GitHub Action
AWS Parameter Store Injector
This GitHub Action allows you to inject parameters into AWS Systems Manager Parameter Store. It was created to solve the problem of secret management when using infrastructure as code.
Terraform requires extra work in order to secure your state file because the secret is stored as plain text. This would require you to encrypt/decrypt the statefile when you are modifying state.
CloudFormation requires you to store it before you can reference it.
This action helps solve this problem by allowing the user to provide the path and the value that wants to be stored in a GitHub Action and the value can be passed in as a secret from the github actions. Pair this with the Environments
feature and you can have a GitHub Action CI that also manages secrets.
Required The AWS Region to use.
Required The value to be stored in the SSM Parameter Store Path.
Required The value to be stored in the SSM Parameter Store Path.
Optional A description of the value being inserted into SSM.
Optional The value type to store the SSM Parameter (String | StringList | SecureString). Default SecureString
.
Optional To overwrite the value of the SSM Parameter when inserting. Default true
.
Optional The AWS KMS Key ARN to use to encrypt the key. Default uses the AWS Provided KMS Key ID .
name: store_secret
on:
pull_request:
branches:
- master
jobs:
add_to_ssm:
runs-on: ubuntu-latest
name: Store a Secret
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-west-1
- name: Add hello SecureString to SSM
uses: dwardu89/aws-ssm-parameter-store@latest
with:
ssm-path: "/dwardu89/hello"
ssm-value: ${{ secrets.WORLD }}
aws-region: eu-west-1
ssm-value-type: "String"
In order to use this, your AWS User/Role must allow the ssm:PutParameter
action.
e.g.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PutSSMParameters",
"Effect": "Allow",
"Action": "ssm:PutParameter",
"Resource": ["arn:aws:ssm:eu-west-1:1234567890:parameter/dwardu89/hello"]
}
]
}
To test this action locally, you can use act
- Install
act
- Make your AWS credentials accessible as variables on your command line.
export AWS_ACCESS_KEY_ID="wasd"
- Run the command below.
act -j local_test_store_ssm --secret AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID --secret AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY --secret SSM_PATH="/joshghent/helloworld" --secret SSM_VALUE="hello"
Original code by @dwardu89