aws ssm put-parameter: Write Parameter Store Values
aws ssm put-parameter creates or updates a Parameter Store entry of type String, StringList, or SecureString, with --overwrite required to change an existing value.
Pipelines stash deploy outputs and config in Parameter Store for later stages. The two CI traps are forgetting --overwrite on updates and choosing the right type/KMS key for secrets.
What it does
aws ssm put-parameter writes --value to --name with --type String, StringList, or SecureString. SecureString encrypts with a KMS key (--key-id, defaulting to the AWS-managed alias/aws/ssm). Updating an existing parameter requires --overwrite, otherwise it is treated as a create and fails.
Common usage
aws ssm put-parameter \
--name /myapp/prod/release-sha \
--value "$GITHUB_SHA" \
--type String \
--overwrite
# A secret as SecureString with a customer KMS key
aws ssm put-parameter \
--name /myapp/prod/api-key --type SecureString \
--key-id alias/ci-secrets --value "$API_KEY" --overwriteOptions
| Flag | What it does |
|---|---|
| --name <name> | Parameter name/path (required) |
| --value <val> | Value to store (required) |
| --type String|StringList|SecureString | Parameter type |
| --overwrite | Required to update an existing parameter |
| --key-id <kms> | KMS key for SecureString (default alias/aws/ssm) |
| --tier Standard|Advanced | Advanced allows larger values / more params |
In CI
Always pass --overwrite in idempotent pipelines or a re-run fails on the second deploy. Use SecureString with a customer-managed KMS key for anything sensitive so access is auditable and revocable. Values over 4KB need --tier Advanced (which is billed), so keep large config out of Parameter Store.
Common errors in CI
"An error occurred (ParameterAlreadyExists) when calling the PutParameter operation: The parameter already exists. To overwrite this value, set the overwrite option in the request to true" is the missing---overwrite case. "ValidationException: ... value ... exceeded maximum allowed size" means use --tier Advanced. "AccessDeniedException" means missing ssm:PutParameter or, for SecureString, kms:Encrypt on the key.