How to Fetch SSM Parameter Store Values in GitHub Actions
After OIDC auth, the AWS CLI reads parameters by path; mask SecureString values before writing them to GITHUB_ENV.
Use aws ssm get-parameters-by-path --with-decryption to read a tree of parameters, then ::add-mask:: each value before appending it to $GITHUB_ENV.
Steps
- Configure AWS credentials with OIDC (
id-token: write). - Call
aws ssm get-parameterorget-parameters-by-path --with-decryption. - Mask each SecureString value with
::add-mask::before exporting it. - Append
NAME=valueto$GITHUB_ENVfor later steps.
Workflow
.github/workflows/ci.yml
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::111122223333:role/gha-ci
aws-region: us-east-1
- name: Load DB password from Parameter Store
run: |
VALUE=$(aws ssm get-parameter --name /prod/app/db_password \
--with-decryption --query 'Parameter.Value' --output text)
echo "::add-mask::$VALUE"
echo "DB_PASSWORD=$VALUE" >> "$GITHUB_ENV"Gotchas
- Always pass
--with-decryptionfor SecureString parameters, or you get the ciphertext back. - The role needs
ssm:GetParameter/GetParametersByPathpluskms:Decryptfor SecureStrings.
Related guides
How to Load AWS Secrets Manager Secrets in GitHub ActionsPull secrets from AWS Secrets Manager into GitHub Actions env vars with aws-actions/aws-secretsmanager-get-se…
How to Assume an AWS Role With OIDC Instead of Static Keys in GitHub ActionsReplace long-lived AWS access keys in GitHub Actions with short-lived OIDC credentials by assuming an IAM rol…