ssm put-parameter fetches external URLs if value is URL #3076

Closed
otanner opened this Issue Jan 8, 2018 · 8 comments

otanner commented Jan 8, 2018

Hi,

When the value of the parameter contains a URL, aws-cli fetches the URL and tries to insert the source code as the value. When setting the same value via the console, it can be stored as is.

Example:
`aws ssm put-parameter --type 'SecureString' --key-id 'alias/mykey' --name '/myservice/url' --value 'https://google.com/'` returns the source code of https://google.com/ and an error: `failed to satisfy constraint: Member must have length less than or equal to 4096`.

Is this a bug or a feature with missing documentation? Is there a possibility to put raw values containing URLs without this magic?

Version information:
aws-cli/1.14.19 Python/2.7.10 Darwin/16.7.0 botocore/1.8.23

Contributor

joguSD commented Jan 8, 2018

It's a documented feature, but it's definitely a feature we've found to cause a lot of surprise. The easiest way around this is probably to use --cli-input-json like so:

aws ssm put-parameter --cli-input-json '{"Type": "SecureString", "KeyId": "alias/mykey", "Name": "/myservice/url", "Value": "https://google.com/"}'

We intend to add an option somehow for users to opt out of this.
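The workaround above, as an added example that is not code from this thread or from the aws-cli project: it flags values the CLI would dereference and builds a `--cli-input-json` invocation for them, so the literal string is stored and no request leaves the host. The helper names are hypothetical, and the prefix list (`http://`, `https://`, `file://`, `fileb://`) is an assumption based on AWS CLI v1's documented parameter loading.

```python
import json

# Prefixes AWS CLI v1 treats as "load the value from this location" rather
# than as literal text. Assumption: taken from the CLI's documented
# file/URL parameter loading, not quoted from this thread.
REMOTE_PREFIXES = ("http://", "https://")
LOCAL_PREFIXES = ("file://", "fileb://")


def dereference_kind(value):
    """Return 'remote', 'local' or None for how the CLI would treat value."""
    if value.startswith(REMOTE_PREFIXES):
        return "remote"  # the CLI host would make an outbound request
    if value.startswith(LOCAL_PREFIXES):
        return "local"   # the CLI would read a file from local disk
    return None


def put_parameter_argv(name, value, param_type="String", key_id=None):
    """Build an argv list that stores value literally (hypothetical helper)."""
    if dereference_kind(value) is None:
        argv = ["aws", "ssm", "put-parameter", "--name", name,
                "--type", param_type, "--value", value]
        return argv + (["--key-id", key_id] if key_id else [])
    # Workaround from the thread: send the whole request as JSON, so the
    # value never appears as a stand-alone argument starting with a prefix.
    request = {"Name": name, "Type": param_type, "Value": value}
    if key_id:
        request["KeyId"] = key_id
    return ["aws", "ssm", "put-parameter",
            "--cli-input-json", json.dumps(request, sort_keys=True)]


def audit(planned):
    """Map parameter name -> kind for every value the CLI would dereference."""
    kinds = {name: dereference_kind(value) for name, value in planned.items()}
    return {name: kind for name, kind in kinds.items() if kind is not None}


if __name__ == "__main__":
    # Constructed sample values, not taken from a real environment.
    planned = {
        "/myservice/url": "https://google.com/",
        "/myservice/cert": "file://cert.pem",
        "/myservice/region": "eu-west-1",
    }
    print(audit(planned))
    for name, value in planned.items():
        print(put_parameter_argv(name, value))
```

Pass the returned list to `subprocess.run` without `shell=True` so the value is not re-parsed by a shell.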

otanner commented Jan 8, 2018

Thanks for the reply. This feature is actually really useful especially when used with file:// but only after running the command with debug mode and looking more into the source code I understood this is done to almost all the parameters.

Would it be possible to add a command line parameter for setting no_paramfile temporarily true?

djhworld commented Jan 22, 2018

I've just encountered this too, it was very unexpected behaviour - especially as the documentation on this page https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PutParameter.html does not express this clearly, or link to the page @joguSD linked to above

FYI I am using this to put a webhook URL in the parameter store

myoung34 commented Jan 28, 2018

This is not a good feature and definitely is surprising....

$ aws-vault exec home -- aws ssm put-parameter --name /ops/jenkins/jenkins_url --type String --value "http://ci.redact.us:8080"

Error parsing parameter '--value': Unable to retrieve http://ci.redact.us:8080: ('Connection aborted.', gaierror(-2, 'Name or service not known'))

ASayre closed this Feb 6, 2018

ASayre reopened this Feb 6, 2018

ccdale commented Jun 3, 2018

As you already have a list of commands that this feature is disabled for, can ssm.put-parameter.value (this is probably not the correct nomenclature) be added to the PARAMFILE_DISABLED list in awscli/paramfile.py?

There is a slight inconsistency in the documentation here as though the README.rst specifically mentions the file and uri params feature, the individual example file for SSM put-parameter also states that putting values in single quotes leaves them unchanged (I suspect you just mean that the shell doesn't expand them, not that they are immune to further processing).

ccdale commented Jun 4, 2018

I've created a patch and tested it against python2.7, python3.5 and python3.6 - sorry, as I don't have access to python2.6/3.3/3.4 I can't test it against those, so haven't created a pull request.
ssm-not-expand-param-value.patch.txt

farrellit commented Jun 15, 2018

Maybe if the single quotes themselves were part of the value, and not eaten by the shell, that would work?

Contributor

stealthycoin commented Jul 2, 2018

Closing due to #3398
