Protecting AWS credentials for dynamic config

I would like to use the dynamic config feature with aws-ssm. My question is how do I secure the AWS credentials being used? For testing I used waypoint config source-set -type=aws-ssm -config="secret_key=ABC123". How secure is this? I was able to run config source-get and see the secret key. I was also able to do so on the Waypoint server itself.

I tried using -config="profile=myprofile" but that did not work. I'm assuming it's because I ran that command from my workstation, and neither the Waypoint server nor the Docker container has an AWS profile set up.

So I guess the question is: how do I best manage the AWS secrets needed to use the aws-ssm plugin? If they could somehow be gathered on the workstation where Waypoint is being run, that would be best.

This will store the secret on the Waypoint server, on disk, unencrypted.

The ideal scenario would be to get an IAM profile where you’re deploying to. For example, it is possible with EKS to expose an IAM profile automatically in all workloads. The AWS-SSM dynamic config plugin can be configured to read an IAM profile.
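As an added illustration of the point made in this reply (example code, not part of the original thread or of the Waypoint project): a small pre-flight check that inspects the -config values about to be handed to waypoint config source-set -type=aws-ssm and refuses static credential keys such as secret_key, which the Waypoint server would otherwise keep on disk unencrypted. The list of rejected key names and the dry-run wrapper are assumptions made for this example; the check does not know which role-based settings the plugin accepts, it only blocks the obviously dangerous ones.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumption: the aws-ssm config
# sourcer takes key=value pairs via repeated -config= flags, as in the question.

# Returns 0 when no key=value pair carries static AWS credential material,
# 1 (with a message on stderr) otherwise. The rejected key names are an
# assumption for this example.
# Usage: aws_ssm_config_ok "profile=deploy" "region=us-east-1"
aws_ssm_config_ok() {
  for kv in "$@"; do
    key=${kv%%=*}          # text before the first '=' is the setting name
    case "$key" in
      secret_key|access_key|session_token)
        printf 'refusing static credential in config key "%s"; use an IAM role or profile instead\n' "$key" >&2
        return 1 ;;
    esac
  done
  return 0
}

# Dry-run wrapper: runs the check, then prints the waypoint command that
# would be executed instead of executing it, so it is safe to try anywhere.
# Usage: set_aws_ssm_source "profile=deploy" "region=us-east-1"
set_aws_ssm_source() {
  aws_ssm_config_ok "$@" || return 1
  cmd="waypoint config source-set -type=aws-ssm"
  for kv in "$@"; do
    cmd="$cmd -config=\"$kv\""
  done
  echo "$cmd"
}
```

Run the check from a wrapper script or CI step so that a static secret_key never reaches the server in the first place; the role-based settings themselves (an IAM profile exposed to the workload, as the reply describes) need no secret on the workstation at all.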