AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can store values as plain text or encrypted data. You can reference Systems Manager parameters in your scripts, commands, SSM documents, and configuration and automation workflows by using the unique name that you specified when you created the parameter.
In this lab you will create a Secure String parameter and retrieve it using the Console and CLI.
Fill out the data for adding your secret
KMS Key Source: My current account (uses the default KMS key or specify a CMK of your choice)
KMS Key ID: alias/aws/ssm (AWS managed key for Systems Manager)
Value: This is your secret data whether that is configuration data, passwords, connection strings, etc…
Tags: your choice. Tags are ideal for organizing your secrets so you do not get lost.
Select Create Parameter
You are brought back to the Parameter Store home screen. Now select your new secret.
You can Select Show to reveal the contents of the secret
History will show you the users who created, updated, or deleted the secret
Versions of the parameter are kept, but if you delete the parameter, the history is deleted as well.
In most use cases you would not use the Management Console to retrieve your secrets. You would use the CLI or SDK to gather this information programmatically as part of the task you are performing. Below is a basic exercise to retrieve the secret you made previously.
Navigate back to https://dashboard.eventengine.run
Pull up the credentials from the Event Engine Dashboard
Select AWS Console
Gather your access keys
Install AWS CLI - https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html
Once installed run aws configure and use the access keys above. Set region to
We made our secret a SecureString. When we run aws ssm get-parameter without the decryption flag, you can see the value of the parameter is obscured.
Command: aws ssm get-parameter --name "YOURNAME-secret1"
Now we add the --with-decryption flag.
Command: aws ssm get-parameter --name "YOURNAME-secret1" --with-decryption
You can see that the value is now in plain text
Then you would parse the JSON output with something like jq to be able to get the raw value
Command: aws ssm get-parameter --name "YOURNAME-secret1" --with-decryption | jq -r ".Parameter.Value"
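The retrieval step above, wrapped for use in a script, as an added example that is not part of the original lab. The function name fetch_secret is hypothetical; it uses the CLI's built-in --query and --output text options in place of jq, and refuses to return a parameter that is not stored as a SecureString.

```shell
#!/bin/sh
# Added example, not from the lab. fetch_secret is a hypothetical helper name.
#
# fetch_secret NAME
#   Prints the decrypted value of the SecureString parameter NAME on stdout.
#   Exits non-zero if the call fails, if the parameter is not a SecureString,
#   or if the value is empty, so a script never continues with a bad secret.
fetch_secret() (
    name="$1"
    tab="$(printf '\t')"

    # Ask for Type and Value together; text output puts them on one line,
    # separated by a tab. Errors from the CLI go to stderr as usual.
    out="$(aws ssm get-parameter --name "$name" --with-decryption \
        --query '[Parameter.Type, Parameter.Value]' --output text)" || {
        echo "fetch_secret: get-parameter failed for $name" >&2
        exit 1
    }

    # Guard against an unexpected response shape (no tab separator).
    case "$out" in
        *"$tab"*) ;;
        *) echo "fetch_secret: unexpected response for $name" >&2; exit 1 ;;
    esac

    type="${out%%"$tab"*}"    # text before the first tab
    value="${out#*"$tab"}"    # everything after the first tab

    # A secret stored as String or StringList is not encrypted at rest.
    if [ "$type" != "SecureString" ]; then
        echo "fetch_secret: $name has type $type, expected SecureString" >&2
        exit 1
    fi
    if [ -z "$value" ]; then
        echo "fetch_secret: $name returned an empty value" >&2
        exit 1
    fi

    printf '%s\n' "$value"
)

# Typical use: capture into a variable instead of printing to the terminal.
#   secret="$(fetch_secret "YOURNAME-secret1")" || exit 1
```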