Skip to content
Latchkey

chamber read: Read One SSM Secret Value

chamber read fetches one secret identified by service and key from SSM Parameter Store and prints its value and metadata.

For a single value rather than a whole service, chamber read is the targeted command. With --quiet it prints just the value, which is what a script wants.

What it does

chamber read looks up the parameter <service>/<key> in SSM and prints its current value along with version and modification metadata. --quiet suppresses everything but the value.

Common usage

Terminal
chamber read myservice DB_PASSWORD
# just the value, for capture in a script
chamber read --quiet myservice DB_PASSWORD
# a specific historical version
chamber read myservice DB_PASSWORD -v 3

Options

FlagWhat it does
<service> <key>Service prefix and parameter key to read
-q, --quietPrint only the value, no metadata
-v, --version <n>Read a specific parameter version
-b, --backend <name>Secret backend (ssm, secretsmanager, s3, etc.)

In CI

Use --quiet to capture the raw value and pipe it directly into the consumer; do not echo it. The IAM role needs ssm:GetParameter and kms:Decrypt for the SecureString key. Prefer chamber exec when a process needs many values at once.

Common errors in CI

"AccessDeniedException ... ssm:GetParameter" means the role cannot read that parameter. "Unable to locate credentials" means no AWS credentials on the runner. A read that returns nothing for a known key usually means the wrong service prefix or region (set AWS_REGION).

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →