Comments (8)
FYI: The parameters are encrypted with a PARAMETER_ARN encryption context key. You should take advantage of this to restrict which ciphertext blobs can be decrypted, instead of allowing decryption of every ciphertext blob encrypted using the key.
Add this to the statement allowing decryption:
condition {
  test     = "StringLike"
  variable = "kms:EncryptionContext:PARAMETER_ARN"
  values = [
    "arn:aws:ssm:${var.region}:${var.AccountID}:parameter/${var.ssm_prefix}.*",
  ]
}
from chamber.
HTH
data "aws_iam_policy_document" "ssm-read-policy-document" {
  statement {
    sid = "SSMDescribeParameters"
    actions = [
      "ssm:DescribeParameters",
    ]
    resources = [
      "*",
    ]
  }
  statement {
    sid = "SSMGetParameters"
    actions = [
      "ssm:GetParameters",
    ]
    resources = [
      "arn:aws:ssm:${var.region}:${var.AccountID}:parameter/${var.ssm_prefix}.*",
    ]
  }
  statement {
    sid = "KMSDecrypt"
    actions = [
      "kms:Decrypt",
    ]
    resources = [
      "${aws_kms_key.kms-key.arn}",
    ]
  }
}

resource "aws_iam_policy" "STS-policy-SSM-read" {
  name   = "STS-SSM-read-${var.ssm_prefix}-${random_pet.random_pet.id}"
  policy = "${data.aws_iam_policy_document.ssm-read-policy-document.json}"
}

data "aws_iam_policy_document" "ssm-manage-policy-document" {
  statement {
    sid = "SSMDescribeParameters"
    actions = [
      "ssm:DescribeParameters",
    ]
    resources = [
      "*",
    ]
  }
  statement {
    sid = "SSMSetParameters"
    actions = [
      "ssm:GetParameters",
      "ssm:PutParameter",
      "ssm:DeleteParameter",
      "ssm:DeleteParameters",
    ]
    resources = [
      "arn:aws:ssm:${var.region}:${var.AccountID}:parameter/${var.ssm_prefix}.*",
    ]
  }
  statement {
    sid = "KMSEncrypt"
    actions = [
      "kms:Decrypt",
      "kms:Encrypt",
    ]
    resources = [
      "${aws_kms_key.kms-key.arn}",
    ]
  }
}

resource "aws_iam_policy" "STS-policy-SSM-manage" {
  name   = "STS-SSM-manage-${var.ssm_prefix}-${random_pet.random_pet.id}"
  policy = "${data.aws_iam_policy_document.ssm-manage-policy-document.json}"
}
https://aws.amazon.com/blogs/compute/managing-secrets-for-amazon-ecs-applications-using-parameter-store-and-iam-roles-for-tasks/
https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html
from chamber.
Commenting here as this seems to be the only attempt to document this (I am also searching around for the answer here).
Running chamber with similar permissions to those above, I get a message suggesting I should be granting the ssm:GetParametersByPath permission to my resources, but aside from seeing that in the code, it doesn't appear to be documented?
from chamber.
Have settled on:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": [
        "arn:aws:kms:us-east-1:$MY_ACCOUNT:key/$MY_KMS_KEY"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameters"
      ],
      "Resource": [
        "arn:aws:ssm:*:*:parameter/$APP_NAME/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParametersByPath"
      ],
      "Resource": "*"
    }
  ]
}
as my "secret access for chamber" policy. Seems to be working, and got rid of the "GetParametersByPath" deprecation warning I was getting too.
from chamber.
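Added example (not chamber's code, and not posted by any commenter) tying the first comment's encryption-context advice to the settled policy above: it flags kms:Decrypt statements that carry no condition on the PARAMETER_ARN encryption context, adds the StringLike condition to such a statement, and simulates which parameter ARNs the conditioned statement would still let decrypt. The account id, key id and parameter names are made-up placeholders.

```python
import fnmatch
import json

CONTEXT_KEY = "kms:EncryptionContext:PARAMETER_ARN"

# Constructed sample: the thread's settled policy with made-up account/key ids.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"],
         "Resource": ["arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"]},
        {"Effect": "Allow", "Action": ["ssm:GetParameters"],
         "Resource": ["arn:aws:ssm:*:*:parameter/myapp/*"]},
        {"Effect": "Allow", "Action": ["ssm:GetParametersByPath"],
         "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def unscoped_decrypt_statements(policy):
    """Sids (or positional labels) of Allow statements granting kms:Decrypt
    with no StringLike/StringEquals condition on PARAMETER_ARN."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        grants_decrypt = any(a in ("kms:Decrypt", "kms:*", "*")
                             for a in _as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not grants_decrypt:
            continue
        cond = stmt.get("Condition", {})
        if not any(CONTEXT_KEY in cond.get(op, {})
                   for op in ("StringLike", "StringEquals")):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings

def scope_decrypt_to_prefix(stmt, parameter_arn_pattern):
    """Copy of a decrypt statement limited to ciphertexts whose PARAMETER_ARN
    encryption context matches the pattern (the first comment's advice)."""
    hardened = json.loads(json.dumps(stmt))  # deep copy, leave input untouched
    hardened.setdefault("Condition", {}).setdefault(
        "StringLike", {})[CONTEXT_KEY] = parameter_arn_pattern
    return hardened

def decrypt_allowed(stmt, parameter_arn):
    """Simulate the check: decrypt of a ciphertext tagged with parameter_arn
    passes if it matches any StringLike pattern; no condition allows all."""
    patterns = _as_list(stmt.get("Condition", {})
                        .get("StringLike", {}).get(CONTEXT_KEY, "*"))
    return any(fnmatch.fnmatchcase(parameter_arn, p) for p in patterns)
```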
That looks pretty good to me. I'd approve that PR ;)
from chamber.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
from chamber.
This issue has been automatically marked stale because it has not had any activity in the last 60 days. If no further activity occurs within 7 days, it will be closed. Closed does not mean "never", just that it has no momentum to get accomplished any time soon.
See CONTRIBUTING.md for more info.
from chamber.
Closing due to staleness. Closed does not mean "never", just that it has no momentum to get accomplished any time soon.
See CONTRIBUTING.md for more info.
from chamber.