AWS SSM Parameter Store

Inception

Hello everyone. This article is part of the Terraform + AWS series and does not depend on any other article. I use this series to publish AWS + Terraform projects and knowledge.

This article is based on the AWS documentation and practical experience, summarizing, collecting, and listing the important points.


Overview

Parameter Store, a capability of AWS Systems Manager, provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can store values as plain text or encrypted data. You can reference Systems Manager parameters in your scripts, commands, SSM documents, and configuration and automation workflows by using the unique name that you specified when you created the parameter. To get started with Parameter Store, open the Systems Manager console. In the navigation pane, choose Parameter Store.

Parameter Store is also integrated with Secrets Manager. You can retrieve Secrets Manager secrets when using other AWS services that already support references to Parameter Store parameters. For more information, see Referencing AWS Secrets Manager secrets from Parameter Store parameters.

Note

To implement password rotation lifecycles, use AWS Secrets Manager. You can rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle using Secrets Manager. For more information, see What is AWS Secrets Manager? in the AWS Secrets Manager User Guide.

Today’s article covers how to set and retrieve private and public Parameter Store parameters, and how to load their values into environment variables.


Managing parameter tiers

Parameter Store, a capability of AWS Systems Manager, includes standard parameters and advanced parameters. You individually configure parameters to use either the standard-parameter tier (the default tier) or the advanced-parameter tier.

You can change a standard parameter to an advanced parameter at any time, but you can’t revert an advanced parameter to a standard parameter. This is because reverting an advanced parameter to a standard parameter would cause the system to truncate the size of the parameter from 8 KB to 4 KB, resulting in data loss. Reverting would also remove any policies attached to the parameter. Also, advanced parameters use a different form of encryption than standard parameters. For more information, see How AWS Systems Manager Parameter Store uses AWS KMS in the AWS Key Management Service Developer Guide.

If you no longer need an advanced parameter, or if you no longer want to incur charges for an advanced parameter, delete it and recreate it as a new standard parameter.

The following table describes the differences between the tiers.

                                   | Standard | Advanced
Total number of parameters allowed | 10,000   | 100,000
Maximum size of a parameter value  | 4 KB     | 8 KB
Parameter policies available       | No       | Yes

For more information, see Assigning parameter policies in Parameter Store.

For more information, see AWS Systems Manager Pricing for Parameter Store


Specifying a default parameter tier

In requests to create or update a parameter (that is, the PutParameter operation), you can specify the parameter tier to use in the request. The following is an example, using the AWS Command Line Interface (AWS CLI).

Linux & macOS:

aws ssm put-parameter \
    --name "default-ami" \
    --type "String" \
    --value "t2.micro" \
    --tier "Standard"

Windows:

aws ssm put-parameter ^
    --name "default-ami" ^
    --type "String" ^
    --value "t2.micro" ^
    --tier "Standard"

Whenever you specify a tier in the request, Parameter Store creates or updates the parameter according to your request. However, if you don't explicitly specify a tier in a request, the Parameter Store default tier setting determines which tier the parameter is created in.

The default tier when you begin using Parameter Store is the standard-parameter tier. If you use the advanced-parameter tier, you can specify one of the following as the default:

  • Advanced: With this option, Parameter Store evaluates all requests as advanced parameters.

  • Intelligent-Tiering: With this option, Parameter Store evaluates each request to determine if the parameter is standard or advanced.

    If the request doesn't include any options that require an advanced parameter, the parameter is created in the standard-parameter tier. If one or more options requiring an advanced parameter are included in the request, Parameter Store creates a parameter in the advanced-parameter tier.

💡
You can change the default tier from the AWS Systems Manager Parameter Store web console after creating your first parameter.


Set a parameter value

  • Open AWS Systems Manager (SSM) and, in the left navigation bar, choose Parameter Store.

  • Choose Create parameter, specify “Test01” as the name, and leave everything else as default.

  • Press Create parameter.


Retrieve and Set an environment variable

Retrieve value

aws ssm get-parameter --name "<your_parameter_name>" --with-decryption --profile <profile_name>
$ aws ssm get-parameter --name "Test01" --with-decryption --profile pftest --output json | jq '.' > parameterStore.json
$ jq -r '.Parameter.Value' parameterStore.json
# parameterStore.json now holds the decrypted value in clear text; delete it once you are done

Or

aws ssm get-parameter --name "Test01" --with-decryption --profile pftest --output json | jq '.Parameter.Value'

Setting an environment variable

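# jq -r strips the JSON quotes; export turns the shell variable into an environment variable
parameter_value=$(aws ssm get-parameter --name "Test01" --with-decryption --profile pftest --output json | jq -r '.Parameter.Value')
export parameter_value

💡
You can therefore use it in an automated way, for example in your pipeline.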
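For pipeline use, the retrieval above can be wrapped so that a failed or empty lookup stops the job instead of exporting an empty secret. The following is an added example, not part of the original article; the function name ssm_export and its arguments are illustrative, and it uses the AWS CLI's own --query and --output text options in place of jq.

```shell
# Added example (not from the article): fail-closed loader for one parameter.
# Usage: ssm_export VAR_NAME PARAMETER_NAME [PROFILE]
ssm_export() {
    local var_name="$1" param_name="$2" profile="${3:-}"
    local value rc=0 had_x=0

    # Only accept a valid shell identifier as the target variable name.
    case $var_name in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "ssm_export: invalid variable name" >&2
            return 2 ;;
    esac

    # Pause xtrace (set -x) so a CI log never records the decrypted value.
    case $- in *x*) had_x=1; set +x ;; esac

    # --query/--output text return the bare value: no JSON quotes and no
    # intermediate file holding the decrypted secret on disk.
    if value=$(aws ssm get-parameter --name "$param_name" --with-decryption \
            ${profile:+--profile "$profile"} \
            --query 'Parameter.Value' --output text) && [ -n "$value" ]; then
        export "$var_name=$value"
    else
        echo "ssm_export: could not read a value for $param_name" >&2
        rc=1
    fi

    if [ "$had_x" -eq 1 ]; then set -x; fi
    return "$rc"
}

# Typical call in a pipeline step (stops the step on failure):
#   ssm_export PARAMETER_VALUE "Test01" pftest || exit 1
```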

Discover public parameters

Public parameters are parameters owned and maintained by other AWS services. Using public parameters, you can onboard other AWS services that reference common configuration data like EC2 AMI data. Unlike normal parameters, you do not need to manage public parameters.

You can find public parameters using the Public parameters tab. First, select a service. This populates the table with parameters owned by that service. Then, you can use the filter bar to further refine the results.

Retrieve public parameter values

List Parameter

aws ssm get-parameters-by-path --path "/aws/service/ami-amazon-linux-latest/" --output json --profile pftest

Get the latest EC2 AMI Value

aws ssm get-parameters --names "/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-arm64" --output json --profile pftest
{
    "Parameters": [
        {
            "Name": "/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-arm64",
            "Type": "String",
            "Value": "ami-02801556a781a4499",
            "Version": 64,
            "LastModifiedDate": "2024-10-19T01:46:29.976000+03:00",
            "ARN": "arn:aws:ssm:us-east-1::parameter/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-arm64",
            "DataType": "text"
        }
    ],
    "InvalidParameters": []
}

Set it as an environment variable

$ pubParam_linAmi=$(aws ssm get-parameter --name "/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-arm64" --output json --profile pftest | jq -r '.Parameter.Value')
$ export pubParam_linAmi
$ echo "$pubParam_linAmi"

Notes:

  1. Use get-parameter instead of get-parameters when setting an environment variable.

  2. Use get-parameter with --name instead of get-parameters-by-path with --path when setting environment variables.


Resources


That's it. Very straightforward, very fast 🚀. I hope this article inspired you, and I will appreciate your feedback. Thank you.


Written by

Mohamed El Eraki

Cloud & DevOps Engineer, Linux & Windows SysAdmin, PowerShell, Bash, Python Scriptwriter, Passionate about DevOps, Autonomous, and Self-Improvement, being DevOps Expert is my Aim.