
Add prefix option to AWS SSM Parameter Store secret store implementation #2001

Closed
ostreek opened this issue Aug 23, 2022 · 2 comments · Fixed by #2043

ostreek (Contributor) commented Aug 23, 2022

The problem

There is one AWS SSM Parameter Store per account/region, which is designed to organise parameters hierarchically. This differs from, for example, Azure Key Vault, which allows multiple vaults to be created. The key vault secret store implementation requires you to specify the vault to use.

Currently it's not possible to have more than one SSM Parameter Store secret store component, unless you use different accounts/regions, as they would all share the same secrets. Even if you have just one secret store, it has access to other SSM parameters that are unrelated to your application.

Describe the proposal

The SSM Parameter Store equivalent of specifying the Azure Key Vault to use would be to allow a prefix to be specified. This would be optional, and if not specified the component would behave as it does now.

Example

Given the following key:value parameters in SSM:

secretname:a
/store1/secretname:b
/store2/secretname:c

and the following component configurations:

```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: noprefix
  namespace: default
spec:
  type: secretstores.aws.parameterstore
  version: v1
  metadata:
    - name: region
      value: eu-west-2
    - name: accessKey
      value: AKIAYEXAMPLE
    - name: secretKey
      value: RrDlRQa791LOJEXAMPLE
```

```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: store1
  namespace: default
spec:
  type: secretstores.aws.parameterstore
  version: v1
  metadata:
    - name: region
      value: eu-west-2
    - name: accessKey
      value: AKIAYEXAMPLE
    - name: secretKey
      value: RrDlRQa791LOJEXAMPLE
    - name: prefix
      value: /store1/
```

```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: store2
  namespace: default
spec:
  type: secretstores.aws.parameterstore
  version: v1
  metadata:
    - name: region
      value: eu-west-2
    - name: accessKey
      value: AKIAYEXAMPLE
    - name: secretKey
      value: RrDlRQa791LOJEXAMPLE
    - name: prefix
      value: /store2/
```

I would expect these requests/responses:

| Request | Response |
| --- | --- |
| http://localhost:3500/v1.0/secrets/noprefix/secretname | {"secretname":"a"} |
| http://localhost:3500/v1.0/secrets/store1/secretname | {"secretname":"b"} |
| http://localhost:3500/v1.0/secrets/store2/secretname | {"secretname":"c"} |
| http://localhost:3500/v1.0/secrets/noprefix/%2Fstore1%2Fsecretname | {"/store1/secretname":"b"} |

I'm happy to work on this if it's agreed that this is the right approach.
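Added example, not code from the issue or from the components-contrib project: a Go sketch of the proposed prefix semantics, with a constructed in-memory stand-in for SSM (`fakeSSM`, `sampleParams`, `prefixedStore` are all hypothetical names) so it runs offline and reproduces the request/response table above. The prefix is a namespacing convenience; the IAM policy attached to the store's credentials still decides which parameter paths are actually reachable.

```go
package main

import (
	"fmt"
	"strings"
)

// fakeSSM stands in for the SSM Parameter Store API, keyed by full parameter name (constructed).
type fakeSSM map[string]string
// sampleParams holds the three parameters from the issue (constructed test data).
var sampleParams = fakeSSM{"secretname": "a", "/store1/secretname": "b", "/store2/secretname": "c"}
// GetParameter mimics ssm:GetParameter for one fully-qualified name.
func (f fakeSSM) GetParameter(name string) (string, error) {
	v, ok := f[name]
	if !ok {
		return "", fmt.Errorf("parameter %q not found", name)
	}
	return v, nil
}

// prefixedStore is a hypothetical secret store scoped to one SSM path prefix; "" keeps today's unscoped behaviour.
type prefixedStore struct {
	client fakeSSM
	prefix string
}

// GetSecret resolves name under the prefix but keys the result by the name the caller asked for.
func (s prefixedStore) GetSecret(name string) (map[string]string, error) {
	val, err := s.client.GetParameter(s.prefix + name)
	if err != nil {
		return nil, err
	}
	return map[string]string{name: val}, nil
}

// BulkGetSecret returns only parameters under the prefix (real code would use ssm:GetParametersByPath), prefix stripped.
func (s prefixedStore) BulkGetSecret() map[string]string {
	out := map[string]string{}
	for name, val := range s.client {
		if strings.HasPrefix(name, s.prefix) {
			out[strings.TrimPrefix(name, s.prefix)] = val
		}
	}
	return out
}

func main() {
	fmt.Println(prefixedStore{client: sampleParams, prefix: "/store1/"}.BulkGetSecret()) // map[secretname:b]
}
```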

berndverst (Member) commented

LGTM. Just make sure the prefix metadata is optional so existing behavior can also be retained.

yaron2 (Member) commented Aug 24, 2022

LGTM
