|PyPI version|
Loads AWS SSM Parameter Store parameters into local system environment variables and then executes your application so it has access to those environment variables.
This was inspired by the Twelve-Factor App principle `Store config in the environment <https://12factor.net/config>`__.
The intended use is as the ENTRYPOINT of Docker containers that run in AWS: the application's configuration lives in SSM, ssm-starter reads it into the environment and then starts the application, which reads these values from the environment like any other variable.
Install from PyPI:

.. code:: shell

    pip install ssm-starter
SSM-Starter is installed as a command line utility and can be run as:
.. code:: shell

    ssm-starter --ssm-name /dev/my-app/ --command /bin/bash run-app.sh
Regarding the format of ``--ssm-name`` and the SSM path it resolves to, note that all of the following are equivalent:

.. code:: shell

    ssm-starter --ssm-name /dev/my-app --command /bin/bash run-app.sh
    ssm-starter --ssm-name /dev/my-app/ --command /bin/bash run-app.sh
    AWS_ENV=dev ssm-starter --ssm-name my-app --command /bin/bash run-app.sh
Let's say you have the following three AWS SSM Parameters and their values.
+----------------------------------+-----------------------------------------------------+
| SSM Path                         | Value                                               |
+==================================+=====================================================+
| /dev/my-app/MYAPP_TEST_VAR       | abc123                                              |
+----------------------------------+-----------------------------------------------------+
| /dev/my-app/MYAPP_DB_CONN_STRING | Server=myserver;Database=mydb;Uid=myuid;Pwd=secret; |
+----------------------------------+-----------------------------------------------------+
| /dev/my-app/MYAPP_TEST_TWO       | xyz789                                              |
+----------------------------------+-----------------------------------------------------+
Running ssm-starter with the ssm-name "my-app" and the environment variable AWS_ENV set to "dev" results in the following:

.. code:: shell

    $ export AWS_REGION=us-east-1
    $ export AWS_ENV=dev
    $ ssm-starter --ssm-name my-app --command /bin/bash run-app.sh
    Reading parameters from SSM path: /dev/my-app/
    Read 3 parameters from SSM
    MYAPP_TEST_VAR - setting value from ssm: abc123
    MYAPP_DB_CONN_STRING - setting value from ssm (SecureString, 51 chars)
    MYAPP_TEST_TWO already in environment
    /bin/bash run-app.sh
After this runs, these variables are in the environment and accessible to the application. Notice that if the SSM parameter was stored as a SecureString, its value is not echoed to stdout, and that if an environment variable with that name already exists, it is not overwritten. So an environment variable passed directly into the container through "docker run -e", or given to it by an orchestrator (for example, defined in the task definition for ECS), takes precedence over the SSM value.
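The loading behaviour described above (path normalisation from ``--ssm-name`` and AWS_ENV, no overwriting of variables the orchestrator already injected, SecureString values kept out of the log), modelled as an added example. This is not ssm-starter's own code; the parameter records are constructed to mirror the table above, the record shape (``Name``, ``Type``, ``Value``) is assumed from what boto3's ``get_parameters_by_path`` returns, and the loader returns its log lines instead of printing them so they can be checked.

```python
"""Added example, not ssm-starter's own code: the loading behaviour the README
describes (path normalisation, no overwriting of existing variables, masked
SecureString values), modelled on constructed data so it runs offline.

Assumptions that are mine, not the README's: parameter records use the shape
boto3 returns from get_parameters_by_path (Name, Type, Value), and the loader
returns its log lines instead of printing them so they can be checked.
"""
import os
from typing import Dict, List, Optional, Tuple


def ssm_path(ssm_name: str, aws_env: Optional[str] = None) -> str:
    """Normalise an --ssm-name into the SSM path prefix that is read.

    "/dev/my-app", "/dev/my-app/" and "my-app" with AWS_ENV=dev all
    become "/dev/my-app/".
    """
    name = ssm_name.strip("/")
    if aws_env:
        name = f"{aws_env.strip('/')}/{name}"
    return f"/{name}/"


def fetch_parameters(path: str, region: str) -> List[dict]:
    """Read every parameter under `path` from SSM, decrypting SecureStrings.

    Uses boto3's get_parameters_by_path paginator; imported lazily so the
    rest of this file runs without boto3 or AWS credentials.
    """
    import boto3  # real library call; not exercised by the offline demo

    ssm = boto3.client("ssm", region_name=region)
    records: List[dict] = []
    for page in ssm.get_paginator("get_parameters_by_path").paginate(
        Path=path, WithDecryption=True
    ):
        records.extend(page["Parameters"])
    return records


def load_into_env(
    params: List[dict], env: Dict[str, str], path: str
) -> Tuple[Dict[str, str], List[str]]:
    """Copy SSM parameters into `env` (a dict standing in for os.environ).

    The variable name is the last segment of the parameter Name. A variable
    already present in env is left alone, so values injected with
    `docker run -e` or an ECS task definition take precedence over SSM.
    SecureString values are never written to the log, only their length.
    """
    log = [
        f"Reading parameters from SSM path: {path}",
        f"Read {len(params)} parameters from SSM",
    ]
    for p in params:
        var = p["Name"].rsplit("/", 1)[-1]
        if var in env:
            log.append(f"{var} already in environment")
            continue
        env[var] = p["Value"]
        if p.get("Type") == "SecureString":
            log.append(f"{var} - setting value from ssm (SecureString, {len(p['Value'])} chars)")
        else:
            log.append(f"{var} - setting value from ssm: {p['Value']}")
    return env, log


def exec_command(command: List[str], env: Dict[str, str]) -> None:
    """Replace this process with the application, handing it the enriched
    environment (what `--command /bin/bash run-app.sh` ends up doing)."""
    os.execvpe(command[0], command, env)


# Constructed sample mirroring the README's table; not real parameters.
SAMPLE_PARAMS = [
    {"Name": "/dev/my-app/MYAPP_TEST_VAR", "Type": "String", "Value": "abc123"},
    {"Name": "/dev/my-app/MYAPP_DB_CONN_STRING", "Type": "SecureString",
     "Value": "Server=myserver;Database=mydb;Uid=myuid;Pwd=secret;"},
    {"Name": "/dev/my-app/MYAPP_TEST_TWO", "Type": "String", "Value": "xyz789"},
]


def demo() -> Tuple[Dict[str, str], List[str]]:
    """Run the loader over SAMPLE_PARAMS with MYAPP_TEST_TWO pre-set, as if
    the orchestrator had injected it (constructed value)."""
    path = ssm_path("my-app", aws_env="dev")
    env = {"AWS_REGION": "us-east-1", "AWS_ENV": "dev",
           "MYAPP_TEST_TWO": "from-orchestrator"}
    return load_into_env(SAMPLE_PARAMS, env, path)


if __name__ == "__main__":
    _, lines = demo()
    print("\n".join(lines))
```

The point worth checking is the last one: the decrypted connection string ends up only in the environment handed to the child process, never in the log lines, while an operator can still tell from the log that the parameter was read and how long it was.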
--ssm-name
    The name prefix of your application. If the environment variable
    AWS_ENV is present, the name is additionally prefixed with that value.
    Multiple --ssm-name arguments can be provided, in which case SSM
    Starter will read all parameters from each SSM path provided.

--command
    The command to execute after loading the SSM variables into the
    environment. The command does not need to be enclosed in quotes, but
    this should be the last argument, as all arguments after it are
    assumed to be part of the command to execute.

--abort-if-duplicates
    This optional argument instructs SSM Starter to abort (non-zero exit
    code) if any duplicate parameter names are found. This can only occur
    if multiple --ssm-name arguments are provided. The default behavior is
    to skip any encountered duplicates and log a warning message.

--overwrite-if-duplicates
    This optional argument instructs SSM Starter to overwrite if any
    duplicate parameter names are found, so the last parameter "wins".
    This can only occur if multiple --ssm-name arguments are provided. The
    default behavior is to skip any encountered duplicates and log a
    warning message.

AWS_ENV
    (environment variable) If present, this is prefixed before the
    supplied ssm-name. If you have separate AWS accounts for each
    environment, you will not need this. If, however, you are sharing a
    single AWS account across multiple environments (dev, stage, prod,
    etc.), this provides a way to partition the SSM parameters.

AWS_REGION
    (environment variable) The AWS_REGION environment variable is expected
    to be present. The region is set by this environment variable rather
    than through an argument to ssm-starter so that the same configuration
    can be promoted to multiple environments that may be in different
    regions. If only AWS_REGION is set, ssm-starter will also set
    AWS_DEFAULT_REGION to the same value. If both are set and in conflict,
    ssm-starter will set both to the value in AWS_REGION.
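The three duplicate policies (default skip, --overwrite-if-duplicates, --abort-if-duplicates) and the AWS_REGION / AWS_DEFAULT_REGION reconciliation described above, as an added example. This is not ssm-starter's own code: it assumes each ``--ssm-name``'s parameters arrive as a ``{variable_name: value}`` dict in argument order, uses an exception to stand in for the non-zero exit, and the two overlapping parameter sets are constructed.

```python
"""Added example, not ssm-starter's own code: the duplicate-handling policies
(--abort-if-duplicates, --overwrite-if-duplicates, default skip) and the
AWS_REGION / AWS_DEFAULT_REGION reconciliation the README describes, written
as pure functions over dicts so they run offline.

Assumption that is mine: each --ssm-name's parameters are handed over as a
{variable_name: value} dict, in the order the --ssm-name arguments appeared.
"""
from typing import Dict, List, Tuple


class DuplicateParameterError(Exception):
    """Raised under --abort-if-duplicates; the caller turns it into a
    non-zero exit code."""


def merge_parameter_sets(
    sets: List[Tuple[str, Dict[str, str]]], policy: str = "skip"
) -> Tuple[Dict[str, str], List[str]]:
    """Merge parameters read from several --ssm-name paths.

    policy "skip"       default: the first value seen is kept, warning logged
    policy "overwrite"  --overwrite-if-duplicates: the last value wins
    policy "abort"      --abort-if-duplicates: raise on the first duplicate
    """
    merged: Dict[str, str] = {}
    warnings: List[str] = []
    for path, params in sets:
        for name, value in params.items():
            if name not in merged:
                merged[name] = value
            elif policy == "abort":
                raise DuplicateParameterError(
                    f"duplicate parameter {name} found under {path}")
            elif policy == "overwrite":
                warnings.append(
                    f"WARNING: {name} under {path} overwrites the earlier value")
                merged[name] = value
            else:
                warnings.append(
                    f"WARNING: duplicate {name} under {path} skipped, "
                    "keeping the earlier value")
    return merged, warnings


def reconcile_region(env: Dict[str, str]) -> Dict[str, str]:
    """AWS_REGION is authoritative. Missing entirely is an error; otherwise
    AWS_DEFAULT_REGION is set (or corrected) to the same value."""
    region = env.get("AWS_REGION")
    if not region:
        raise KeyError("AWS_REGION environment variable is expected to be present")
    env["AWS_DEFAULT_REGION"] = region
    return env


# Constructed sample: two paths that both define DB_HOST (not real data).
SHARED = ("/dev/shared/", {"DB_HOST": "shared-db", "LOG_LEVEL": "info"})
MY_APP = ("/dev/my-app/", {"DB_HOST": "app-db", "APP_PORT": "8080"})


def demo() -> Dict[str, object]:
    """Run all three policies over the sample and report what each did,
    then reconcile a deliberately conflicting pair of region variables."""
    skipped, skip_warnings = merge_parameter_sets([SHARED, MY_APP])
    overwritten, _ = merge_parameter_sets([SHARED, MY_APP], "overwrite")
    try:
        merge_parameter_sets([SHARED, MY_APP], "abort")
        aborted = False
    except DuplicateParameterError:
        aborted = True
    regions = reconcile_region(
        {"AWS_REGION": "us-east-1", "AWS_DEFAULT_REGION": "eu-west-1"})
    return {
        "skip_db_host": skipped["DB_HOST"],
        "skip_warnings": skip_warnings,
        "overwrite_db_host": overwritten["DB_HOST"],
        "aborted": aborted,
        "regions": regions,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the default policy the first path listed silently (apart from the warning) wins, so the order of ``--ssm-name`` arguments decides which value an application sees; ``--abort-if-duplicates`` is the safer choice when two teams own the overlapping paths.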
To run the integration tests inside the build container, in the context of an IAM role that has access to SSM:

.. code:: shell

    docker build -t billtrust/ssm-starter:build -f Dockerfile.buildenv .
    pip install iam-docker-run --user
    # specify a valid IAM role name which has full permissions to SSM
    export IAM_ROLE_NAME="role-ops-developers"
    # specify a local AWS profile name which has access to assume the above IAM role
    export AWS_PROFILE_NAME="dev"
    # this executes the integration test using python scripttest in the context of
    # the specified IAM role which has access to SSM
    iam-docker-run \
        --image billtrust/ssm-starter:build \
        --aws-role-name $IAM_ROLE_NAME \
        --profile $AWS_PROFILE_NAME \
        --host-source-path . \
        --full-entrypoint "make test"
For the maintainer: to publish an updated version of ssm-starter, increment the version number in version.py and run the following:

.. code:: shell

    docker build -f ./Dockerfile.buildenv -t billtrust/ssm-starter:build .
    docker run --rm -it --entrypoint make billtrust/ssm-starter:build publish
At the prompts, enter the username and password to the Billtrust pypi.org repo.
MIT License
Copyright (c) 2018 Factor Systems Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
.. |PyPI version| image:: https://badge.fury.io/py/ssm-starter.svg
   :target: https://badge.fury.io/py/ssm-starter