How to Use SSM Parameter Store with boto3

Environment variables play an important role in modern applications and using an external parameter service comes in handy to manage these variables. It is a better choice to save these parameters in a separate service rather than storing in your applications. At this point AWS offers us a managed secure storage option with Parameter Store. The AWS System Manager Parameter Store provides a central storage to help you manage and hierarchically organize your data.

In the AWS System Manager Parameter Store you can store your data in plain text or encrypted according to your needs. You can easily change the parameters you create, eliminating the need to update your data from your source code. Use permissions for parameters are managed through IAM policies. Parameters can be tagged and versioned. With these features, you can manage your parameters more easily.

In this article, I will show you how to use the Parameter Store using the boto3 library.

Using AWS System Parameter with boto3

We have learned the properties of the parameters and we can move on to how we can use them. These are permissions we will need:

    {
        "Version": "2022-07-28",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:PutParameter",
                    "ssm:DeleteParameter",
                    "ssm:GetParameterHistory",
                    "ssm:GetParameter",
                ],
                "Resource": "arn:aws:ssm:us-east-2:accountID:parameter/*"
            },
        ]
    }

Let's look at how we create our parameters using the boto3 library, how we get it, how we delete it through an example.

We are using the SSM client to connect to the AWS SSM Parameter Store using boto3. We will create a parameter in our storage by adding the name, value and type of our parameter to the put_parameter method:

    import boto3
    ssm_client = boto3.client('ssm')
    ssm_client.put_parameter(Name="environment", Value="dev", Type="String")

    {u'Tier': u'Standard', u'Version': 1, 'ResponseMetadata': {'RetryAttempts': 0, 'HTTPStatusCode': 200, 'RequestId': 'c15b124f-65ff-4fdd-9fdb-04d31485b3e1', 'HTTPHeaders': {'x-amzn-requestid': 'c15b124f-65ff-4fdd-9fdb-04d31485b3e1', 'content-length': '31', 'server': 'Server', 'connection': 'keep-alive', 'date': 'Tue, 02 Aug 2022 09:04:30 GMT', 'content-type': 'application/x-amz-json-1.1'}}}

Perfect! We created our parameter. We can check the parameter on the AWS console.

Everything seems fine. It’s time to take a look at the contents of variable:

After examining the parameter we created on AWS, we can access this parameter using boto3. We can get the parameter details and value easily with the get_parameter method.

    ssm_client.get_parameter(Name="environment")

    {u'Parameter': {u'Name': u'environment', u'DataType': u'text', u'LastModifiedDate': datetime.datetime(2022, 8, 2, 12, 4, 30, 300000, tzinfo=tzlocal()), u'Value': u'dev', u'Version': 1, u'Type': u'String', u'ARN': u'arn:aws:ssm:us-east-2:accountID:parameter/environment'}, 'ResponseMetadata': {'RetryAttempts': 0, 'HTTPStatusCode': 200, 'RequestId': '903c5680-d88a-4eae-9d20-dd102f758996', 'HTTPHeaders': {'x-amzn-requestid': '903c5680-d88a-4eae-9d20-dd102f758996', 'content-length': '195', 'server': 'Server', 'connection': 'keep-alive', 'date': 'Tue, 02 Aug 2022 09:08:15 GMT', 'content-type': 'application/x-amz-json-1.1'}}}

To delete the parameter we created:

    import boto3
    ssm_client = boto3.client('ssm')
    ssm_client.delete_parameter(Name="environment")

    {'ResponseMetadata': {'RetryAttempts': 0, 'HTTPStatusCode': 200, 'RequestId': '4e5f2101-1150-420d-8c72-f94c3f6cfaf3', 'HTTPHeaders': {'x-amzn-requestid': '4e5f2101-1150-420d-8c72-f94c3f6cfaf3', 'content-length': '2', 'server': 'Server', 'connection': 'keep-alive', 'date': 'Thu, 28 Jul 2022 16:22:40 GMT', 'content-type': 'application/x-amz-json-1.1'}}}

Secure String Type

We might need to store sensitive values such as passwords or connection strings securely. Parameter Store has a solution for that. We can choose the parameter type as SecureString. In this case, Systems Manager uses AWS KMS to encrypt parameter value.

    ssm_client.put_parameter(Name="AccessKey", Value="123456789", Type="SecureString")

    {u'Tier': u'Standard', u'Version': 1, 'ResponseMetadata': {'RetryAttempts': 0, 'HTTPStatusCode': 200, 'RequestId': '00b4413a-258c-4c63-8480-5466ed7b4a2b', 'HTTPHeaders': {'x-amzn-requestid': '00b4413a-258c-4c63-8480-5466ed7b4a2b', 'content-length': '31', 'server': 'Server', 'connection': 'keep-alive', 'date': 'Sat, 16 Jul 2022 10:25:47 GMT', 'content-type': 'application/x-amz-json-1.1'}}}

Then you can access parameter with boto3.

    ssm_client.get_parameter(Name="AccessKey", WithDecryption=True)

    {u'Parameter': {u'Name': u'AccessKey', u'DataType': u'text', u'LastModifiedDate': datetime.datetime(2022, 7, 16, 13, 25, 47, 636000, tzinfo=tzlocal()), u'Value': u'123456789', u'Version': 1, u'Type': u'SecureString', u'ARN': u'arn:aws:ssm:us-east-2:accountID:parameter/AccessKey'}, 'ResponseMetadata': {'RetryAttempts': 0, 'HTTPStatusCode': 200, 'RequestId': '04127def-460e-4eca-a3b0-d3e43d03a3c5', 'HTTPHeaders': {'x-amzn-requestid': '04127def-460e-4eca-a3b0-d3e43d03a3c5', 'content-length': '205', 'server': 'Server', 'connection': 'keep-alive', 'date': 'Sat, 16 Jul 2022 10:30:42 GMT', 'content-type': 'application/x-amz-json-1.1'}}}

We can see our parameter with the help of WithDecryption. Without this option, the value is encrypted by default.

Versioning and Tagging

You can make changes on your SSM parameters. Your parameter is versioned for each change you make. It is very helpful to be able to see when and who made the change. Thus, you can easily make your corrections by updating the changes made. While using the put_parameter method, you can version with the help of 'Overwrite'.

    ssm_client.put_parameter(Name="environment", Value="prod", Type="String", Overwrite=True)
    
    {u'Tier': u'Standard', u'Version': 2, 'ResponseMetadata': {'RetryAttempts': 0, 'HTTPStatusCode': 200, 'RequestId': 'c3f49ee1-d36d-490c-8b7d-89b131dfb84c', 'HTTPHeaders': {'x-amzn-requestid': 'c3f49ee1-d36d-490c-8b7d-89b131dfb84c', 'content-length': '31', 'server': 'Server', 'connection': 'keep-alive', 'date': 'Tue, 02 Aug 2022 09:09:33 GMT', 'content-type': 'application/x-amz-json-1.1'}}}

If you don’t use ‘Overwrite’ for an existing parameter, it will try to create parameters and you will see an error message because that parameter already exists.

    import boto3
    ssm_client = boto3.client('ssm')
    ssm_client.put_parameter(Name="environment", Value="prod", Type="String")

    Traceback (most recent call last):
    File "", line 1, in 
    File "/usr/local/lib/python3.9/site-packages/botocore/client.py", line 357, in _api_call
        return self._make_api_call(operation_name, kwargs)
    File "/usr/local/lib/python3.9/site-packages/botocore/client.py", line 676, in _make_api_call
        raise error_class(parsed_response, operation_name)
    botocore.errorfactory.ParameterAlreadyExists: An error occurred (ParameterAlreadyExists) when calling the PutParameter operation: The parameter already exists. To overwrite this value, set the overwrite option in the request to true.

To see all the values ​​you have versioned, all you have to do is use the get_parameter_history method.

    ssm_client.get_parameter_history(Name="environment")

    {'ResponseMetadata': {'RetryAttempts': 0, 'HTTPStatusCode': 200, 'RequestId': '10aecb11-c1b0-43a4-9e99-dfdad65a048e', 'HTTPHeaders': {'x-amzn-requestid': '10aecb11-c1b0-43a4-9e99-dfdad65a048e', 'content-length': '457', 'server': 'Server', 'connection': 'keep-alive', 'date': 'Tue, 02 Aug 2022 09:11:34 GMT', 'content-type': 'application/x-amz-json-1.1'}}, u'Parameters': [{u'Name': u'environment', u'DataType': u'text', u'LastModifiedDate': datetime.datetime(2022, 8, 2, 12, 4, 30, 300000, tzinfo=tzlocal()), u'Labels': [], u'Value': u'dev', u'Version': 1, u'LastModifiedUser': u'arn:aws:iam::accountID:user/aylin', u'Policies': [], u'Tier': u'Standard', u'Type': u'String'}, {u'Name': u'environment', u'DataType': u'text', u'LastModifiedDate': datetime.datetime(2022, 8, 2, 12, 9, 33, 46000, tzinfo=tzlocal()), u'Labels': [], u'Value': u'prod', u'Version': 2, u'LastModifiedUser': u'arn:aws:iam::accountID:user/aylin', u'Policies': [], u'Tier': u'Standard', u'Type': u'String'}]}

You can add one or more tags for your parameters. Tagging makes it easy for you to group and query parameters easily.

What Is The Difference Between Secrets Manager and Parameter Store?

• AWS provides us with the AWS Secrets Manager and Parameter Store services to store our application configurations. Depending on the needs of your application, which service you choose may vary.

• You can automatically rotate data on a predetermined schedule in AWS Secrets Manager. However, you will have to manually update the values ​​in the Parameter Store according to your need.

• In Secrets Manager, you can store confidential information that needs to be encrypted, because every value you create will be encrypted. You cannot store data in plain text in Secrets Manager. However, in the Parameter Store, you can store both the plain text and encrypted data.

• The Parameter Store can store up to 4096 characters for each value. Secrets Manager can store up to 64Kb of secret size.

• The SSM Parameter Store has a cost advantage and you can store up to 10,000 parameters and you won't be billed for your usage in standard mode. Advanced parameters are priced per month of storage and API interaction. In Secrets Manager, pricing is based on the number of secrets stored and API calls made.

• AWS Secrets Manager allows you to replicate data across multiple regions for extra security. But the Parameter Store does not support multi-region replication.

So we have learned about features of a great service and how to use it. I'm sure you will love it when you experience the convenience and advantages of the Parameter Store.
Don’t forget to give it a try!