Parameter Store reference
A parameter is any piece of data stored in Parameter Store, such as a block of text, a list of names, an AMI ID, a merchant ID, or another configuration value. You can centrally reference this data in your scripts, commands, and SSM documents.
When you reference a parameter, you specify the parameter name using the following convention.
{{ssm:}}parameter-name
Note
Parameters can't be referenced or nested in the values of other parameters. You
can't include {{}} or
{{ssm: in a parameter
value.parameter-name}}
Parameter Store provides support for three types of parameters: String,
StringList, and SecureString.
With one exception, when you create or update a parameter, you enter the parameter
value as plaintext, and Parameter Store performs no validation on the text you enter. For
String parameters, however, you can specify the data type as
aws:ec2:image, and Parameter Store validates that the value you enter is the
proper format for an Amazon EC2 AMI; for example:
ami-12345abcdeEXAMPLE.
Parameter type: String
By default, the value of a String parameter consists of any block of
text you enter. For example:
-
abc123 -
Example Corp -
<img src="images/bannerImage1.png"/>
Parameter type: StringList
The values of StringList parameters contain a comma-separated list of
values, as shown in the following examples.
Monday,Wednesday,Friday
CSV,TSV,CLF,ELF,JSON
Parameter type: SecureString
Use SecureString for configuration values that require encryption, such as service endpoints and account identifiers. For secrets such as database credentials, API keys, or tokens, we recommend AWS Secrets Manager, which provides purpose built security controls including automatic rotation and cross-region replication.
Only the parameter value is encrypted. The parameter name, description, and other metadata aren't encrypted.
Parameter Store encrypts and decrypts SecureString parameter values
using an AWS KMS key. You can use the default AWS managed key for
Parameter Store or a customer managed key. Use a customer managed key when you need to restrict
which principals can decrypt particular parameters. For more information, see
Encrypting and decrypting parameters using AWS KMS keys.
Important
Note the following important information.
If you manage credentials that require automatic rotation, cross-account access, or fine-grained audit logging, we recommend using AWS Secrets Manager. Secrets Manager is purpose-built for managing secrets such as database credentials, API keys, and supported third-party software-vended secrets. For more information, see What is AWS Secrets Manager? in the AWS Secrets Manager User Guide.
Don't store sensitive data in a
StringorStringListparameter. For all sensitive data that must remain encrypted, use only theSecureStringparameter type.Only the value of a
SecureStringparameter is encrypted. Parameter names, descriptions, and other properties aren't encrypted.
You can use SecureString parameters with other
AWS services. The following Lambda function retrieves an encrypted merchant ID
from the /myapp/dev/vendor/merchant-id parameter. The function
uses the value without writing it to the function logs or returning it in the
response.
import json import boto3 ssm = boto3.client("ssm", region_name="us-east-1") def lambda_handler(event, context): response = ssm.get_parameter( Name="/myapp/dev/vendor/merchant-id", WithDecryption=True ) merchant_id = response["Parameter"]["Value"] # Use merchant_id when communicating with the vendor system. # Don't write the value to logs or include it in the response. return { "statusCode": 200, "body": json.dumps("Vendor configuration retrieved.") }
AWS KMS encryption and pricing
When you create a SecureString parameter, Systems Manager uses
AWS KMS to encrypt the parameter value.
Important
Parameter Store only supports symmetric encryption KMS keys. You can't use an asymmetric encryption KMS key to encrypt your parameters. For help determining whether a KMS key is symmetric or asymmetric, see Identifying symmetric and asymmetric KMS keys in the AWS Key Management Service Developer Guide
There is no charge from Parameter Store to create a
SecureString parameter, but charges for using AWS KMS can apply.
For more information, see
AWS Key Management Service pricing
For more information about AWS managed keys and customer managed keys, see AWS Key Management Service Concepts in the AWS Key Management Service Developer Guide. For more information about how Parameter Store uses AWS KMS, see How AWS Systems Manager Parameter Store uses AWS KMS.
Note
To view the default AWS managed key for Parameter Store, run the following command.
aws kms describe-key \ --region us-east-1 \ --key-id alias/aws/ssm
Parameter name constraints
Use the information in this topic to help you specify valid values for parameter names when you create a parameter.
This information supplements the details in the topic PutParameter in the AWS Systems Manager API Reference, which also provides information about the values AllowedPattern, Description, KeyId, Overwrite, Type, and Value.
The requirements and constraints for parameter names include the following:
-
Case sensitivity: Parameter names are case sensitive.
-
Spaces: Parameter names can't include spaces.
-
Valid characters: Parameter names can consist of the following symbols and letters only:
a-zA-Z0-9_.-In addition, the slash character ( / ) is used to delineate hierarchies in parameter names. For example:
/Dev/Production/East/Project-ABC/MyParameter -
Valid AMI format: When you choose
aws:ec2:imageas the data type for aStringparameter, the ID you enter must validate for the AMI ID formatami-12345abcdeEXAMPLE. -
Fully qualified: When you create or reference a parameter in a hierarchy, include a leading forward slash character (/) . When you reference a parameter that is part of a hierarchy, specify the entire hierarchy path including the initial slash (/).
-
Fully qualified parameter names:
MyParameter1,/MyParameter2,/Dev/Production/East/Project-ABC/MyParameter -
Not fully qualified parameter name:
MyParameter3/L1
-
-
Length: The maximum length for a parameter name that you specify is 1011 characters. This count of 1011 characters includes the characters in the ARN that precede the name you specify, such as the 45 characters in
arn:aws:ssm:us-east-2:111122223333:parameter/. -
Prefixes: A parameter name can't be prefixed with "
aws" or "ssm" (case-insensitive). For example, attempts to create parameters with the following names fail with an exception:-
awsTestParameter -
SSM-testparameter -
/aws/testparam1
Note
When you specify a parameter in an SSM document, command, or script, include
ssmas part of the syntax. For example, {{ssm:parameter-name}} and {{ ssm:parameter-name}}, such as{{ssm:MyParameter}}, and{{ ssm:MyParameter }}. -
-
Uniqueness: A parameter name must be unique within an AWS Region. For example, Systems Manager treats the following as separate parameters, if they exist in the same Region:
-
/Test/TestParam1 -
/TestParam1
The following examples are also unique:
-
/Test/TestParam1/Logpath1 -
/Test/TestParam1
The following examples, however, if in the same Region, aren't unique:
-
/TestParam1 -
TestParam1
-
-
Hierarchy depth: If you specify a parameter hierarchy, the hierarchy can have a maximum depth of fifteen levels. You can define a parameter at any level of the hierarchy. Both of the following examples are structurally valid:
-
/Level-1/L2/L3/L4/L5/L6/L7/L8/L9/L10/L11/L12/L13/L14/parameter-name -
parameter-name
Attempting to create the following parameter would fail with a
HierarchyLevelLimitExceededExceptionexception:-
/Level-1/L2/L3/L4/L5/L6/L7/L8/L9/L10/L11/L12/L13/L14/L15/L16/parameter-name
-
Important
If a user has access to a path, then the user can access all levels of
that path. For example, if a user has permission to access path
/a, then the user can also access
/a/b. Even if a user has explicitly been denied
access in AWS Identity and Access Management (IAM) for parameter /a/b, they
can still call the GetParametersByPath API operation recursively for
/a and view /a/b.