Get-Parameter with ssm-iot-gg user

0

I have been researching the use of AWS Secrets Manager in combination with Parameter Store in order to get secrets on my edge devices. This will allow me to move my secrets out of my .env files in git and allow for much easier rotation of credentials. In addition, I would like to have the ssm-iot-gg AWS user as the only AWS user on the edge device. I have a few questions, though:

  1. When running the get-parameter cli call I get an error:
    Command: aws ssm get-parameter --profile ssm-iot-gg --name "/aws/reference/secretsmanager/<name of secret>" --region eu-west-1 --with-decryption --output json
    Error: An error occurred (ValidationException) when calling the GetParameter operation: An error occurred while calling one AWS dependency service.
    The ssm-iot-gg user is defined under ~/.aws/credentials with aws_access_key_id, aws_secret_access_key and an aws_session_token, all pointing to a specific IAM Role I created for the purpose.

  2. Is it possible (if I fix the problem above) to revoke access from a single ssm token? In that case my procedure for breaches would be:
    a. Revoke access from the breached edge device
    b. Rotate all credentials in case the hacker fetched any of them

Looking forward to getting some feedback on this :)

  • Hi Lasse, glad to see you resolved your issue. Just curious - could you describe the general use case here? Also, why can't you use Secrets Manager directly?

1 Answer
0

Hi, is your CLI profile properly authorized to access the KMS key (you do not mention it, but I guess that you have one) protecting your secret and to access the secret itself? That may be the cause of the issue. So, try to grant wide authorizations Action:* and Resource:* for both KMS and SM to your CLI profile to see if the issue disappears. And then, tighten Action and Resource back to least privilege.

Hope it helps!

Didier

AWS
EXPERT
answered a year ago
  • Ok, I tried adding the policies SecretsManagerReadWrite and AWSKeyManagementServicePowerUser to the role associated with the credentials, but it returns the same error. It is worth mentioning that I have another set of credentials that return the secret just fine AND a third set that is not authorized and thus returns an appropriate "not authorized" error. It seems to be specific to the auto-generated credentials (generated by installing the Systems Manager Greengrass component on the edge device). The only difference (besides roles and access level) seems to be that the ssm-iot-gg AWS credential set has an aws_session_token in addition to aws_access_key_id and aws_secret_access_key.

  • I managed to succeed. The trick was to manually add the ssm-iot-gg profile in the .aws/config file (this is not done by default by installing the Greengrass component for some reason).
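
The fix in the last comment was a missing ssm-iot-gg entry in ~/.aws/config. As an added example (not code from the original thread or from AWS), this Python check lists profiles that exist in the credentials file but have no matching section in the config file; the sample file contents, key values and function names are constructed for illustration.

```python
import configparser

# Constructed sample files (not from the original post); all values are placeholders.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = EXAMPLE-KEY-ID
aws_secret_access_key = EXAMPLE-SECRET

[ssm-iot-gg]
aws_access_key_id = EXAMPLE-KEY-ID
aws_secret_access_key = EXAMPLE-SECRET
aws_session_token = EXAMPLE-TOKEN
"""

SAMPLE_CONFIG = """\
[default]
region = eu-west-1
"""

def _parse(text):
    # interpolation=None so a '%' inside a secret value is not treated as syntax.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser

def config_section(profile):
    # ~/.aws/config names sections "[profile NAME]", except for "[default]".
    return "default" if profile == "default" else f"profile {profile}"

def audit_profiles(credentials_text, config_text):
    """Return one finding per profile found in the credentials file."""
    creds, config = _parse(credentials_text), _parse(config_text)
    findings = []
    for name in creds.sections():
        section = config_section(name)
        findings.append({
            "profile": name,
            "in_config": config.has_section(section),
            "region": config.get(section, "region", fallback=None),
            # A session token marks temporary credentials, as on the edge device.
            "temporary": creds.has_option(name, "aws_session_token"),
        })
    return findings

if __name__ == "__main__":
    for f in audit_profiles(SAMPLE_CREDENTIALS, SAMPLE_CONFIG):
        status = "ok" if f["in_config"] else "MISSING from config"
        print(f'{f["profile"]}: {status}, region={f["region"]}, temporary={f["temporary"]}')
```

To check a real device, pass the contents of ~/.aws/credentials and ~/.aws/config to audit_profiles instead of the samples.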
