
AWS SSM Parameter Store: How can I edit multi-line "SecureString" values using the console?


Currently, I use a single SSM parameter to store a set of properties separated by newlines, like this:

property1=value1
property2=value2
property3=value3

(I am aware of the 4K size limit, it's fine.)

This works well, for normal String type parameters that store non-sensitive information like environment configuration, but I'd also like to do similar for secrets using the SecureString parameter type.

The problem is that I can't edit the parameter value in the console because it's using an HTML input field of type="password" that doesn't handle newlines.

The multi-line value works fine with the actual parameter store backend - I can set a value with multiple lines with the SSM API no problem and they can be read with the EC2 CLI properly too.

But I can't edit them using the console. This is a problem because the whole point of using a SecureString parameter is that I intend the only place to edit/view these secrets to be via the console (so that permissions are controlled and access is audited).

There are a few infrastructure workarounds I could implement (one parameter for each secret, store the secrets on S3 or another secret-storing service, etc.) but they all have drawbacks - I'm just trying to find out if there's a way around this using the console?

Is there any way I can work around this and use the console to edit multi-line SecureString parameters?
Any kind of browser workaround or hack that I might be able to use to tell the browser to use a textarea instead of a "password" type field? I'm using Chrome, but I'd be happy to work around this by using another browser or something (editing the secrets is pretty rare, and viewing multi-line values in the console works fine).

EDIT

After posting this question, AWS notified me there was a whole new "AWS Systems Manager" UI, but it still has the same problem - I tried the below browser hacks on this new UI, but no luck.

Failed browser hack attempt 1: I tried opening the browser console, running document.getElementById("Value").value = "value1\nvalue2" and then clicking the save button, which set the value I injected, but the newline was filtered out.

Failed browser hack attempt 2: I tried using the browser inspector to change the element to a TextArea and then typed in two lines of input and clicked save, but that didn't set the value at all.


Solution

  • In the end, I decided the answer to this question is "don't do that". Not that I would've wanted to hear that when I was trying to make it work.

    You should use a separate SSM param per secret for these reasons:

    • ability to grant permissions at a fine-grained level; e.g. you have an API password for calling your service, and a DB password for the service to talk to a DB - if you store them in the same secret you couldn't grant access to only the API password.
    • ability to track key access separately - the SSM access logs can only tell you that the target machine/user accessed the SSM param at that time; they won't be able to tell you which secret was accessed.
    • ability to use separate KMS keys to encrypt.

    Just watch out for the fact that you can only request a max of 10 SSM params at a time.
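The one-parameter-per-secret layout recommended above means a service has to fetch many SecureString parameters at startup while respecting the 10-name limit of the GetParameters API. The following is an added example (not code from the question or the answer) showing how to batch those requests and fail loudly on a missing secret. The parameter names under `/myservice/prod/` and the `FakeSsmBackend` class are constructed placeholders so the logic runs offline; against real AWS you would pass `lambda names: ssm.get_parameters(Names=names, WithDecryption=True)` from a boto3 client as the `fetch` callable.

```python
"""Batched retrieval of one-secret-per-parameter SecureString values.

GetParameters accepts at most 10 names per call, so callers that keep one
SSM parameter per secret must chunk their requests. The fetch step is
injected as a callable so the batching can be exercised offline against a
constructed fake backend that mimics the real response shape
({"Parameters": [...], "InvalidParameters": [...]}).
"""
from typing import Callable, Dict, Iterable, List

MAX_NAMES_PER_CALL = 10  # documented GetParameters limit


def chunk(names: Iterable[str], size: int) -> List[List[str]]:
    """Split names into consecutive lists of at most `size` entries."""
    items = list(names)
    return [items[i:i + size] for i in range(0, len(items), size)]


def get_parameters_batched(
    names: Iterable[str],
    fetch: Callable[[List[str]], dict],
    batch_size: int = MAX_NAMES_PER_CALL,
) -> Dict[str, str]:
    """Return {parameter name: decrypted value} for every requested name.

    Any name the backend reports under InvalidParameters raises KeyError,
    so a missing secret aborts startup instead of yielding a partial config.
    """
    if not 1 <= batch_size <= MAX_NAMES_PER_CALL:
        raise ValueError(f"batch_size must be 1..{MAX_NAMES_PER_CALL}")
    values: Dict[str, str] = {}
    invalid: List[str] = []
    for batch in chunk(names, batch_size):
        response = fetch(batch)
        for param in response.get("Parameters", []):
            values[param["Name"]] = param["Value"]
        invalid.extend(response.get("InvalidParameters", []))
    if invalid:
        raise KeyError(f"missing SSM parameters: {sorted(invalid)}")
    return values


class FakeSsmBackend:
    """Constructed stand-in for ssm.get_parameters (not a real AWS client).

    It enforces the 10-name limit the way the service does and records
    each call so the batching behaviour can be inspected.
    """

    def __init__(self, store: Dict[str, str]) -> None:
        self.store = dict(store)
        self.calls: List[List[str]] = []

    def get_parameters(self, names: List[str]) -> dict:
        self.calls.append(list(names))
        if len(names) > MAX_NAMES_PER_CALL:
            raise ValueError("ValidationException: at most 10 names per call")
        found = [
            {"Name": n, "Value": self.store[n], "Type": "SecureString"}
            for n in names if n in self.store
        ]
        missing = [n for n in names if n not in self.store]
        return {"Parameters": found, "InvalidParameters": missing}


def demo(count: int = 23):
    """Fetch `count` constructed secrets and return (values, calls made)."""
    store = {f"/myservice/prod/secret{i}": f"value{i}" for i in range(1, count + 1)}
    backend = FakeSsmBackend(store)
    values = get_parameters_batched(sorted(store), backend.get_parameters)
    return values, backend.calls


if __name__ == "__main__":
    values, calls = demo()
    print(f"fetched {len(values)} secrets in {len(calls)} calls: {[len(c) for c in calls]}")
```

Note that with a real client, `WithDecryption=True` on a SecureString also requires `kms:Decrypt` on the key that parameter was encrypted with, which is exactly what makes the answer's "separate KMS keys" point enforceable: a caller without rights to a given key cannot read that secret even if it can list the parameter.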