AWS SSM Plugin

This plugin loads sensitive data or configuration from AWS SSM.
To demonstrate its use, we will store the connector's credentials token in SSM and load it from there.

The plugin is activated automatically when the "ssm-aws-region" parameter is added to the connector section.
The token is then referenced as "token: aws:ssm:/path/to/the/connector-token":

connector:
   name: "my-awesome-connector"
   aws-region: "us-east-1"
   ssm-aws-region: "us-east-2"

credentials:
   token: aws:ssm:/path/to/the/connector-token
   # token: AVeryLongAndSecurePasswordThingyTokenLikeStuffGeneratedInThePortal

# sockets:
aws_groups:
    - group: infra_team
      policies: [my-infra-policy]
      # private_socket: True

Sample AWS policy allowing connector instance access to SSM:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeParameters"
            ],
            "Resource": [
                "arn:aws:ssm:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter",
                "ssm:GetParameters"
            ],
            "Resource": [
                "arn:aws:ssm:*:123456789012:parameter/path/to/the/connector-token"
            ]
        }
    ]
}
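
To check that a policy like the one above grants read access to exactly the parameter the config references, the following added example (not part of the plugin or its project) maps the `aws:ssm:` reference to its parameter ARN and audits the policy's read statements. The function names are hypothetical, the region is taken from `ssm-aws-region`, the account ID from the sample policy, and IAM evaluation is simplified to Allow statements with `Action` and `Resource` only.

```python
import json
from fnmatch import fnmatchcase

SSM_PREFIX = "aws:ssm:"  # reference scheme used in the connector config
READ_ACTIONS = ("ssm:GetParameter", "ssm:GetParameters")

def parameter_arn(token_ref, region, account_id):
    """Map an aws:ssm:/name reference to the parameter ARN IAM evaluates."""
    if not token_ref.startswith(SSM_PREFIX):
        raise ValueError("not an aws:ssm: reference")
    name = token_ref[len(SSM_PREFIX):]
    if not name.startswith("/"):
        raise ValueError("expected a fully qualified parameter name")
    # A leading "/" in the name merges with "parameter" in the ARN.
    return f"arn:aws:ssm:{region}:{account_id}:parameter{name}"

def _listify(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy, arn):
    """Return (allowed, findings) for reading `arn` under `policy`.

    Simplified (assumption): only Allow statements, Action and Resource are
    evaluated; Deny, NotAction, NotResource and Condition are ignored.
    """
    allowed, findings = False, []
    for stmt in _listify(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _listify(stmt.get("Action", []))]
        if not any(fnmatchcase(r.lower(), a) for r in READ_ACTIONS for a in actions):
            continue  # statement grants no parameter read
        for res in _listify(stmt.get("Resource", [])):
            if fnmatchcase(arn, res):
                allowed = True
            # Wildcards in the parameter-name part expose other secrets.
            name_part = res.split(":parameter", 1)[1] if ":parameter" in res else "*"
            if "*" in name_part or "?" in name_part:
                findings.append(f"read access is broader than one parameter: {res}")
    return allowed, findings

# Constructed sample: the read statement from the policy above.
PAGE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": ["ssm:GetParameter", "ssm:GetParameters"],
  "Resource": ["arn:aws:ssm:*:123456789012:parameter/path/to/the/connector-token"]}]}""")
# Constructed over-broad variant for comparison.
BROAD_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "ssm:Get*", "Resource": "arn:aws:ssm:*:123456789012:parameter/*"}]}""")
```

Run `audit_policy` against the policy attached to the connector instance role before deploying; an empty findings list with `allowed` set to true means the role can read the referenced token and no other parameter.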