Skip to content
Latchkey

How to Fetch SSM Parameter Store Values in GitHub Actions

After OIDC auth, the AWS CLI reads parameters by path; mask SecureString values before writing them to GITHUB_ENV.

Use aws ssm get-parameters-by-path --with-decryption to read a tree of parameters, then ::add-mask:: each value before appending it to $GITHUB_ENV.

Steps

  • Configure AWS credentials with OIDC (id-token: write).
  • Call aws ssm get-parameter or get-parameters-by-path --with-decryption.
  • Mask each SecureString value with ::add-mask:: before exporting it.
  • Append NAME=value to $GITHUB_ENV for later steps.

Workflow

.github/workflows/ci.yml
steps:
  - uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::111122223333:role/gha-ci
      aws-region: us-east-1
  - name: Load DB password from Parameter Store
    run: |
      VALUE=$(aws ssm get-parameter --name /prod/app/db_password \
        --with-decryption --query 'Parameter.Value' --output text)
      echo "::add-mask::$VALUE"
      echo "DB_PASSWORD=$VALUE" >> "$GITHUB_ENV"

Gotchas

  • Always pass --with-decryption for SecureString parameters, or you get the ciphertext back.
  • The role needs ssm:GetParameter/GetParametersByPath plus kms:Decrypt for SecureStrings.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →