Get-Parameter with ssm-iot-gg user

Question

I a have been researching the use of AWS secrets manager in combination with Parameter Store in order to get secrets on my edge devices. This will allow me to move my secrets out of my .env-files in git and allow for much easier rotation of credentials. In addition I would like to have the ssm-iot-gg aws user as the only aws user on the edge device. I have a few questions though

1. When running the get-parameter cli call I get an error: \
Command:  `aws ssm get-parameter --profile ssm-iot-gg --name "/aws/reference/secretsmanager/" --region eu-west-1 --with-decryption --output json` \
Error: `An error occurred (ValidationException) when calling the GetParameter operation: An error occurred while calling one AWS dependency service.` \
The ssm-iot-gg user is defined under ~/.aws/credentials with `aws_access_key_id`, `aws_secret_access_key` and a `aws_session_token` all pointing to a specific IAM Role I created for the purpose.

2. Is it possible (if I fix the problem above) to revoke access from a single ssm token? In that case my procedure for breaches would be: \
a. Revoke access from the breached edge device \
b. Rotate all credentials in case the hacker fetched any of them

Looking forward to getting some feedback on this :)

Answer

Hi, is your CLI profile properly authorized to access the KMS key (you do not mention it but I guess that you have one) protecting your secret and to access the secret itself? That may be the cause of the issue. So, try to grant wide authorizations Action:* and Resource:* for both KMS and SM to you CLI profile to see if issue disappear. And then, tighten Action and Resource back to least privilege.

Hope it helps!

Didier

Hope it helps!

Didier

Get-Parameter with ssm-iot-gg user

相關內容