SSM Parameter Store — Secrets Guide

All application secrets are stored in AWS SSM Parameter Store as SecureString parameters encrypted with the NHC KMS CMK (prod-nhc-kms-s3).

No .env files with plaintext secrets are used on EC2 instances. Every secret read (the ssm:GetParameter call, and the kms:Decrypt call SSM makes against the CMK on the caller's behalf) is logged in CloudTrail, so parameter access can be audited per IAM principal.

Naming Convention

/nhc/<app>/<secret_name>

Parameter                   App            Description
/nhc/django/db_password     Django API     RDS master password
/nhc/django/secret_key      Django API     Django SECRET_KEY
/nhc/wordpress/db_password  WP CMS         Docker MySQL container password (not RDS — WP uses a containerised DB)
/nhc/gitlab/runner_token    GitLab Runner  Runner registration token

Storing a Secret

aws ssm put-parameter \
  --profile nhc-prod \
  --region us-east-2 \
  --name "/nhc/django/db_password" \
  --value "your-secure-password" \
  --type SecureString \
  --key-id "alias/prod-nhc-kms-s3" \
  --overwrite

Reading a Secret (CLI)

aws ssm get-parameter \
  --profile nhc-prod \
  --region us-east-2 \
  --name "/nhc/django/db_password" \
  --with-decryption \
  --query Parameter.Value \
  --output text

Consuming Secrets in Docker Compose

On the EC2 instance, a startup wrapper script fetches secrets from SSM and passes them as environment variables to Docker Compose. Nothing is written to disk: the values exist only in the wrapper's environment and in the containers' environment. Note that environment variables are still readable on the host by anyone who can run docker inspect or read a container process's /proc/<pid>/environ, so host access control remains part of the secret boundary.

Example (/home/deploy/apps/django/start.sh):

#!/bin/bash
set -euo pipefail

# Assign first, then export. `export VAR=$(cmd)` returns the exit status of
# export (always 0), so under set -e a failed SSM fetch would be ignored and
# an empty password exported; a plain assignment propagates the failure.
DB_PASSWORD=$(aws ssm get-parameter \
  --region us-east-2 \
  --name /nhc/django/db_password \
  --with-decryption \
  --query Parameter.Value \
  --output text)
export DB_PASSWORD

DJANGO_SECRET_KEY=$(aws ssm get-parameter \
  --region us-east-2 \
  --name /nhc/django/secret_key \
  --with-decryption \
  --query Parameter.Value \
  --output text)
export DJANGO_SECRET_KEY

docker compose up -d

The EC2 instance accesses SSM via its IAM instance profile (SSM role) — no AWS credentials are stored on the instance.
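The following is an added example, not part of this guide or of the deploy scripts it describes. It factors the start.sh pattern above into reusable functions that enforce the /nhc/<app>/<secret_name> naming convention before any call reaches the CLI and that fail loudly when a fetch fails or returns an empty value. It assumes the aws CLI and the instance-profile credentials described in the guide; NHC_REGION is an assumed knob, not an existing setting.

```shell
#!/bin/bash
# Added example (not the project's own code): fetch helpers for a
# start.sh-style wrapper. Assumes the aws CLI and instance-profile credentials
# from the guide; NHC_REGION is an assumed override, defaulting to us-east-2.
set -eu

NHC_REGION="${NHC_REGION:-us-east-2}"

# valid_param_name NAME: succeed only for /nhc/<app>/<secret_name> with exactly
# two segments of [a-z0-9_-]. Other prefixes, extra path components and shell
# metacharacters are rejected before the CLI runs, so the wrapper can only ever
# read inside the parameter/nhc/* scope the IAM policy is meant to grant.
valid_param_name() {
  printf '%s' "$1" | grep -Eq '^/nhc/[a-z0-9_-]+/[a-z0-9_-]+$'
}

# fetch_secret NAME: print the decrypted value of one SecureString parameter.
# Only the parameter name is written to stderr on failure, never a value.
fetch_secret() {
  if ! valid_param_name "$1"; then
    echo "refusing to read '$1': not a /nhc/<app>/<secret_name> parameter" >&2
    return 2
  fi
  aws ssm get-parameter \
    --region "$NHC_REGION" \
    --name "$1" \
    --with-decryption \
    --query Parameter.Value \
    --output text
}

# export_secret VAR NAME: export VAR with the value of parameter NAME.
# The assignment is kept separate from export so a failed fetch is an error
# under set -e (`export VAR=$(cmd)` would return export's status, always 0,
# and silently export an empty string). An empty value is rejected as well.
export_secret() {
  var="$1"
  name="$2"
  value="$(fetch_secret "$name")" || return 1
  if [ -z "$value" ]; then
    echo "parameter $name returned an empty value" >&2
    return 1
  fi
  export "$var=$value"
}

# Wrapper entry point: runs only when invoked as `start.sh --run`, so the
# functions above can be sourced and exercised without touching SSM.
if [ "${1:-}" = "--run" ]; then
  export_secret DB_PASSWORD /nhc/django/db_password
  export_secret DJANGO_SECRET_KEY /nhc/django/secret_key
  exec docker compose up -d
fi
```

With this shape, a misconfigured instance profile or a missing parameter stops the wrapper before docker compose starts, instead of launching containers with empty credentials; the name check also means a typo or a parameter outside /nhc/ produces a clear refusal rather than an AccessDenied from IAM.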

IAM Permissions

The EC2 SSM instance profile (nhc-ec2-ssm-profile) has AmazonSSMManagedInstanceCore attached, which grants SSM session access. SSM Parameter Store reads require an additional policy, to be added in Phase 5 hardening. Note that reading a SecureString with --with-decryption also requires kms:Decrypt on prod-nhc-kms-s3 for the instance role, granted either in the role's IAM policy or in the key policy; without it the call fails even when the ssm:GetParameter permission below is present:

{
  "Effect": "Allow",
  "Action": ["ssm:GetParameter", "ssm:GetParameters"],
  "Resource": "arn:aws:ssm:us-east-2:794248400165:parameter/nhc/*"
}

Phase 5 item

The SSM Parameter Store read policy is not yet attached to the instance profile. This must be done before app containers start fetching secrets.