How to create, get and delete secrets in AWS Parameter Store using CLI


Hello Readers!! In this blog, we will see how to create, get and delete secrets in the AWS Parameter Store using the CLI. In my previous blog, we saw what AWS Parameter Store is and how to create parameters using the AWS console. See the blog below for more information:

https://blog.knoldus.com/getting-started-with-aws-parameter-store/

Prerequisites:

  1. Install AWS CLI on your system. Follow the guide below for the installation steps:

https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

  2. Configure AWS CLI.

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html

Now, let’s get started with AWS CLI!!

Create parameter in Parameter store:

Use put-parameter to create and store a parameter in the AWS Parameter store. Below is the format for reference:

$ aws ssm put-parameter --name <name_of_parameter> --value <parameter_value> --type <type_of_parameter>
$ aws ssm put-parameter --name LINUX-AMI --value abcd12345 --type String 

To verify that the parameter is stored, use get-parameter. To pull the parameter, use the following format:

$ aws ssm get-parameter --name <name_of_parameter>
$ aws ssm get-parameter --name LINUX-AMI

We can now see the value. Because this parameter is of type String, it is not encrypted.

What if we want to store a password or an API key that we do not want to reveal? For this, use the type SecureString.

$ aws ssm put-parameter --name <name_of_parameter> --value <parameter_value> --type SecureString
$ aws ssm put-parameter --name Password --value mySecretPasswordhere --type SecureString

Now, if I get this parameter, it will not give me the actual value. Because the parameter is of type SecureString, Parameter Store returns the value in encrypted format. Use the following command to get the value:

$ aws ssm get-parameter --name <name_of_parameter>
$ aws ssm get-parameter --name Password

To get this value in decrypted format, use the following command:

$ aws ssm get-parameter --name <name_of_parameter> --with-decryption
$ aws ssm get-parameter --name Password --with-decryption
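
Typing the secret after --value, as in the commands above, leaves it in shell history and in the process list. The following added example (not part of the original post; the function names are hypothetical) reads the value from stdin, hands it to the AWS CLI through a file:// argument, and checks that a parameter is really stored as SecureString:

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Store a SecureString whose value is read from stdin instead of --value <text>,
# so the secret is not saved in shell history or shown in the process list.
put_secure_param() {
    name=$1
    if [ -t 0 ]; then stty -echo; printf 'Value for %s: ' "$name" >&2; fi
    IFS= read -r secret || true        # accept input without a final newline
    if [ -t 0 ]; then stty echo; printf '\n' >&2; fi
    [ -n "$secret" ] || { echo "empty value, nothing stored" >&2; return 1; }

    tmp=$(mktemp) || return 1          # mktemp creates the file with mode 0600
    printf '%s' "$secret" > "$tmp"     # printf '%s' adds no trailing newline
    unset secret
    rc=0
    # The AWS CLI loads the parameter value from the file named after file://
    aws ssm put-parameter --name "$name" --type SecureString \
        --value "file://$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Succeed only if the parameter is stored as SecureString. No --with-decryption
# is passed, so the plaintext is never requested for this check.
is_secure_string() {
    ptype=$(aws ssm get-parameter --name "$1" \
        --query 'Parameter.Type' --output text) || return 2
    [ "$ptype" = "SecureString" ]
}

# Print only the decrypted value, for use in a command substitution.
get_secret() {
    aws ssm get-parameter --name "$1" --with-decryption \
        --query 'Parameter.Value' --output text
}
```

After sourcing the file, run put_secure_param Password and type the value at the prompt, or redirect it from a file that only your user can read.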

Create Nested Parameter store:

Now, we will see how to create a hierarchical, or nested, parameter. For this, use the command below:

$ aws ssm put-parameter --name <nested_path_for_parameter> --value <parameter_value> --type SecureString
$ aws ssm put-parameter --name /myDb/MySQL/Db_password --value myDBSecretPasswordhere --type SecureString

We can also see in the AWS console that it is created.

For getting parameters use the command:

$ aws ssm get-parameter --name /myDb/MySQL/Db_password 

As its type is SecureString it is in an encrypted format.

Update the parameter value:

If I want to update an existing parameter value, I use the --overwrite flag. It will create a new version of that parameter. Use the command below to update the value:

$ aws ssm put-parameter --name <name_of_parameter> --overwrite --value <parameter_new_value> --type String
$ aws ssm put-parameter --name LINUX-AMI --overwrite --value new_password --type String

Create a parameter in other tiers:

By default, any parameter is created in the Standard tier. If you want to create one in the Advanced tier, use:

$ aws ssm put-parameter --name <name_of_parameter> --value <parameter_value> --type <type> --tier Advanced
$ aws ssm put-parameter --name my_Password --value mySecretPasswordhere --type SecureString --tier Advanced

The Advanced tier parameter can also be seen in the AWS console.

Delete a parameter from the parameter store:

For deleting a parameter from the parameter store use the following command:

$ aws ssm delete-parameter --name my_Password 

If I try to get this parameter, it will show ParameterNotFound.

We are all done now!!

Conclusion:

Thank you for sticking to the end. In this blog, we have learned how to create, get and delete secrets in the AWS Parameter Store using the CLI. This is really quick and simple. I hope this blog helped you somewhere. If you like this blog, please share it and show your appreciation by giving thumbs-ups, and don’t forget to give me suggestions on how I can improve my future blogs to suit your needs.

HAPPY LEARNING! 

Written by 

Naincy Kumari is a DevOps Consultant at Knoldus Inc. She is always ready to learn new technologies and tools. She loves painting and dancing.
