AWS Systems Manager (formerly Amazon Simple Systems Manager, or SSM) is a service that you can use to view and control your infrastructure on AWS. One of the most useful features of SSM for microservices is the Parameter Store, which provides secure, hierarchical storage for configuration data management and secrets management..
You can find more information about SSM at the AWS Systems Manager website.
The SSM extension is based on AWS Java SDK 2.x. It’s a major rewrite of the 1.x code base that offers two programming models (Blocking & Async). |
This technology is considered preview. In preview, backward compatibility and presence in the ecosystem is not guaranteed. Specific improvements might require to change configuration or APIs and plans to become stable are under way. Feedback is welcome on our mailing list or as issues in our GitHub issue tracker. For a full list of possible extension statuses, check our FAQ entry. |
The Quarkus extension supports two programming models:
-
Blocking access using URL Connection HTTP client (by default) or the Apache HTTP Client
-
Asynchronous programming based on JDK’s
CompletableFuture
objects and the Netty HTTP client.
In this guide, we see how you can get your REST services to use SSM locally and on AWS.
Prerequisites
To complete this guide, you need:
-
JDK 11+ installed with
JAVA_HOME
configured appropriately -
an IDE
-
Apache Maven 3.8.1
-
An AWS Account to access the SSM service
-
Docker for your system to run SSM locally for testing purposes
Set up SSM locally
The easiest way to start working with SSM is to run a local instance as a container.
docker run --rm --name local-ssm --publish 8014:4583 -e SERVICES=ssm -e START_WEB=0 -d localstack/localstack:0.11.1
This starts a SSM instance that is accessible on port 8014
.
Create an AWS profile for your local instance using AWS CLI:
$ aws configure --profile localstack
AWS Access Key ID [None]: test-key
AWS Secret Access Key [None]: test-secret
Default region name [None]: us-east-1
Default output format [None]:
Solution
The application built here allows to store and retrieve parameters using the SSM parameter store.
We recommend that you follow the instructions in the next sections and create the application step by step. However, you can go right to the completed example.
Clone the Git repository: git clone https://github.com/quarkusio/quarkus-quickstarts.git
, or download an archive.
The solution is located in the amazon-ssm-quickstart
directory.
Creating the Maven project
First, we need a new project. Create a new project with the following command:
mvn io.quarkus:quarkus-maven-plugin:2.0.2.Final:create \
-DprojectGroupId=org.acme \
-DprojectArtifactId=amazon-ssm-quickstart \
-DclassName="org.acme.ssm.QuarkusSsmSyncResource" \
-Dpath="/sync" \
-Dextensions="resteasy,resteasy-jackson,amazon-ssm,resteasy-mutiny"
cd amazon-ssm-quickstart
This command generates a Maven structure importing the RESTEasy/JAX-RS, Mutiny and Amazon SSM Client extensions.
After this, the amazon-ssm
extension has been added to your pom.xml
as well as the Mutiny support for RESTEasy.
Creating JSON REST service
In this example, we will create an application that allows us to store and retrieve parameters to and from SSM parameter store using a RESTful API. The example application will demonstrate the two programming models supported by the extension.
Let’s start with an abstract org.acme.ssm.QuarkusSsmResource
class to provide the common functionality we will need for both the synchronous and asynchrounous exposures.
package org.acme.ssm;
import static java.lang.Boolean.TRUE;
import static java.util.stream.Collectors.toMap;
import java.util.Map;
import java.util.stream.Collector;
import javax.annotation.PostConstruct;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import software.amazon.awssdk.services.ssm.model.GetParameterRequest;
import software.amazon.awssdk.services.ssm.model.GetParametersByPathRequest;
import software.amazon.awssdk.services.ssm.model.Parameter;
import software.amazon.awssdk.services.ssm.model.ParameterType;
import software.amazon.awssdk.services.ssm.model.PutParameterRequest;
public abstract class QuarkusSsmResource {
@ConfigProperty(name = "parameters.path") (1)
String parametersPath;
@PostConstruct (2)
void normalizePath() {
if (!parametersPath.startsWith("/")) {
parametersPath = "/" + parametersPath;
}
if (!parametersPath.endsWith("/")) {
parametersPath = parametersPath + "/";
}
}
protected Collector<Parameter, ?, Map<String, String>> parametersToMap() { (3)
return toMap(p -> p.name().substring(parametersPath.length()), Parameter::value);
}
protected GetParametersByPathRequest generateGetParametersByPathRequest() {
return GetParametersByPathRequest.builder() (4)
.path(parametersPath)
.withDecryption(TRUE)
.build();
}
protected PutParameterRequest generatePutParameterRequest(String name, String value, boolean secure) {
return PutParameterRequest.builder() (5)
.name(parametersPath + name)
.value(value)
.type(secure ? ParameterType.SECURE_STRING : ParameterType.STRING)
.overwrite(TRUE)
.build();
}
protected GetParameterRequest generateGetParameterRequest(String name) {
return GetParameterRequest.builder() (6)
.name(parametersPath + name)
.withDecryption(TRUE)
.build();
}
}
1 | Inject a configured path under which to store parameters |
2 | Ensure the path starts and ends with / |
3 | Collect parameters into a map of simple names and values |
4 | Generate a request for all parameters under the configured path |
5 | Generate a request to set a specific parameter |
6 | Generate a request to get a specific parameter value |
Now, we can extend the class and create the synchronous implementation in the org.acme.ssm.QuarkusSsmSyncResource
class.
package org.acme.ssm;
import java.util.Map;
import javax.inject.Inject;
import javax.ws.rs.Consumes;
import javax.ws.rs.DefaultValue;
import javax.ws.rs.GET;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import software.amazon.awssdk.services.ssm.SsmClient;
@Path("/sync")
public class QuarkusSsmSyncResource extends QuarkusSsmResource {
@Inject (1)
SsmClient ssm;
@GET
@Produces(MediaType.APPLICATION_JSON)
public Map<String, String> getParameters() {
return ssm.getParametersByPath(generateGetParametersByPathRequest())
.parameters().stream().collect(parametersToMap());
}
@PUT
@Path("/{name}")
@Consumes(MediaType.TEXT_PLAIN)
public void setParameter(@PathParam("name") String name,
@QueryParam("secure") @DefaultValue("false") boolean secure,
String value) {
ssm.putParameter(generatePutParameterRequest(name, value, secure));
}
@GET
@Path("/{name}")
@Produces(MediaType.TEXT_PLAIN)
public String getParameter(@PathParam("name") String name) {
return ssm.getParameter(generateGetParameterRequest(name))
.parameter().value();
}
}
1 | Inject the client provided by the amazon-ssm extension |
Using the Amazon SSM SDK, we can easily store and retrieve arbitrary name/value pairs, and we can optionally store the values in a secure manner.
Configuring SSM clients
Both SSM clients (sync and async) are configurable via the application.properties
file that can be provided in the src/main/resources
directory.
Additionally, you need to add to the classpath a proper implementation of the sync client. By default the extension uses the URL connection HTTP client, so
you need to add a URL connection client dependency to the pom.xml
file:
<dependency>
<groupId>software.amazon.awssdk</groupId>
<artifactId>url-connection-client</artifactId>
</dependency>
If you want to use Apache HTTP client instead, configure it as follows:
quarkus.ssm.sync-client.type=apache
And add the following dependency to the application pom.xml
:
<dependency>
<groupId>software.amazon.awssdk</groupId>
<artifactId>apache-client</artifactId>
</dependency>
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-apache-httpclient</artifactId>
</dependency>
If you’re going to use a local SSM instance, configure it as follows:
quarkus.ssm.endpoint-override=http://localhost:8014 (1)
quarkus.ssm.aws.region=us-east-1 (2)
quarkus.ssm.aws.credentials.type=static (3)
quarkus.ssm.aws.credentials.static-provider.access-key-id=test-key
quarkus.ssm.aws.credentials.static-provider.secret-access-key=test-secret
1 | Override the SSM client to use localstack instead of the actual AWS service |
2 | Localstack defaults to us-east-1 |
3 | The static credentials provider lets you set the access-key-id and secret-access-key directly |
If you want to work with an AWS account, you can simply remove or comment out all Amazon SSM related properties. By default, the SSM client extension will use the default
credentials provider chain that looks for credentials in this order:
-
Java System Properties -
aws.accessKeyId
andaws.secretAccessKey
-
Environment Variables -
AWS_ACCESS_KEY_ID
andAWS_SECRET_ACCESS_KEY
-
Credential profiles file at the default location (
~/.aws/credentials
) shared by all AWS SDKs and the AWS CLI -
Credentials delivered through the Amazon ECS if the
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
environment variable is set and the security manager has permission to access the variable, -
Instance profile credentials delivered through the Amazon EC2 metadata service
And the region from your AWS CLI profile will be used.
Next steps
Packaging
Packaging your application is as simple as ./mvnw clean package
.
It can then be run with java -Dparameters.path=/quarkus/is/awesome/ -jar target/quarkus-app/quarkus-run.jar
.
With GraalVM installed, you can also create a native executable binary: ./mvnw clean package -Dnative
.
Depending on your system, that will take some time.
Going asynchronous
Thanks to the AWS SDK v2.x used by the Quarkus extension, you can use the asynchronous programming model out of the box.
Create a org.acme.ssm.QuarkusSsmAsyncResource
REST resource that will be similar to our QuarkusSsmSyncResource
but using an asynchronous programming model.
package org.acme.ssm;
import java.util.Map;
import javax.inject.Inject;
import javax.ws.rs.Consumes;
import javax.ws.rs.DefaultValue;
import javax.ws.rs.GET;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import io.smallrye.mutiny.Uni;
import software.amazon.awssdk.services.ssm.SsmAsyncClient;
@Path("/async")
public class QuarkusSsmAsyncResource extends QuarkusSsmResource {
@Inject
SsmAsyncClient ssm;
@GET
@Produces(MediaType.APPLICATION_JSON)
public Uni<Map<String, String>> getParameters() {
return Uni.createFrom().completionStage(ssm.getParametersByPath(generateGetParametersByPathRequest()))
.onItem().transform(r -> r.parameters().stream().collect(parametersToMap()));
}
@PUT
@Path("/{name}")
@Consumes(MediaType.TEXT_PLAIN)
public Uni<Void> setParameter(@PathParam("name") String name,
@QueryParam("secure") @DefaultValue("false") boolean secure,
String value) {
return Uni.createFrom().completionStage(ssm.putParameter(generatePutParameterRequest(name, value, secure)))
.onItem().transform(r -> null);
}
@GET
@Path("/{name}")
@Produces(MediaType.TEXT_PLAIN)
public Uni<String> getParameter(@PathParam("name") String name) {
return Uni.createFrom().completionStage(ssm.getParameter(generateGetParameterRequest(name)))
.onItem().transform(r -> r.parameter().value());
}
}
Note that the SsmAsyncClient
behaves just like the SsmClient
, but returns CompletionStage
objects which we use to create Uni
instances, and then transform the emitted item.
To enable the asynchronous client, we also need to add the Netty HTTP client dependency to the pom.xml
:
<dependency>
<groupId>software.amazon.awssdk</groupId>
<artifactId>netty-nio-client</artifactId>
</dependency>
Configuration Reference
Configuration property fixed at build time - All other configuration properties are overridable at runtime
Type |
Default |
|
---|---|---|
List of execution interceptors that will have access to read and modify the request and response objects as they are processed by the AWS SDK.
The list should consists of class names which implements |
list of string |
|
Type of the sync HTTP client implementation |
|
|
Type |
Default |
|
The endpoint URI with which the SDK should communicate. If not specified, an appropriate endpoint to be used for the given service and region. |
||
The amount of time to allow the client to complete the execution of an API call. This timeout covers the entire client execution except for marshalling. This includes request handler execution, all HTTP requests including retries, unmarshalling, etc. This value should always be positive, if present. |
||
The amount of time to wait for the HTTP request to complete before giving up and timing out. This value should always be positive, if present. |
||
Type |
Default |
|
An Amazon Web Services region that hosts the given service. It overrides region provider chain with static value of region with which the service client should communicate. If not set, region is retrieved via the default providers chain in the following order:
See |
Region |
|
Configure the credentials provider that should be used to authenticate with AWS. Available values:
|
|
|
Type |
Default |
|
Whether this provider should fetch credentials asynchronously in the background.
If this is |
boolean |
|
Whether the provider should reuse the last successful credentials provider in the chain. Reusing the last successful credentials provider will typically return credentials faster than searching through the chain. |
boolean |
|
Type |
Default |
|
AWS Access key id |
string |
|
AWS Secret access key |
string |
|
Type |
Default |
|
The name of the profile that should be used by this credentials provider.
If not specified, the value in |
string |
|
Type |
Default |
|
Whether the provider should fetch credentials asynchronously in the background. If this is true, threads are less likely to block when credentials are loaded, but additional resources are used to maintain the provider. |
boolean |
|
The amount of time between when the credentials expire and when the credentials should start to be refreshed. This allows the credentials to be refreshed *before* they are reported to expire. |
|
|
The maximum size of the output that can be returned by the external process before an exception is raised. |
|
|
The command that should be executed to retrieve credentials. |
string |
|
Type |
Default |
|
The maximum amount of time to establish a connection before timing out. |
|
|
The amount of time to wait for data to be transferred over an established, open connection before the connection is timed out. |
|
|
TLS key managers provider type. Available providers:
|
|
|
Path to the key store. |
path |
|
Key store type. See the KeyStore section in the https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#KeyStore[Java Cryptography Architecture Standard Algorithm Name Documentation] for information about standard keystore types. |
string |
|
Key store password |
string |
|
TLS trust managers provider type. Available providers:
|
|
|
Path to the key store. |
path |
|
Key store type. See the KeyStore section in the https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#KeyStore[Java Cryptography Architecture Standard Algorithm Name Documentation] for information about standard keystore types. |
string |
|
Key store password |
string |
|
Type |
Default |
|
The amount of time to wait when acquiring a connection from the pool before giving up and timing out. |
|
|
The maximum amount of time that a connection should be allowed to remain open while idle. |
|
|
The maximum amount of time that a connection should be allowed to remain open, regardless of usage frequency. |
||
The maximum number of connections allowed in the connection pool. Each built HTTP client has its own private connection pool. |
int |
|
Whether the client should send an HTTP expect-continue handshake before each request. |
boolean |
|
Whether the idle connections in the connection pool should be closed asynchronously.
When enabled, connections left idling for longer than |
boolean |
|
Enable HTTP proxy |
boolean |
|
The endpoint of the proxy server that the SDK should connect through. Currently, the endpoint is limited to a host and port. Any other URI components will result in an exception being raised. |
||
The username to use when connecting through a proxy. |
string |
|
The password to use when connecting through a proxy. |
string |
|
For NTLM proxies - the Windows domain name to use when authenticating with the proxy. |
string |
|
For NTLM proxies - the Windows workstation name to use when authenticating with the proxy. |
string |
|
Whether to attempt to authenticate preemptively against the proxy server using basic authentication. |
boolean |
|
The hosts that the client is allowed to access without going through the proxy. |
list of string |
|
Type |
Default |
|
The maximum number of allowed concurrent requests. For HTTP/1.1 this is the same as max connections. For HTTP/2 the number of connections that will be used depends on the max streams allowed per connection. |
int |
|
The maximum number of pending acquires allowed. Once this exceeds, acquire tries will be failed. |
int |
|
The amount of time to wait for a read on a socket before an exception is thrown.
Specify |
|
|
The amount of time to wait for a write on a socket before an exception is thrown.
Specify |
|
|
The amount of time to wait when initially establishing a connection before giving up and timing out. |
|
|
The amount of time to wait when acquiring a connection from the pool before giving up and timing out. |
|
|
The maximum amount of time that a connection should be allowed to remain open, regardless of usage frequency. |
||
The maximum amount of time that a connection should be allowed to remain open while idle.
Currently has no effect if |
|
|
Whether the idle connections in the connection pool should be closed.
When enabled, connections left idling for longer than |
boolean |
|
The HTTP protocol to use. |
|
|
The SSL Provider to be used in the Netty client.
Default is |
|
|
The maximum number of concurrent streams for an HTTP/2 connection. This setting is only respected when the HTTP/2 protocol is used. |
long |
|
The initial window size for an HTTP/2 stream. This setting is only respected when the HTTP/2 protocol is used. |
int |
|
Sets the period that the Netty client will send |
|
|
Enable HTTP proxy. |
boolean |
|
The endpoint of the proxy server that the SDK should connect through. Currently, the endpoint is limited to a host and port. Any other URI components will result in an exception being raised. |
||
The hosts that the client is allowed to access without going through the proxy. |
list of string |
|
TLS key managers provider type. Available providers:
|
|
|
Path to the key store. |
path |
|
Key store type. See the KeyStore section in the https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#KeyStore[Java Cryptography Architecture Standard Algorithm Name Documentation] for information about standard keystore types. |
string |
|
Key store password |
string |
|
TLS trust managers provider type. Available providers:
|
|
|
Path to the key store. |
path |
|
Key store type. See the KeyStore section in the https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#KeyStore[Java Cryptography Architecture Standard Algorithm Name Documentation] for information about standard keystore types. |
string |
|
Key store password |
string |
|
Enable the custom configuration of the Netty event loop group. |
boolean |
|
Number of threads to use for the event loop group.
If not set, the default Netty thread count is used (which is double the number of available processors unless the |
int |
|
The thread name prefix for threads created by this thread factory used by event loop group.
The prefix will be appended with a number unique to the thread factory and a number unique to the thread.
If not specified it defaults to |
string |
About the Duration format
The format for durations uses the standard You can also provide duration values starting with a number.
In this case, if the value consists only of a number, the converter treats the value as seconds.
Otherwise, |
About the MemorySize format
A size configuration option recognises string in this format (shown as a regular expression): |