Menu
Amazon EC2 Systems Manager
User Guide

Systems Manager Parameter Store Walkthroughs

Use the following walkthroughs to create, store, and execute parameters with Parameter Store in a test environment.

Grant Your User Account Access to Systems Manager

Your user account must be configured to communicate with the Systems Manager API. Use the following procedure to attach a managed IAM policy to your user account that grants you full access to Systems Manager API actions.

To create the IAM policy for your user account

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies. (If this is your first time using IAM, choose Get Started, and then choose Create Policy.)

  3. In the Filter field, type AmazonSSMFullAccess and press Enter.

  4. Select the check box next to AmazonSSMFullAccess and then choose Policy Actions, Attach.

  5. On the Attach Policy page, choose your user account and then choose Attach Policy.

Launch a New Instance

Use the following procedure to create a test instance with the required AWS Identity and Access Management (IAM) role. The role enables the instance to communicate with the Systems Manager API.

To create an instance that uses a Systems Manager-supported role

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Select a supported region.

  3. Choose Launch Instance and select an Amazon Machine Image (AMI).

  4. Choose your instance type and then choose Next: Configure Instance Details.

  5. In Auto-assign Public IP, choose Enable.

  6. Beside IAM role choose Create new IAM role. The IAM console opens in a new tab.

    1. Choose Create New Role.

    2. In Step 1: Set Role Name, enter a name that identifies this role as a Systems Manager role.

    3. In Step 2: Select Role Type, choose Amazon EC2 Role for Simple Systems Manager. The system skips Step 3: Establish Trust because this is a managed policy.

    4. In Step 4: Attach Policy, choose AmazonEC2RoleforSSM.

    5. Choose Next Step, and then choose Create Role.

    6. Close the tab with the IAM console.

  7. In the Amazon EC2 console, choose the Refresh button beside Create New IAM role.

  8. From IAM role, choose the role you just created.

  9. Complete the wizard to launch the new instance. Make a note of the instance ID. You will need to specify this ID later in this walkthrough.

Important

On Linux instances, you must install the SSM Agent on the instance you just created. For more information, see Installing SSM Agent on Linux.

To assign the role to one of your existing instances, see Attaching an IAM Role to an Instance in the Amazon EC2 User Guide.

Systems Manager Parameter Store Console Walkthrough

The following procedure walks you through the process of creating a parameter in Parameter Store and then executing a Run Command command that uses this parameter.

To create a parameter using Parameter Store

  1. Open the Amazon EC2 console, expand Systems Manager Shared Resources in the navigation pane, and then choose Parameter Store.

  2. Choose Create Parameter.

  3. For Name, type helloWorld.

  4. In the Description field, type a description that identifies this parameter as a test parameter.

  5. For Type, choose String.

  6. In the Value field, echo a word.

  7. Choose Create Parameter and then choose OK after the system creates the parameter.

  8. In the EC2 console navigation pane, expand Commands and then choose Run Command.

  9. Choose Run a command.

  10. In the Command Document list, choose AWS-RunPowershellScript (Windows) or AWS-RunShellScript (Linux).

  11. Under Target instances, choose the instance you created earlier.

  12. In the Commands field, type echo {{ssm:helloWorld}} and then choose Run.

  13. In the command history list, choose the command you just ran, choose the Output tab, and then choose View Output.. They output is the name of the parameter you created earlier, for example, {{ssm:helloWorld}}.

Systems Manager Parameter Store CLI Walkthrough

The following procedure walks you through the process of creating and storing a parameter using the AWS CLI.

To create a String parameter using Parameter Store

  1. Download the AWS CLI to your local machine.

  2. Execute the following command to create a parameter that uses the String data type.

    Copy
    aws ssm put-parameter --name a name --type String –-value "a value, for example "helloWorld""
  3. Execute the following command to view the parameter metadata.

    Copy
    aws ssm describe-parameters --filters "Key=Name,Values=helloWorld"
  4. Execute the following command to change the parameter value.

    Copy
    aws ssm put-parameter --name "helloWorld" --type String --value ""good day sunshine"" --overwrite
  5. Execute the following command to view the latest parameter value.

    Copy
    aws ssm get-parameters --name "helloWorld"
  6. Execute the following command to view the parameter value history.

    Copy
    aws ssm get-parameter-history --name "helloWorld"
  7. Execute the following command to use this parameter in a Run Command command.

    Copy
    aws ssm send-command --name "AWS-RunPowerShellScript" --parameters "commands=["echo {{ssm:helloWorld}}"]" --targets "Key=instanceids,Values=the ID of the instance you created earlier"

To create a Secure String parameter using Parameter Store

  1. Execute one of the following commands to create a parameter that uses the Secure String data type.

    Create a Secure String parameter that uses your default KMS key

    Copy
    aws ssm put-parameter --name "a name" --value "a value, for example P@ssW%rd#1" --type "SecureString"

    Create a Secure String parameter that uses a custom KMS key

    Copy
    aws ssm put-parameter --name "a name" --value "a value, for example P@ssW%rd#1" --type "SecureString" --key-id "your AWS user account alias/the custom KMS key"
  2. Execute the following command to view the parameter metadata.

    Copy
    aws ssm describe-parameters --filters "Key=Name,Values=the name that you specified"
  3. Execute the following command to change the parameter value.

    Updating a Secure String parameter that uses your default KMS key

    Copy
    aws ssm put-parameter --name "the name that you specified" --value "new value" --type "SecureString" --overwrite

    Updating a Secure String parameter that uses a custom KMS key

    Copy
    aws ssm put-parameter --name "the name that you specified" --value "new value" --type "SecureString" --key-id "your AWS user account alias/the custom KMS key" --overwrite
  4. Execute the following command to view the latest parameter value.

    Copy
    aws ssm get-parameters --names "the name that you specified" --with-decryption
  5. Execute the following command to view the parameter value history.

    Copy
    aws ssm get-parameter-history --name "the name that you specified"