Skip to content
Latchkey

aws ssm put-parameter: Write Parameter Store Values

aws ssm put-parameter creates or updates a Parameter Store entry of type String, StringList, or SecureString, with --overwrite required to change an existing value.

Pipelines stash deploy outputs and config in Parameter Store for later stages. The two CI traps are forgetting --overwrite on updates and choosing the right type/KMS key for secrets.

What it does

aws ssm put-parameter writes --value to --name with --type String, StringList, or SecureString. SecureString encrypts with a KMS key (--key-id, defaulting to the AWS-managed alias/aws/ssm). Updating an existing parameter requires --overwrite, otherwise it is treated as a create and fails.

Common usage

Terminal
aws ssm put-parameter \
  --name /myapp/prod/release-sha \
  --value "$GITHUB_SHA" \
  --type String \
  --overwrite
# A secret as SecureString with a customer KMS key
aws ssm put-parameter \
  --name /myapp/prod/api-key --type SecureString \
  --key-id alias/ci-secrets --value "$API_KEY" --overwrite

Options

FlagWhat it does
--name <name>Parameter name/path (required)
--value <val>Value to store (required)
--type String|StringList|SecureStringParameter type
--overwriteRequired to update an existing parameter
--key-id <kms>KMS key for SecureString (default alias/aws/ssm)
--tier Standard|AdvancedAdvanced allows larger values / more params

In CI

Always pass --overwrite in idempotent pipelines or a re-run fails on the second deploy. Use SecureString with a customer-managed KMS key for anything sensitive so access is auditable and revocable. Values over 4KB need --tier Advanced (which is billed), so keep large config out of Parameter Store.

Common errors in CI

"An error occurred (ParameterAlreadyExists) when calling the PutParameter operation: The parameter already exists. To overwrite this value, set the overwrite option in the request to true" is the missing---overwrite case. "ValidationException: ... value ... exceeded maximum allowed size" means use --tier Advanced. "AccessDeniedException" means missing ssm:PutParameter or, for SecureString, kms:Encrypt on the key.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →