
Lesson Description
The "AWS Parameter Store" Lesson is part of the full Cloud Infrastructure: Startup to Scale course featured in this preview video. Here's what you'd learn in this lesson:
Erik introduces AWS Parameter Store and App Runner. Three secret string entries are created for the Google client ID, secret, and the Postgres connection string. An IAM role is then created to allow App Runner to execute actions throughout the deployment pipeline.
Transcript from the "AWS Parameter Store" Lesson
[00:00:00]
>> Erik Reinert: There we go. Five minutes. We have a database up and running, fully available, connectable. I've already even got the schemas in place to be able to run my application. Obviously we ran into some problems with setups and whatnot, but if you really look at the amount of effort and time put into doing this, it was a Docker file and creating a postgres instance on the Internet, not much effort at all.
[00:00:23]
Again, it's very startup focused. Okay, cool. So we've got our database. If we go back to our diagram here, the next thing is going to be App Runner and Parameter Store. So let's go ahead and get these set up. What we're going to do first is we're going to set up parameter store and then I'm going to go to SSM Systems Manager.
[00:00:51]
Once I click on Systems Manager, I'm going to go to parameter store. And if I type in again, if I did before, you'll see obviously I have tons of them because I use them for a lot of different applications and stuff. But if I type in fem, you'll see that these are going to be the three parameters that we are going to be creating.
[00:01:11]
Now again, I have them in previews just so that you guys can see what we're going to be doing. But this is effectively what we're going to want to do. And so what we're going to do is we're going to go ahead and click Create parameters. You're gonna type in like a URL fem-Fd-service/googleclientid, right?
[00:01:35]
So the idea here is this is key value storage, which basically means that the key is kind of like a URL that we're trying to navigate to the resource and the value will be the output of that, the client id, the client secret, and the URL that we just posted or created for postgres.
[00:01:55]
We're going to be copying and adding these all to ssm. So what I'm going to do is after I've got my name put in there, I'm going to click on secure string because I want to store it as an actual secured value. What's really nice about SSM and Secrets Manager is there's already encryption in place there.
[00:02:13]
You don't have to worry about rotating encryption keys and all of that. They have a really secure encryption platform, so you can lean on that. So I'm just going to say, use the KMS source of my current account and then just use the default alias SSM. You guys should all see this if not, it'll just ask you to create one.
[00:02:32]
But yeah, you should be able to use that. Then we just put in the value. I have my client. I think client IDs are fine to show. So let me go ahead and put this in here. I'm going to go ahead and copy this value and paste it in like this.
[00:02:47]
And then, I'm just gonna click create parameter. And so now if I do fem FD service and then slash. Whoops, there we go. You can see that now I have my Google client ID and I wanna do the exact same thing for the other two. So I'm gonna say, there we go, slash fem-fd.
[00:03:17]
And I can kind of come down here and use that as a quick click. And then Google Client Secret secure string. I move this off screen for a second, grab my secure string, paste that in there again, make sure you click secure string. It will show values unencrypted.
[00:03:46]
So be sure to click secure string, and then bring this over here. And then we'll do the same thing. I'll just use that Postgres URL, right? And then remember, when you copy and paste the postgres URL from the connect window, make sure to replace the your password section.
[00:04:12]
Otherwise it will not work. You will have to debug it and it will waste your time. You should see three in total just like that. You should have a client id, a client secret and a postgres URL. And you should populate those basically with the values that we had already.
[00:04:29]
So what's kind of nice too is you can now use this as reference. You don't have to worry about having a notepad open. And I do this a lot, too. This is why I like having UIs. I can even move quicker. It's like I'll just go to SSM and grab it real quick, you know.
[00:04:42]
So, yeah, finding solutions that help you is really the key here. So we've created our SSM parameters. Now the next thing we want to do is we want to set up an IAM policy. Now this is a little like out of left field, but this is something required to run App Runner.
[00:05:02]
If you go through the. If you wanna know more about App Runner, you just do AWS App Runner, Google it. Basically, they've got tons of documentation on how it works and how to set it up, but effectively I'm going to be taking you through a crash course on how to deploy web applications on App Runner.
[00:05:21]
One of the things we have to do before we actually run the application itself is we have to create an IAM role for it. Does anyone not know what I mean by that? What do I mean by creating an IAM role for the service I'm about to run?
[00:05:38]
>> Student: Need to give it permissions to execute whatever actions the service needs to execute.
>> Erik Reinert: Exactly, yeah. So Amazon Cloud's a really big platform. Maybe your product or service is working with S3, right. Maybe it's working with queues, maybe it's working with other things. We need to give the running container the ability to connect and talk with those things like we do locally.
[00:06:02]
So we created access keys and then put them in our shell and ran command with them. That's effectively what we're doing with our service. We're creating a role that says, hey, when you're communicating from this place, you have the permissions to do these things, and this is like a common.
[00:06:17]
If you don't know much about Amazon, this is like a very low level common thing that you'll do with pretty much on everything on Amazon and you'll run into it all the time. And it's actually really probably one of the biggest, I would say IAM is the biggest pain point of every developer's experience on Amazon because it's so annoying.
[00:06:37]
There's tons and tons of permissions you have to give it. But the takeaway I just want you to have with this is that we're going to go to the IAM part of the dashboard to give it permissions to do things in the cloud. And so what we're going to do is in the IAM section, we're gonna click on policies.
[00:06:56]
Again, I have tons of policies, but you will also notice that Amazon has a lot of out of the box policies for you. So any of the things that are with the little orange 3D box there is an IM or an Amazon Managed and you can see here it says Amazon Managed Policy.
[00:07:14]
I recommend using these as much as possible because it's really. They've tried to solve pretty much every problem most people are already trying to do outside of really granular or really specific permissions. This is a good go to get started thing. What's ironic is we won't be able to use it because App Runner doesn't have one in there for some reason.
[00:07:38]
And I don't know why, but at least, yeah, I don't think so. So anyways, what we're going to do is we're going to click Create Policy and then we're not actually going to use the visual editor here, we're just going to change the JSON. We're going to literally just write pure JSON in here.
[00:07:56]
And then, what I'm going to do is, I'm going to paste in what we actually need. And so what I'm going to do so you have it is I'm just going to open it in my editor. So the policy that you guys want to add is this right here.
[00:08:13]
Unfortunately, this is the only place I can give this to you because it's not in source code. It's something you would do manually. While you're going through it, all you're going to do is you're going to create a JSON object with statement as the array version at the bottom and then inside of the array make an object with action array, get parameters, effect allow.
[00:08:37]
And then, when you get to Resource, what you're going to do is you're going to put in your account region. Just for consistency's sake, let's just leave it on us-west-2 because that's what I'm already like how everything else was set up in the course. So we're going to put us-west-2 as the region and then the account ID is going to be your account ID and I can show you how to get that.
[00:09:01]
So it'd be us-west-2. And then to get your account ID you can actually go up in the top right hand corner where your user ID is or username, whatever, you can click this and then it'll say Account ID right there. You can just click that and then that will allow you to put in your account ID.
[00:09:21]
So can anyone guess what permissions we are giving this?
>> Student: We're giving. Once we give this policy to the app runner, we're going to basically allow the app runner to get parameters from the parameter store.
>> Erik Reinert: Exactly. Yeah, exactly. We are telling Amazon, hey, we just put some parameters in parameter store, please allow the application to use it as well.
[00:09:49]
This is a policy that we are allowing it to do. Now you might be like, well why am I allowed to do it without having to add the policy? Well, that's because you're probably using an administrator or root level account that has access to everything by default. So yeah, once you've got that, the next thing we have to do is just click next and then we will give it a name.
[00:10:08]
In this case we'll just say fem FD Service and that's it. And then, if you scroll down really quickly you will, you should see what it's actually, what permissions are actually defined and so in this case, we should see Systems Manager read, right? So it's limited just to read, which is important as well.
[00:10:27]
We don't want the service to write changes, we don't want to change the config, we just want to read it. So then we're going to click Create Policy. And now if I search, you should see a FEM-FD service, right? And then if I click on that, we should be able to see where is it?
[00:10:47]
Permissions. Yeah, our permissions right here, and click on that. And then I can see, GetParameters, all of that.