Tags: python, amazon-web-services, amazon-ec2, boto3, aws-ssm

How to correctly/safely access parameters from AWS SSM Parameter store for my Python script on EC2 instance?


I have a Python script that I want to run and text me a notification if a certain condition is met. I'm using Twilio, so I have a Twilio API token and I want to keep it secret. I have it successfully running locally, and now I'm working on getting it running on an EC2 instance.

Regarding AWS steps, I've created an IAM user with permissions, launched the EC2 instance (and saved the ssh keys), and created some parameters in the AWS SSM Parameter store. Then I ssh'd into the instance and installed boto3. When I try to use boto3 to grab a parameter, I'm unable to locate the credentials:

# test.py
import boto3

ssm = boto3.client('ssm', region_name='us-west-1')

secret = ssm.get_parameter(Name='/test/cli-parameter')
print(secret)

# running the file in the console
>> python test.py
...
    raise NoCredentialsError
botocore.exceptions.NoCredentialsError: Unable to locate credentials

I'm pretty sure this means it can't find the credentials that were created when I ran aws configure and it created the .aws/credentials file. I believe the reason for this is that I ran aws configure on my local machine, rather than running it while ssh'd into the instance. I did this to keep my AWS ID and secret key off of my EC2 instance, because I thought I'm supposed to keep that private and not put tokens/keys on my EC2 instance. I think I can solve the issue by running aws configure while ssh'd into my instance, but I want to understand what happens if there's a .aws/credentials file on my actual EC2 instance, and whether or not this is dangerous. I'm just not sure how this is all supposed to be structured, or what is a safe/correct way of running my script and accessing secret variables.

Any insight at all is helpful!


Solution

  • I suspect the answer you're looking for looks something like:

    1. Create an IAM policy which allows access to the SSM parameter (why not use the SecretStore?)
    2. Attach that IAM policy to a role.
    3. Attach the role to your EC2 instance (instance profile)
    4. boto3 will now automatically collect an AWS secret key, etc. from the metadata service when it needs to talk to the parameter store.
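The steps above, carried through in code as an added example (not code from the question or the answer): a least-privilege policy document for the role in the instance profile, scoped to the one parameter named in the question, and a script that reads that parameter without any credentials on disk, relying on the credential chain boto3 walks on its own. The account id is a placeholder; the `credential_source` check reports which provider botocore actually resolved credentials from, so you can confirm on the instance that it is the role (`iam-role`) and not a stray `~/.aws/credentials` file.

```python
import os
from typing import Any, Dict

PARAM_NAME = "/test/cli-parameter"   # the parameter name from the question
REGION = "us-west-1"                 # the region from the question
ACCOUNT_ID = "123456789012"          # placeholder account id, replace with yours


def parameter_arn(name: str, region: str = REGION, account_id: str = ACCOUNT_ID) -> str:
    """ARN of a Parameter Store entry. A leading '/' in the name is appended to
    ':parameter' directly, so '/test/cli-parameter' becomes
    '...:parameter/test/cli-parameter' (no double slash)."""
    path = name if name.startswith("/") else f"/{name}"
    return f"arn:aws:ssm:{region}:{account_id}:parameter{path}"


def least_privilege_policy(name: str = PARAM_NAME) -> Dict[str, Any]:
    """Policy document for the role attached to the instance profile (steps 1-3):
    read access to exactly one parameter and nothing else. A SecureString
    parameter additionally needs kms:Decrypt on the KMS key it is encrypted with."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["ssm:GetParameter"],
                "Resource": [parameter_arn(name)],
            }
        ],
    }


def fetch_parameter(ssm_client, name: str = PARAM_NAME) -> str:
    """Return the parameter value through whatever SSM client is passed in.
    WithDecryption=True makes a SecureString come back usable; for a plain
    String parameter it changes nothing."""
    resp = ssm_client.get_parameter(Name=name, WithDecryption=True)
    return resp["Parameter"]["Value"]


def credential_source(session) -> str:
    """Name of the provider botocore resolved credentials from: 'iam-role' for
    the instance profile (step 4), 'shared-credentials-file' for ~/.aws/credentials,
    'none' if nothing was found (the NoCredentialsError case in the question)."""
    creds = session.get_credentials()
    if creds is None:
        return "none"
    return creds.method


def stray_credentials_file() -> bool:
    """True if ~/.aws/credentials exists on this host. On an instance that is
    meant to use its instance profile, that file is a long-lived static secret
    that should not be there."""
    return os.path.exists(os.path.expanduser("~/.aws/credentials"))


if __name__ == "__main__":
    import boto3  # imported here so the helpers above work without boto3 installed

    session = boto3.Session(region_name=REGION)
    print("credentials resolved from:", credential_source(session))
    if stray_credentials_file():
        print("warning: ~/.aws/credentials present; prefer the instance profile")
    token = fetch_parameter(session.client("ssm"))
    # Log that the fetch worked, never the value itself.
    print("fetched", PARAM_NAME, "length", len(token))
```

Run it on the instance after the role is attached: the first line should read `iam-role`, and the `print(secret)` from the question is replaced by printing only the value's length, since the whole point of pulling the Twilio token from Parameter Store is to keep it out of logs and shell history.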