Why use the AWS Parameter Store?
The Parameter Store is a great way to make your application less stateful and improve your ability to deploy across several environments. The parameter store has a few advantages over other methods of managing variables:
- Easy to update from a central interface
- Hierarchy structure
- Supports encryption to store secrets like passwords
- Supports versioning and rollback of parameters
- Allows access control, both for IAM users and roles
- Ability to audit parameter access using CloudTrail
- Supports throughput of 1,000 transactions per second (must be increased in your settings)
I choose parameters over environment variables because I can update the parameter in one location and the changes are instantly available to any code using the parameter.
Parameter Store Types
A parameter is a piece of data stored within the AWS Systems Manager Parameter Store. AWS provides no validation on any parameters (with one exception covered later).
There are three types of Parameter Store parameters (and a fourth kinda-weird bonus type).
- String
- StringList
- SecureString
String
Strings are exactly what you expect. Strings are any block of text such as Hello World, test, or wow this is a great blog post.
StringList
StringList is, again, rather intuitive. A StringList is a collection of strings separated by a comma. For example, Cat, Dog, Rabbit and Mercury, Mars, and Melons are two examples of string lists.
SecureString
SecureString is used for sensitive data like passwords and API Keys. Data stored in a SecureString parameter are encrypted using keys managed by the AWS Key Management Service. You should know that these parameters are free to use, but AWS will charge you for the Key Management Service as usual.
Key Differences b/w Secret Manager and Parameter Store.
Cost
Secrets Manager:
It is paid. The storage cost is $0.40 per secret per month and the API interaction cost is $0.05 per 10,000 API calls.
Parameter Store:
For Standard parameters, No additional charge for storage and standard throughput. API interactions cost $0.05 per 10,000 API calls for higher throughput.
Secrets Rotation
Secrets Manager:
It offers the ability to switch secrets at any given time and can be configured to regularly rotate depending on your requirements. It provides full key rotation integration with a few AWS services like RDS, Redshift, and DocumentDB. For other services, AWS allows you to write custom key rotation logic using an AWS Lambda function.
Parameter Store:
You can write your function that updates credentials managed by Parameter Store, and invoke it via a CloudWatch scheduled event or Event bridge.
Cross-account Access
Secrets Manager:
Secrets can be accessed from another AWS account. It is easier to share the secrets cross-accounts. This is useful if secrets are centrally managed from another AWS account or beneficial for use cases where a customer needs to share a particular secret with a partner.
Parameter Store:
Not supported.
Secret Size
Secrets Manager:
It can store up to 10KB secret size.
Parameter Store:
Standard Parameters can store up to 4096 characters (4KB size) for each entry, and Advanced Parameters can store up to 8KB entries.
Multiple Regions Replication
Secrets Manager:
It lets you easily replicate your secrets in multiple AWS Regions to support applications spread across those Regions as well as disaster recovery scenarios.
Parameter Store:
It doesn’t support cross-region replication out of the box.
Use Cases
Choose Secrets Manager if:
– You want to store only encrypted value and a super easy way to manage the rotation of the secrets. For instance, for organizations that have to be PCI compliant where the mandate is to rotate your passwords every 90d, AWS Secrets Manager makes that a very easy and seamless process.
Choose Parameter Store if:
– You want a cheaper option to store encrypted or unencrypted secrets.
DevOps Parts:
How to Create a Parameter in the System Manager Parameter Store
From AWS Console:
- Log in to AWS Console
- Go to System Manager
- Search Parameter Store in Left Menu
- Create Parameter
ETL Access Part
How do access the Parameter from the parameter Store in Python?
import boto3
import json
ssm = boto3.client("ssm", region_name="us-east-1")
response = ssm.get_parameters(
Names=['uniquename'],WithDecryption=True
)
loaded = response['Parameters'][0]['Value']
secret = json.loads(loaded)
loaded Secret is in direct, key-value pair to access the objects.
Costing of Parameter Store.
No cost of Parameter storage in the AWS Parameter Store until or unless you are using Advance Parameter which is not required in Our Case.
Leave a Reply