AWS vault as central repository for storing credentials
AWS Systems Manager Parameter Store is a secure, scalable, hierarchical store for passwords and other configuration parameters. One of our clients decided to use AWS Parameter Store as the central parameter repository in our application. WSO2 Carbon ships with its own Secure Vault, but it was a client requirement to use the AWS store as the central repository for credentials.
Solution
WSO2 does not provide a direct way to call AWS Parameter Store. As a solution for retrieving parameters, an API is exposed via WSO2 API Manager; it takes the name of a configuration parameter and calls a backend service implemented as a servlet. The servlet is what accesses AWS Parameter Store and returns the value of the configuration parameter to the calling point.
The servlet uses the AWS SDK for Java to get and decrypt parameters from the Parameter Store. It is deployed as a .war file hosted on the WSO2 API Manager Gateway node, and the parameter-retrieval operations are protected with OAuth2 authorization.
Implementation steps
- The AWS Java SDK was used to implement the solution. A servlet that calls the AWS APIs was created and deployed as a .war file on the WSO2 API Manager Gateway node. The servlet was then exposed as a REST API through WSO2 API Manager and protected with standard OAuth2.
- The AWS Java SDK (SSM module) dependency is added to the pom.xml of the ssm-java-client-servlet:
<dependencies>
    <dependency>
        <groupId>software.amazon.awssdk</groupId>
        <artifactId>ssm</artifactId>
        <version>2.15.26</version>
        <exclusions>
            <!-- The SDK's transitive slf4j-api is excluded to avoid a duplicate copy on the gateway classpath -->
            <exclusion>
                <groupId>org.slf4j</groupId>
                <artifactId>slf4j-api</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
</dependencies>
- The servlet code reads the request parameter and passes it to SsmManager:
// Servlet class and logger setup (class name assumed; the post shows only the doGet method)
public class SsmServlet extends HttpServlet {
    private static final Logger logger = Logger.getLogger(SsmServlet.class.getName());

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Parameter name supplied by the API caller; the gateway has already enforced OAuth2
        String param = request.getParameter("param");
        // Only the parameter name is logged, never the decrypted value
        logger.info("Get param name: " + param);
        // buildPath() prefixes the name with the application's Parameter Store hierarchy (defined elsewhere in the servlet)
        String fullParamPath = buildPath(param);
        logger.info("Full parameter path: " + fullParamPath);
        SsmManager manager = new SsmManager();
        // Fetches and decrypts the value from Parameter Store
        String value = manager.get(fullParamPath);
        // buildJson() renders the name/value pair returned to the caller (defined elsewhere in the servlet)
        String json = buildJson(param, value, fullParamPath);
        response.setContentType("application/json;charset=UTF-8");
        response.getWriter().println(json);
    }
}
- SsmManager invokes the AWS API using the AWS Java SDK:
import software.amazon.awssdk.services.ssm.SsmClient;
import software.amazon.awssdk.services.ssm.model.GetParameterRequest;
import software.amazon.awssdk.services.ssm.model.GetParameterResponse;
import software.amazon.awssdk.services.ssm.model.ParameterNotFoundException;
// Returns the decrypted value of one parameter, or defaultValue if it does not exist
// (method signature assumed; the post shows only the body)
public String get(String parameter, String defaultValue) {
    // provider supplies a configured SsmClient (region and credentials); it is closed on exit
    try (SsmClient client = provider.getClient()) {
        // withDecryption(true) makes SSM decrypt SecureString values with their KMS key,
        // so the caller's IAM identity needs kms:Decrypt on that key as well as ssm:GetParameter
        GetParameterRequest getParameterRequest = GetParameterRequest
                .builder()
                .name(parameter)
                .withDecryption(Boolean.TRUE)
                .build();
        GetParameterResponse response = client.getParameter(getParameterRequest);
        return response.parameter().value();
    } catch (ParameterNotFoundException e) {
        return defaultValue;
    }
}
Deployment steps
- The servlet and the supporting code that talks to AWS Parameter Store are packaged as a .war file (ssm-api-1.0.war) and deployed to the following API Manager location:
- APIM_HOME/repository/deployments/server/webapps
- In addition, the API definition is created and deployed via the Publisher portal.
- Clients that want to read from the Parameter Store invoke the API with an OAuth2 access token and the name of the parameter. On success, the parameter name/value pair is returned in JSON format.
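The client side of the last step, as an added example that is not part of the original post or the project's code: a Java 11+ consumer that obtains an access token from the API Manager token endpoint with the client-credentials grant and then calls the parameter API with it. The gateway URL, API context/version and the consumer key/secret are placeholders (assumed), as is the /token endpoint on the gateway's default HTTPS port 8243.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Consumer of the parameter API published on WSO2 API Manager (OAuth2 client-credentials grant). */
public class ParameterApiClient {
    // Placeholders (assumed): gateway URL, API context/version and the application's
    // consumer key/secret as issued by the API Manager Developer Portal subscription.
    private static final String GATEWAY = "https://gateway.example.internal:8243";
    private static final String API_PATH = "/ssm/1.0/param";
    private static final String CONSUMER_KEY = "<consumer-key>";
    private static final String CONSUMER_SECRET = "<consumer-secret>";
    private static final Pattern TOKEN = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"");
    private final HttpClient http = HttpClient.newHttpClient();

    /** Exchanges the consumer key/secret for a short-lived access token at the gateway's /token endpoint. */
    String fetchAccessToken() throws Exception {
        String basic = Base64.getEncoder().encodeToString(
                (CONSUMER_KEY + ":" + CONSUMER_SECRET).getBytes(StandardCharsets.UTF_8));
        HttpRequest req = HttpRequest.newBuilder(URI.create(GATEWAY + "/token"))
                .header("Authorization", "Basic " + basic)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString("grant_type=client_credentials"))
                .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        Matcher m = TOKEN.matcher(resp.body());
        if (resp.statusCode() != 200 || !m.find()) {
            throw new IllegalStateException("token request failed: HTTP " + resp.statusCode());
        }
        return m.group(1);
    }

    /** Calls the API with the Bearer token; the body is the servlet's JSON name/value pair. */
    String getParameter(String name) throws Exception {
        String url = GATEWAY + API_PATH + "?param=" + URLEncoder.encode(name, StandardCharsets.UTF_8);
        HttpRequest req = HttpRequest.newBuilder(URI.create(url))
                .header("Authorization", "Bearer " + fetchAccessToken())
                .GET().build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            throw new IllegalStateException("parameter request failed: HTTP " + resp.statusCode());
        }
        return resp.body();
    }
}
```

The token is requested on every call for brevity; a real client would cache it until shortly before its expiry and keep the consumer secret outside the source tree.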