Skip to content
Latchkey

chamber exec: Inject SSM Secrets into a Command

chamber exec reads the secrets stored under one or more SSM service prefixes and runs the command after -- with them exported.

Chamber stores secrets as SSM parameters organized by service. chamber exec injects a service's parameters into a process, so CI apps read them from the environment with no plaintext on disk.

What it does

chamber exec fetches all parameters under the given service prefixes from AWS SSM Parameter Store, sets them as environment variables, and runs the command listed after --. Multiple services can be merged in order.

Common usage

Terminal
chamber exec myservice -- ./run.sh
chamber exec app shared -- node server.js
# start from a clean environment
chamber exec --pristine myservice -- printenv

Options

FlagWhat it does
<services...>One or more SSM service prefixes to load
-- <command>Command to run with parameters injected
--pristineOnly pass chamber-provided vars, dropping the inherited env
-b, --backend <name>Secret backend (ssm, secretsmanager, s3, etc.)
CHAMBER_KMS_KEY_ALIASKMS key alias used to decrypt SecureString params

In CI

Give the runner an IAM role with ssm:GetParametersByPath and kms:Decrypt for the parameter path and its KMS key, ideally via OIDC rather than static keys. Use --pristine when you want the child to see only the injected secrets.

Common errors in CI

"AccessDeniedException: User ... is not authorized to perform: ssm:GetParametersByPath" means the IAM role lacks SSM read on that path. A KMS "AccessDeniedException" on decrypt means kms:Decrypt is missing for the SecureString key. "NoCredentialProviders" or "Unable to locate credentials" means no AWS credentials are configured on the runner.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →