
Creating a free form configuration profile in Amazon AppConfig

A configuration profile includes, among other things, a URI that enables Amazon AppConfig to locate your configuration data in its stored location and a profile type. Amazon AppConfig supports two configuration profile types: feature flags and freeform configurations. Feature flag configuration profiles store their data in the Amazon AppConfig hosted configuration store and the URI is simply hosted. For freeform configuration profiles, you can store your data in the Amazon AppConfig hosted configuration store or any of the following Amazon services and Systems Manager capabilities:

| Location | Supported file types |
|---|---|
| Amazon AppConfig hosted configuration store | YAML, JSON, and text if added using the Amazon Web Services Management Console. Any file type if added using the Amazon AppConfig CreateHostedConfigurationVersion API action. |
| Amazon Simple Storage Service (Amazon S3) | Any |
| Amazon CodePipeline | Pipeline (as defined by the service) |
| Amazon Secrets Manager | Secret (as defined by the service) |
| Amazon Systems Manager Parameter Store | Standard and secure string parameters (as defined by Parameter Store) |
| Amazon Systems Manager document store (SSM documents) | YAML, JSON, text |

A configuration profile can also include optional validators to ensure your configuration data is syntactically and semantically correct. Amazon AppConfig performs a check using the validators when you start a deployment. If any errors are detected, the deployment stops before making any changes to the targets of the configuration.

Note

If possible, we recommend hosting your configuration data in the Amazon AppConfig hosted configuration store as it offers the most features and enhancements.

For freeform configurations stored in the Amazon AppConfig hosted configuration store or SSM documents, you can create the freeform configuration by using the Systems Manager console at the time you create a configuration profile. The process is described later in this topic.

For freeform configurations stored in Parameter Store, Secrets Manager, or Amazon S3, you must create the parameter, secret, or object first and store it in the relevant configuration store. After you store the configuration data, use the procedure in this topic to create the configuration profile.

About configuration store quotas and limitations

Configuration stores supported by Amazon AppConfig have the following quotas and limitations.

| | Amazon AppConfig hosted configuration store | Amazon S3 | Systems Manager Parameter Store | Amazon Secrets Manager | Systems Manager Document store | Amazon CodePipeline |
|---|---|---|---|---|---|---|
| Configuration size limit | 2 MB default, 4 MB maximum | 2 MB. Enforced by Amazon AppConfig, not S3 | 4 KB (free tier) / 8 KB (advanced parameters) | 64 KB | 64 KB | 2 MB. Enforced by Amazon AppConfig, not CodePipeline |
| Resource storage limit | 1 GB | Unlimited | 10,000 parameters (free tier) / 100,000 parameters (advanced parameters) | 500,000 | 500 documents | Limited by the number of configuration profiles per application (100 profiles per application) |
| Server-side encryption | Yes | SSE-S3, SSE-KMS | Yes | Yes | No | Yes |
| Amazon CloudFormation support | Yes | Not for creating or updating data | Yes | Yes | No | Yes |
| Pricing | Free | See Amazon S3 pricing | See Amazon Systems Manager pricing | See Amazon Secrets Manager pricing | Free | See Amazon CodePipeline pricing |

About the Amazon AppConfig hosted configuration store

Amazon AppConfig includes an internal or hosted configuration store. Configurations must be 2 MB or smaller. The Amazon AppConfig hosted configuration store provides the following benefits over other configuration store options.

  • You don't need to set up and configure other services such as Amazon Simple Storage Service (Amazon S3) or Parameter Store.

  • You don't need to configure Amazon Identity and Access Management (IAM) permissions to use the configuration store.

  • You can store configurations in YAML, JSON, or as text documents.

  • There is no cost to use the store.

  • You can create a configuration and add it to the store when you create a configuration profile.

About configurations stored in Amazon S3

You can store configurations in an Amazon Simple Storage Service (Amazon S3) bucket. When you create the configuration profile, you specify the URI to a single S3 object in a bucket. You also specify the Amazon Resource Name (ARN) of an Amazon Identity and Access Management (IAM) role that gives Amazon AppConfig permission to get the object. Before you create a configuration profile for an Amazon S3 object, be aware of the following restrictions.

| Restriction | Details |
|---|---|
| Size | Configurations stored as S3 objects can be a maximum of 1 MB in size. |
| Object encryption | A configuration profile can target SSE-S3 and SSE-KMS encrypted objects. |
| Storage classes | Amazon AppConfig supports the following S3 storage classes: STANDARD, INTELLIGENT_TIERING, REDUCED_REDUNDANCY, STANDARD_IA, and ONEZONE_IA. The following classes are not supported: All S3 Glacier classes (GLACIER and DEEP_ARCHIVE). |
| Versioning | Amazon AppConfig requires that the S3 object use versioning. |

Configuring permissions for a configuration stored as an Amazon S3 object

When you create a configuration profile for a configuration stored as an S3 object, you must specify an ARN for an IAM role that gives Amazon AppConfig permission to get the object. The role must include the following permissions.

Permissions to access the S3 object

  • s3:GetObject

  • s3:GetObjectVersion

Permissions to list S3 buckets

s3:ListAllMyBuckets

Permissions to access the S3 bucket where the object is stored

  • s3:GetBucketLocation

  • s3:GetBucketVersioning

  • s3:ListBucket

  • s3:ListBucketVersions

Complete the following procedure to create a role that enables Amazon AppConfig to get a configuration stored in an S3 object.

Creating the IAM Policy for Accessing an S3 Object

Use the following procedure to create an IAM policy that enables Amazon AppConfig to get a configuration stored in an S3 object.

To create an IAM policy for accessing an S3 object
  1. Open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Policies, and then choose Create policy.

  3. On the Create policy page, choose the JSON tab.

  4. Update the following sample policy with information about your S3 bucket and configuration object. Then paste the policy into the text field on the JSON tab.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:GetObjectVersion"
                ],
                "Resource": "arn:aws-cn:s3:::my-bucket/my-configurations/my-configuration.json"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:GetBucketVersioning",
                    "s3:ListBucketVersions",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws-cn:s3:::my-bucket"
                ]
            },
            {
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "*"
            }
        ]
    }

  5. Choose Review policy.

  6. On the Review policy page, type a name in the Name box, and then type a description.

  7. Choose Create policy. The system returns you to the Roles page.

Creating the IAM Role for Accessing an S3 Object

Use the following procedure to create an IAM role that enables Amazon AppConfig to get a configuration stored in an S3 object.

To create an IAM role for accessing an Amazon S3 object
  1. Open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Roles, and then choose Create role.

  3. In the Select type of trusted entity section, choose Amazon service.

  4. In the Choose a use case section, under Common use cases, choose EC2, and then choose Next: Permissions.

  5. On the Attach permissions policy page, in the search box, enter the name of the policy you created in the previous procedure.

  6. Choose the policy and then choose Next: Tags.

  7. On the Add tags (optional) page, enter a key and an optional value, and then choose Next: Review.

  8. On the Review page, type a name in the Role name field, and then type a description.

  9. Choose Create role. The system returns you to the Roles page.

  10. On the Roles page, choose the role you just created to open the Summary page. Note the Role Name and Role ARN. You will specify the role ARN when you create the configuration profile later in this topic.

Creating a Trust Relationship

Use the following procedure to configure the role you just created to trust Amazon AppConfig.

To add a trust relationship
  1. In the Summary page for the role you just created, choose the Trust Relationships tab, and then choose Edit Trust Relationship.

  2. Delete "ec2.amazonaws.com" and add "appconfig.amazonaws.com", as shown in the following example.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "appconfig.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

  3. Choose Update Trust Policy.
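
The permissions and trust relationship described above can be checked offline before the role ARN goes into a configuration profile. The following Python script is an added example, not part of the AWS documentation: the function names and the two sample policies are constructed here, and it looks only at Allow statements (Deny, NotAction, and Condition blocks are out of scope).

```python
from fnmatch import fnmatchcase

# Actions the page lists for the retrieval role, grouped by the resource they apply to.
OBJECT_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion"}
BUCKET_ACTIONS = {"s3:GetBucketLocation", "s3:GetBucketVersioning",
                  "s3:ListBucket", "s3:ListBucketVersions"}
ACCOUNT_ACTIONS = {"s3:ListAllMyBuckets"}  # the page's sample policy scopes this to "*"
REQUIRED = OBJECT_ACTIONS | BUCKET_ACTIONS | ACCOUNT_ACTIONS
APPCONFIG = "appconfig.amazonaws.com"

def _as_list(value):  # IAM JSON accepts a single value or a list
    return value if isinstance(value, list) else [value]
def _allows(doc):
    return [s for s in _as_list(doc.get("Statement", [])) if s.get("Effect") == "Allow"]

def audit_permissions(policy):
    """Findings for the permissions policy attached to the retrieval role."""
    findings, granted = [], set()
    for stmt in _allows(policy):
        resources = _as_list(stmt.get("Resource", []))
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive and may contain wildcards.
            hits = {a for a in REQUIRED if fnmatchcase(a.lower(), pattern.lower())}
            granted |= hits
            if "*" in pattern or "?" in pattern or not hits:
                findings.append(f"excess action: {pattern}")
            elif not hits <= ACCOUNT_ACTIONS and any("*" in r for r in resources):
                findings.append(f"wildcard resource for {pattern}")
    return findings + [f"missing action: {a}" for a in sorted(REQUIRED - granted)]

def audit_trust(trust):
    """Findings for the trust policy: only AppConfig should be able to assume the role."""
    findings, services = [], set()
    for stmt in _allows(trust):
        principal = stmt.get("Principal", {})
        if principal == "*" or set(principal) - {"Service"}:
            findings.append("principal other than a service is trusted")
        if isinstance(principal, dict):
            services |= set(_as_list(principal.get("Service", [])))
    if APPCONFIG not in services:
        findings.append(f"{APPCONFIG} is not trusted")
    return findings + [f"unexpected trusted service: {s}" for s in sorted(services - {APPCONFIG})]

# Constructed samples: EC2 trust left unedited; object path wildcarded, actions omitted.
STALE_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                              "Principal": {"Service": "ec2.amazonaws.com"}}]}
LOOSE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion"],
     "Resource": "arn:aws-cn:s3:::my-bucket/*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws-cn:s3:::my-bucket"}]}

if __name__ == "__main__":
    print("\n".join(audit_trust(STALE_TRUST) + audit_permissions(LOOSE_POLICY)))
```

The sample policy and trust relationship shown in the procedures above produce no findings from either function.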

Creating a freeform configuration and configuration profile

This section describes how to create a freeform configuration and configuration profile. Before you begin, note the following information.

  • The following procedure requires you to specify an IAM service role so that Amazon AppConfig can access your configuration data in the configuration store you choose. This role is not required if you use the Amazon AppConfig hosted configuration store. If you choose S3, Parameter Store, or the Systems Manager document store, then you must either choose an existing IAM role or choose the option to have the system automatically create the role for you. For more information about this role, see About the configuration profile IAM role.

  • The following procedure also gives you the option to associate an extension with a feature flag configuration profile. An extension augments your ability to inject logic or behavior at different points during the Amazon AppConfig workflow of creating or deploying a configuration. For more information, see About Amazon AppConfig extensions.

  • If you want to create a configuration profile for configurations stored in S3, you must configure permissions. For more information about permissions and other requirements for using S3 as a configuration store, see About configurations stored in Amazon S3.

  • If you want to use validators, review the details and requirements for using them. For more information, see About validators.

Creating an Amazon AppConfig freeform configuration profile (console)

Use the following procedure to create an Amazon AppConfig freeform configuration profile and (optionally) a freeform configuration by using the Amazon Systems Manager console.

To create a freeform configuration profile
  1. Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/appconfig/.

  2. In the navigation pane, choose Applications, and then choose an application you created in Creating a namespace for your application in Amazon AppConfig.

  3. Choose the Configuration profiles and feature flags tab, and then choose Create configuration.

  4. In the Configuration options section, choose Freeform configuration.

  5. For Configuration profile name, enter a name for the configuration profile.

  6. (Optional) Expand Description and enter a description.

  7. (Optional) Expand Additional options and complete the following, as necessary.

    1. In the Associate extensions section, choose an extension from the list.

    2. In the Tags section, choose Add new tag, and then specify a key and optional value.

  8. Choose Next.

  9. On the Specify configuration data page, in the Configuration definition section, choose an option.

  10. Complete the fields for the option you selected, as described in the following table.

    Option selected, followed by details:

      • Amazon AppConfig hosted configuration: Choose either Text, JSON, or YAML, and enter your configuration in the field. Go to Step 12 in this procedure.

      • Amazon S3 object: Enter the object URI in the S3 object source field and go to Step 11 in this procedure.

      • Amazon CodePipeline: Choose Next and go to Step 12 in this procedure.

      • Secrets Manager secret: Choose the secret from the list and go to Step 11 in this procedure.

      • Amazon Systems Manager parameter: Choose the parameter from the list and go to Step 11 in this procedure.

      • Amazon Systems Manager document:

        1. Choose a document from the list or choose Create new document.

        2. If you choose Create new document, for Document name, enter a name. Optionally, expand Version name and enter a name for the document version.

        3. For Application configuration schema, either choose the JSON schema from the list or choose Create schema. If you choose Create schema, Systems Manager opens the Create schema page. Enter the schema details, and then choose Create application configuration schema.

        4. In the Content section, choose either YAML or JSON and then enter the configuration data in the field.

  11. In the Service role section, choose New service role to have Amazon AppConfig create the IAM role that provides access to the configuration data. Amazon AppConfig automatically populates the Role name field based on the name you entered earlier. Or, choose Existing service role. Choose the role by using the Role ARN list.

  12. Optionally, on the Add validators page, choose either JSON Schema or Amazon Lambda. If you choose JSON Schema, enter the JSON Schema in the field. If you choose Amazon Lambda, choose the function Amazon Resource Name (ARN) and the version from the list.

    Important

    Configuration data stored in SSM documents must validate against an associated JSON Schema before you can add the configuration to the system. SSM parameters do not require a validation method, but we recommend that you create a validation check for new or updated SSM parameter configurations by using Amazon Lambda.

  13. Choose Next.

  14. On the Review and save page, choose Save and continue to deploy.

Important

If you created a configuration profile for Amazon CodePipeline, then you must create a pipeline in CodePipeline that specifies Amazon AppConfig as the deploy provider. You don't need to perform Deploying feature flags and configuration data in Amazon AppConfig. However, you must configure a client to receive application configuration updates as described in Retrieving configurations by directly calling APIs. For information about creating a pipeline that specifies Amazon AppConfig as the deploy provider, see Tutorial: Create a Pipeline that Uses Amazon AppConfig as a Deployment Provider in the Amazon CodePipeline User Guide.

Proceed to Deploying feature flags and configuration data in Amazon AppConfig.

Creating an Amazon AppConfig freeform configuration profile (command line)

The following procedure describes how to use the Amazon CLI (on Linux or Windows) or Amazon Tools for PowerShell to create an Amazon AppConfig freeform configuration profile. If you prefer, you can use Amazon CloudShell to run the commands listed below. For more information, see What is Amazon CloudShell? in the Amazon CloudShell User Guide.

Note

For freeform configurations hosted in the Amazon AppConfig hosted configuration store, you specify hosted for the location URI.

To create a configuration profile by using the Amazon CLI
  1. Open the Amazon CLI.

  2. Run the following command to create a freeform configuration profile.

    Linux

    aws appconfig create-configuration-profile \
      --application-id The_application_ID \
      --name A_name_for_the_configuration_profile \
      --description A_description_of_the_configuration_profile \
      --location-uri A_URI_to_locate_the_configuration or hosted \
      --retrieval-role-arn The_ARN_of_the_IAM_role_with_permission_to_access_the_configuration_at_the_specified_LocationUri \
      --tags User_defined_key_value_pair_metadata_of_the_configuration_profile \
      --validators "Content=JSON_Schema_content_or_the_ARN_of_an_Amazon Lambda_function,Type=JSON_SCHEMA or LAMBDA"

    Windows

    aws appconfig create-configuration-profile ^
      --application-id The_application_ID ^
      --name A_name_for_the_configuration_profile ^
      --description A_description_of_the_configuration_profile ^
      --location-uri A_URI_to_locate_the_configuration or hosted ^
      --retrieval-role-arn The_ARN_of_the_IAM_role_with_permission_to_access_the_configuration_at_the_specified_LocationUri ^
      --tags User_defined_key_value_pair_metadata_of_the_configuration_profile ^
      --validators "Content=JSON_Schema_content_or_the_ARN_of_an_Amazon Lambda_function,Type=JSON_SCHEMA or LAMBDA"

    PowerShell

    New-APPCConfigurationProfile `
      -Name A_name_for_the_configuration_profile `
      -ApplicationId The_application_ID `
      -Description Description_of_the_configuration_profile `
      -LocationUri A_URI_to_locate_the_configuration or hosted `
      -RetrievalRoleArn The_ARN_of_the_IAM_role_with_permission_to_access_the_configuration_at_the_specified_LocationUri `
      -Tag Hashtable_type_user_defined_key_value_pair_metadata_of_the_configuration_profile `
      -Validators "Content=JSON_Schema_content_or_the_ARN_of_an_Amazon Lambda_function,Type=JSON_SCHEMA or LAMBDA"

Important

Note the following important information.

Proceed to Deploying feature flags and configuration data in Amazon AppConfig.