chamber read: Read One SSM Secret Value
chamber read fetches one secret identified by service and key from SSM Parameter Store and prints its value and metadata.
For a single value rather than a whole service, chamber read is the targeted command. With --quiet it prints just the value, which is what a script wants.
What it does
chamber read looks up the parameter <service>/<key> in SSM and prints its current value along with version and modification metadata. --quiet suppresses everything but the value.
Common usage
chamber read myservice DB_PASSWORD
# just the value, for capture in a script
chamber read --quiet myservice DB_PASSWORD
# a specific historical version
chamber read myservice DB_PASSWORD -v 3Options
| Flag | What it does |
|---|---|
| <service> <key> | Service prefix and parameter key to read |
| -q, --quiet | Print only the value, no metadata |
| -v, --version <n> | Read a specific parameter version |
| -b, --backend <name> | Secret backend (ssm, secretsmanager, s3, etc.) |
In CI
Use --quiet to capture the raw value and pipe it directly into the consumer; do not echo it. The IAM role needs ssm:GetParameter and kms:Decrypt for the SecureString key. Prefer chamber exec when a process needs many values at once.
Common errors in CI
"AccessDeniedException ... ssm:GetParameter" means the role cannot read that parameter. "Unable to locate credentials" means no AWS credentials on the runner. A read that returns nothing for a known key usually means the wrong service prefix or region (set AWS_REGION).