. Besides identifying user and timestamp information, it also help audit data usage frequency and unused data. This can then be used to clean up unused parameters or tighten your security controls by updating the IAM policies on the associated user.



AWS Systems Manager Documentation
Parameter Store Javascript API