Protecting AWS credentials for dynamic config

wesley-staples · December 23, 2020, 7:15pm

I would like to use the dynamic config feature with aws-ssm. My question is how do a secure the aws credentials being used? For testing I used waypoint config source-set -type=aws-ssm -config="secret_key=ABC123". How secure is this? I was able to run config source-get and see the secret key. I was also able to do so on the waypoint server itself.

I tried using the -config=“profile=myprofile” but that did not work. I’m assuming its because I ran that command from my workstation and the waypoint server nor docker container have an aws profile setup.

So I guess the question is how do I best manage the aws secrets needed to use the aws-ssm plugin? If it could somehow be gathered on the workstation where waypoint is being run that would be best.

mitchellh · January 9, 2021, 9:32pm

This will store the secret on the Waypoint server, on disk, unencrypted.

The ideal scenario would be to get an IAM profile where you’re deploying to. For example, it is possible with EKS to expose an IAM profile automatically in all workloads. The AWS-SSM dynamic config plugin can be configured to read an IAM profile.

Topic		Replies	Views
How to configure AWS-SSM to get Parameter Store Waypoint	1	647	June 1, 2021
Dynamic credentials with AWS Elasticsearch Vault	1	484	February 24, 2020
Enable secure access to secrets for AWS ECS containers using Terraform - ecs-secrets-manager module AWS	2	2520	September 20, 2022
What the right way to dms/password and secret manager? Terraform	0	1074	December 14, 2021
Solution around updating dynamic secret values generated from vault to secrets/Env. variable in AWS parameter store Vault	0	154	May 27, 2023

Protecting AWS credentials for dynamic config

Related topics