Skip to content
Latchkey

aws ssm get-parameter: Read Config from SSM in CI

Fetch a single Parameter Store value, decrypting SecureStrings on demand.

aws ssm get-parameter reads one value from SSM Parameter Store. With --with-decryption it returns the plaintext of a SecureString. In CI it pulls non-secret config and lightweight secrets into the environment without baking them into the pipeline.

Common flags

  • --name - the parameter name/path (required)
  • --with-decryption - decrypt a SecureString value
  • --query "Parameter.Value" - extract just the value
  • --output text - emit plain text for shell capture

Example in CI

Read a decrypted SecureString into a variable.

shell
aws ssm get-parameter --name /app/prod/db-url --with-decryption --query "Parameter.Value" --output text

Common errors in CI

  • An error occurred (ParameterNotFound) - name/path wrong or in another region
  • An error occurred (AccessDeniedException) - role lacks ssm:GetParameter (and kms:Decrypt for SecureString)
  • Value returned encrypted - forgot --with-decryption on a SecureString

Key takeaways

  • Add --with-decryption to read SecureString plaintext.
  • Decrypting needs both ssm:GetParameter and kms:Decrypt on the KMS key.
  • Mask the value in CI logs; never echo a decrypted secret.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →