This is the AWS CDK v2 Developer Guide. The older CDK v1 entered maintenance on June 1, 2022 and will now receive only critical bug fixes and security patches. New features will be developed for CDK v2 exclusively. Support for CDK v1 will end entirely on June 1, 2023.
Get a value from the Systems Manager Parameter Store
The AWS CDK can retrieve the value of AWS Systems Manager Parameter Store attributes. During synthesis, the AWS CDK produces a token that is resolved by AWS CloudFormation during deployment.
The AWS CDK supports retrieving both plain and secure values. You may request a specific version of either kind of value. For plain values only, you may omit the version from your request to receive the latest version. You must always specify the version when requesting the value of a secure attribute.
Note
This topic shows how to read attributes from the AWS Systems Manager Parameter Store. You can also read secrets from the AWS Secrets Manager (see Get a value from AWS Secrets Manager).
Reading Systems Manager values at deployment time
To read values from the Systems Manager Parameter Store, use the valueForStringParameter and valueForSecureStringParameter methods. Choose a method based on whether the attribute you want is a plain string or a secure string value. These methods return tokens, not the actual value. The value is resolved by AWS CloudFormation during deployment.
A limited number of AWS services currently support this feature.
Reading Systems Manager values at synthesis time
It is sometimes useful to "bake in" a parameter at synthesis time. This way, the resulting AWS CloudFormation template always uses the same value, instead of resolving the value during deployment.
To read a value from the Systems Manager Parameter Store at synthesis time, use the valueFromLookup method (Python: value_from_lookup). This method returns the actual value of the parameter as a Runtime context value. If the value is not already cached in cdk.json or passed on the command line, it is retrieved from the current AWS account. For this reason, the stack must be synthesized with explicit account and Region information.
Only plain Systems Manager strings may be retrieved, not secure strings. It is not possible to request a specific version; the latest version is always returned.
Important
The retrieved value will end up in your synthesized AWS CloudFormation template. This might be a security risk, depending on who has access to your AWS CloudFormation templates and what kind of value it is. Generally, don't use this feature for passwords, keys, or other values you want to keep private.
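The following check is an added example, not code from the AWS guide. It reports which Systems Manager values were baked into a synthesized template as plaintext and which are still resolved at deployment time. It assumes that cached SSM lookups use context keys starting with "ssm:" that carry a "parameterName=" field; the sample context and template are constructed.

```python
import json
import re

# Constructed sample of cached lookups. Assumption: SSM lookups are cached under
# keys that start with "ssm:" and carry a "parameterName=" field.
SAMPLE_CONTEXT = {
    "ssm:account=111111111111:parameterName=/app/db-endpoint:region=us-east-1": "db.internal.example",
    "ssm:account=111111111111:parameterName=/app/unused:region=us-east-1": "not-in-template",
    "availability-zones:account=111111111111:region=us-east-1": ["us-east-1a"],
}
# Constructed sample of a synthesized template using all three ways of reading.
SAMPLE_TEMPLATE = {
    "Parameters": {"TierParam": {"Type": "AWS::SSM::Parameter::Value<String>", "Default": "/app/tier"}},
    "Resources": {
        "Fn": {"Type": "AWS::Lambda::Function", "Properties": {"Environment": {"Variables": {
            "DB_HOST": "db.internal.example", "TIER": {"Ref": "TierParam"}}}}},
        "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "MasterUserPassword": "{{resolve:ssm-secure:/app/db-password:1}}"}},
    },
}
DYNAMIC_REF = re.compile(r"\{\{resolve:(?:ssm|ssm-secure):([^:}]+)(?::\d+)?\}\}")

def walk(node, path=""):
    """Yield (path, string) for every string leaf of the template."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}/{key}")
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from walk(child, f"{path}/{index}")
    elif isinstance(node, str):
        yield path, node

def audit(context, template):
    """Return (kind, parameter_name, template_path) for each SSM read found."""
    baked = {}  # cached plaintext value -> parameter name
    for key, value in context.items():
        name = re.search(r"parameterName=([^:]+)", key)
        if key.startswith("ssm:") and name and isinstance(value, str) and value:
            baked[value] = name.group(1)
    findings = []
    for path, text in walk(template):
        findings += [("baked-in", n, path) for v, n in baked.items() if v in text]
        findings += [("deploy-time", m.group(1), path) for m in DYNAMIC_REF.finditer(text)]
    for logical_id, param in template.get("Parameters", {}).items():
        if param.get("Type", "").startswith("AWS::SSM::Parameter::Value<"):
            findings.append(("deploy-time", param.get("Default"), f"/Parameters/{logical_id}"))
    return findings

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_CONTEXT, SAMPLE_TEMPLATE), indent=2))
```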
Writing values to Systems Manager
You can use the AWS CLI, the AWS Management Console, or an AWS SDK to set Systems Manager parameter values. The following examples use the ssm put-parameter CLI command.
aws ssm put-parameter --name "parameter-name" --type "String" --value "parameter-value"
aws ssm put-parameter --name "secure-parameter-name" --type "SecureString" --value "secure-parameter-value"
When updating an SSM value that already exists, also include the --overwrite option.
aws ssm put-parameter --overwrite --name "parameter-name" --type "String" --value "parameter-value"
aws ssm put-parameter --overwrite --name "secure-parameter-name" --type "SecureString" --value "secure-parameter-value"