Parameters

This section describes the parameters for each service of RISKEN.

Service Parameters

• Common
• Gateway
• Core
• AWS
• Google
• Diagnosis
• OSINT
• Code

Supports AWS Parameter Store

RISKEN supports AWS Parameter Store to safely pass parameters during application runtime.

Using Parameter Store provides the following benefits:

• Avoids saving credentials in source code
• Encryption by KMS and decryption at runtime (Envelope Encryption)
  • Separation of authority between "saving (encryption)" and "using (decryption)" of credentials
  • Audit logs of credential operations can be retained
  • If you save credentials, please specify Secret String.
  • For details, please refer to the official documentation .

Mechanism and Usage

At the entry point of each container execution, env-injector is executed.

By specifying the storage location in Parameter Store in env-injector (ENV_INJECTOR_PATH or ENV_INJECTOR_META_CONFIG), registered values can be loaded into the container as environment variables.

If you want to use SecretsManager instead of Parameter Store, please specify ENV_INJECTOR_SECRET_NAME.

For details, please refer to the README.md of env-injector .

Parameter Store Configuration Example

1. For example, specify the following environment variables (ENV_INJECTOR_META_CONFIG) for the finding service:

   - ENV_INJECTOR_META_CONFIG: /prd/meta/core/finding
   

   • The Path is specified in the format of /{env}/meta/{name_space}/{service_name}.
     • The {env} part is intended to identify the system environment.
     • The {name_space} part is the name space for each RISKEN.
     • The {service_name} part is the name of the RISKEN service.
2. The Parameter Store specified in 1 above is loaded at container runtime.

3. Assume that the following values are saved in yaml format in /prd/meta/core/finding:

   - parameter_store_path: /prd/common
   - parameter_store_path: /prd/core/finding
   

4. The parameter_store_path specified in step 3 is loaded in order:

   • First, the Parameter Store paths under /prd/common/ are referenced.
     • Assume the following parameters are registered under /prd/common/:

       - /prd/common/DB_HOST
       - /prd/common/DB_USER
       - /prd/common/DB_PASSWORD
       

     • The following values are loaded as environment variables in the container:

       - DB_HOST: localhost
       - DB_USER: hoge
       - DB_PASSWORD: moge
       

   • Next, the Parameter Store paths under /prd/core/finding are referenced.
     • Assume the following parameters are registered under /prd/core/finding/:

       - /prd/core/finding/SERVICE_ADDRESS
       - /prd/core/finding/ENABLE_DEBUG_LOG
       

     • The following values are loaded as environment variables in the container:

       - SERVICE_ADDRESS: localhost
       - ENABLE_DEBUG_LOG: true
       

5. Finally, the environment variables loaded into the container are as follows:

   - DB_HOST: localhost
   - DB_USER: hoge
   - DB_PASSWORD: moge
   - SERVICE_ADDRESS: localhost
   - ENABLE_DEBUG_LOG: true