RFC: Have CDK put SecureString type parameter values into SSM securely
- What is the current behavior?
Currently there is no way to put a SecureString type value into the Systems Manager Parameter Store using CDK.
The only method to put a secure param in SSM is in the AWS SDK. The only way to access the AWS SDK in CDK is some sort of custom construct. Anything you inject into the AWS custom component shows up in the template. If you use a custom component with a separate lambda in a zipped asset, you still have to pass the value. That also shows up in the template.
Using `-c secret_value=donttellanyone!`, `app.node.setContext(...);` or

```typescript
new cdk.CfnParameter(app, 'SomParam', {
  description: 'Use to pass a hidden value',
  noEcho: true,
  default: "some hidden value"
})
```

is not a viable solution either.
- What is the expected behavior (or behavior of feature suggested)?
Have some way to get CDK to put SecureString type parameter values into SSM securely. The best way to do this would need some sort of design discussion. I realize this feature is not supported in CF. They only have the ability to do this with a non-secure string.
- What is the motivation / use case for changing the behavior or adding this feature?
My ask is because one of the reasons I have chosen CDK as an infrastructure solution is because I want developers to be able to support the infrastructure architecture and add the code to the app source.
Although folks tend to use the aws sdk directly to do this, which is also what is currently being advised by the cdk team, I don’t want to add the complexity of more bash / cli commands. If I wanted a pure CF abstraction solution I would use something like the serverless framework.
I know I can still use the nodejs aws sdk but I would still be running it via a cli script. I can create lots of cool cli node.js scripts, add them to npm commands, then still use the serverless framework.
I think one of the great things about CDK is it’s infrastructure as CODE. Not infrastructure as cli commands or yaml.
Putting SecureString type parameter values into SSM is, to me, an infrastructure task and IMNSHO I would love to see it handled securely by CDK!
Please let me know your thoughts
Issue Analytics
- State:
- Created 4 years ago
- Comments: 6 (2 by maintainers)
Top GitHub Comments
Our current stance is that the CDK doesn’t handle secrets. Secrets can be stored in SSM using the AWS CLI and then consumed from your CDK app by ARN/name. Closing for now.
Yes, SSM SecureStrings aren’t supported everywhere. SecretsManager Secrets are supported everywhere, so those would be recommended (though they are more expensive, unfortunately).
As for the reason why CDK doesn’t write those secrets for you… we considered it but decided that handling users’ secrets would be a responsibility that would eat a lot of engineering time to do properly, and we didn’t want to spend that time at that point in time.
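The leak the issue describes (a `noEcho` CfnParameter default, a context value, or a custom-resource property still lands in the synthesized template as plaintext) and the maintainers' alternative (write the value out of band with `aws ssm put-parameter --type SecureString`, then have the CDK app reference it by name) can both be checked mechanically after `cdk synth`. The following is an added example, not code from this issue or from the CDK project: it walks a synthesized CloudFormation template and reports every location where a given secret literal appears, so a pre-deploy gate can refuse templates that carry the secret itself. The template object, the `SomParam` default, the `Custom::AWS` resource shape, the parameter name `/app/db/password` and the `donttellanyone!` value are all constructed for illustration.

```typescript
// Added example (not from the issue or the CDK project): a scanner that
// reports where a secret literal leaks into a synthesized template.
// In practice you would JSON.parse the files under cdk.out/*.template.json.

export interface Leak {
  path: string;  // JSON path of the offending string inside the template
  value: string; // the string as it appears in the template
}

// Recursively walk any JSON value and collect every string that contains
// `secret`. Paths use a $-rooted dotted notation so findings map back to
// Parameters / Resources / Properties in the template.
export function findSecretLeaks(node: unknown, secret: string, path = "$"): Leak[] {
  const leaks: Leak[] = [];
  if (typeof node === "string") {
    if (node.includes(secret)) leaks.push({ path, value: node });
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => {
      leaks.push(...findSecretLeaks(item, secret, `${path}[${i}]`));
    });
  } else if (node !== null && typeof node === "object") {
    for (const [key, child] of Object.entries(node as Record<string, unknown>)) {
      leaks.push(...findSecretLeaks(child, secret, `${path}.${key}`));
    }
  }
  return leaks;
}

// Gate: true only when none of the given secret values occurs anywhere in
// the template. Wire this into CI between `cdk synth` and `cdk deploy`.
export function templateIsClean(template: unknown, secrets: string[]): boolean {
  return secrets.every((s) => findSecretLeaks(template, s).length === 0);
}

// Constructed sample (hypothetical): the shape a CDK app would synthesize
// when the secret is pushed through a noEcho CfnParameter default and a
// custom-resource property, next to a Lambda that only carries the
// parameter *name* (the approach the maintainers recommend) and reads the
// SecureString at runtime via the SDK.
export const SAMPLE_TEMPLATE = {
  Parameters: {
    SomParam: { Type: "String", NoEcho: true, Default: "donttellanyone!" },
  },
  Resources: {
    PutParam: {
      Type: "Custom::AWS",
      Properties: {
        // NoEcho hides the value in the console, not in the template file.
        Create: JSON.stringify({
          service: "SSM",
          action: "putParameter",
          parameters: { Name: "/app/db/password", Type: "SecureString", Value: "donttellanyone!" },
        }),
      },
    },
    AppFn: {
      Type: "AWS::Lambda::Function",
      Properties: {
        Environment: { Variables: { DB_PASSWORD_PARAM: "/app/db/password" } },
      },
    },
  },
};

// Human-readable report for a set of secret values.
export function report(template: unknown, secrets: string[]): string[] {
  const lines: string[] = [];
  for (const s of secrets) {
    for (const leak of findSecretLeaks(template, s)) {
      lines.push(`LEAK ${leak.path}: ${leak.value}`);
    }
  }
  return lines.length ? lines : ["clean: no secret literal found in template"];
}

// Stand-alone run against the constructed sample.
for (const line of report(SAMPLE_TEMPLATE, ["donttellanyone!"])) console.log(line);
```

Against the sample the scanner flags `$.Parameters.SomParam.Default` and `$.Resources.PutParam.Properties.Create`, while the `AppFn` environment variable passes because it names the parameter rather than carrying its value; that split is exactly the boundary the maintainers draw between what CDK should and should not handle.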