AWS Parameter Store

The parameter store is painful to navigate in the AWS console. AWS has provided us with the CLI, but these commands may be just as opaque. I’ve written a few helper functions.

I’m assuming you are using hierarchical parameters (as one should), have installed both the AWS CLI and the jq utility, and in fact have access to the parameter store.

In my .profile on my Mac, I source bin/functions wherein I define several functions for my environment. You might source this file from .bashrc, depending on your platform. To source the file, start your command with a period, a space, and the path to your file, e.g., . bin/functions. I suppose you could define these functions directly in .profile, but I like to keep that file as clean as possible.

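# Point the AWS CLI (and terraform) at a named profile.
function aws-set-profile() {
    export AWS_DEFAULT_PROFILE="$1"
    export AWS_PROFILE="$1"
    export TF_VAR_turbot_account_id="$1"
}

# Return the name and decrypted value of every parameter under /<service>/<env>.
function aws-get-parameters() {
    aws ssm get-parameters-by-path --recursive --with-decryption --path "/$1/$2" --query "Parameters[*].{Name:Name,Value:Value}"
}

# Print "name: value" lines for /<service>/<env>, filtered case-insensitively by <filter>.
function aws-get-values() {
    aws-get-parameters "$1" "$2" \
        | jq --raw-output '.[] | [.Name, .Value] | join(": ")' \
        | grep -i -- "$3"
}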

aws-set-profile

I work with a number of AWS accounts and use named profiles to switch between them. You can set up a named profile using the command aws configure --profile <name> (without the angled brackets). I then set my environment to use one of these profiles by calling the above function aws-set-profile <name>. The TF_VAR_turbot_account_id variable is for use with Terraform; if you do not recognize it, this may not apply to you.

aws-get-parameters

The aws-get-parameters function wraps a call to the CLI to return a refined set of information, i.e., each parameter name and decrypted value. The function as written assumes parameters are defined using the construct of /service/environment/parameter, and your call would look like aws-get-parameters <service> <env>. For example, if you want all of the parameters for the widget service in your dev environment, your call would be aws-get-parameters widget dev. If you are using a different construct, you will need to modify this function accordingly.

The --recursive flag tells the CLI to return all parameters within the hierarchy of the path you are inspecting.

The --with-decryption flag tells the CLI to decrypt all encrypted parameters, so their plaintext values are printed to your terminal.

The --path flag defines the hierarchy to inspect. All parameters below this hierarchy will be returned.

The --query flag tells the CLI which attributes to return for each parameter. In this case, we are returning the Name and Value attributes.

The format of my result set is:

[
    {
        "Name": "/widget/dev/foo",
        "Value": "bar"
    },
    {
        "Name": "/widget/dev/fizz",
        "Value": "buzz"
    }
]

aws-get-values

For the many parameters I may have defined in a given environment, I may not want to scroll through each one. This function uses jq to format the list of parameters so that the name and value are on a single line. That result set is then filtered case-insensitively using the grep command, which matches against the whole line, name and value alike. The format of my call is aws-get-values <service> <env> <filter>. This requires that you have some familiarity with your environment. For example, I know that my widget service uses Spring Boot. If I need to find the RDS endpoint, I might call aws-get-values widget dev datasource, which will score a hit on spring.datasource.url.

The format of my result set is:

/widget/dev/foo: bar
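
A variation on aws-get-values, added here as an example and not part of the original post: it matches the filter against the parameter name only, as a literal string, and masks SecureString values unless --show is given. The function names, the --show switch and the sample parameters are assumptions; Type is a standard attribute of each returned parameter.

```shell
# Added example, not from the original post. Function names are hypothetical.

# Read the JSON array produced by `aws ssm get-parameters-by-path` on stdin and
# print "name: value" lines whose *name* contains the filter (case-insensitive,
# literal match, not a regex). SecureString values are masked unless --show is
# passed as the second argument.
# Usage: ssm_filter_names <filter> [--show]
ssm_filter_names() {
    local filter show
    filter=$1
    show=false
    if [ "${2:-}" = "--show" ]; then
        show=true
    fi
    jq --raw-output --arg f "$filter" --argjson show "$show" '
        .[]
        | select(.Name | ascii_downcase | contains($f | ascii_downcase))
        | if .Type == "SecureString" and ($show | not)
          then "\(.Name): ********"
          else "\(.Name): \(.Value)"
          end'
}

# Wrapper in the style of the post's aws-get-values. Type is added to the
# query so the formatter can tell which values were stored encrypted.
# Usage: aws_get_values_masked <service> <env> <filter> [--show]
aws_get_values_masked() {
    aws ssm get-parameters-by-path --recursive --with-decryption \
        --path "/$1/$2" \
        --query "Parameters[*].{Name:Name,Type:Type,Value:Value}" \
    | ssm_filter_names "$3" "${4:-}"
}

# Constructed sample input (not real parameters), for running offline.
sample_parameters() {
    cat <<'EOF'
[
  {"Name": "/widget/dev/spring.datasource.url", "Type": "String", "Value": "jdbc:postgresql://db.example.internal:5432/widget"},
  {"Name": "/widget/dev/spring.datasource.password", "Type": "SecureString", "Value": "constructed-secret"},
  {"Name": "/widget/dev/foo", "Type": "String", "Value": "datasource-notes"}
]
EOF
}

# Offline demonstration: two names match; the third matches only in its value.
sample_parameters | ssm_filter_names datasource
```

Because the filter is compared with the name alone, a term that appears only inside a value no longer produces a hit, and the decrypted secret stays out of scrollback unless you ask for it.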