aws ssm get-parameter: Usage & Common CI Errors
Read configuration and secrets from SSM Parameter Store.
aws ssm get-parameter retrieves a single parameter from Systems Manager Parameter Store - plaintext config or, with decryption, an encrypted SecureString. It is a lightweight alternative to Secrets Manager.
What it does
aws ssm get-parameter --name <name> returns the parameter’s value and metadata. SecureString parameters come back encrypted unless you add --with-decryption, which transparently decrypts via the backing KMS key. Use --query "Parameter.Value" --output text to extract just the value for a shell variable.
Common usage
# Read a plaintext parameter value
aws ssm get-parameter --name /app/region \
--query Parameter.Value --output text
# Read and decrypt a SecureString
DB_PASS=$(aws ssm get-parameter --name /app/db/password \
--with-decryption --query Parameter.Value --output text)
# Fetch many at once
aws ssm get-parameters-by-path --path /app/ --recursive --with-decryptionCommon error in CI: encrypted value returned / AccessDenied on kms:Decrypt
Forgetting --with-decryption returns the ciphertext of a SecureString (not the secret), silently breaking the job. Adding it but lacking KMS access fails with "AccessDenied ... not authorized to perform: kms:Decrypt". Fix: pass --with-decryption for SecureStrings, and grant the CI role both ssm:GetParameter on the parameter ARN and kms:Decrypt on the key ARN that encrypted it. A "ParameterNotFound" error usually means a leading-slash/name mismatch - names are case-sensitive and path-style.
Key options
| Option | Purpose |
|---|---|
| --name | Parameter name (path-style) |
| --with-decryption | Decrypt SecureString values |
| --query Parameter.Value | Extract just the value |
| get-parameters-by-path | Fetch a whole prefix at once |