Add AWS SSM Parameter Store secrets adapter documentation

Document the new aws_ssm_parameter_store adapter and include a
comparison table between 1Password, AWS Secrets Manager, and
AWS SSM Parameter Store.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: davafons

docs/commands/secrets.md

@@ -135,6 +135,45 @@ kamal secrets extract MyItem/REGISTRY_PASSWORD <SECRETS-FETCH-OUTPUT>
 
 **Note:** The `--account` option should be set to your AWS CLI profile name, which is typically `default`. Ensure that your AWS CLI is configured with the necessary permissions to access AWS Secrets Manager.
 
+## AWS SSM Parameter Store
+
+[AWS Systems Manager Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html) provides secure, hierarchical storage for configuration data and secrets management.
+
+First, install and configure [the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).
+
+Use the adapter `aws_ssm_parameter_store`:
+
+```bash
+# Fetch parameters
+kamal secrets fetch --adapter aws_ssm_parameter_store --account default --from /myapp KEY1 KEY2
+
+# Fetch parameters without a prefix
+kamal secrets fetch --adapter aws_ssm_parameter_store --account default KEY1
+
+# Fetch parameters without specifying a profile (uses default AWS credentials)
+kamal secrets fetch --adapter aws_ssm_parameter_store --from /myapp KEY1 KEY2
+
+# Extract the secret
+kamal secrets extract KEY1 <SECRETS-FETCH-OUTPUT>
+kamal secrets extract /myapp/KEY1 <SECRETS-FETCH-OUTPUT>
+```
+
+**Note:** The `--account` option maps to the AWS CLI `--profile` flag. If omitted, the default AWS credential chain is used. All parameters are fetched with `--with-decryption`, so SecureString parameters are automatically decrypted.
+
+### Comparing AWS secret stores with 1Password
+
+| | 1Password | AWS Secrets Manager | AWS SSM Parameter Store |
+|---|---|---|---|
+| **Cost** | Paid plan required | $0.40/secret/month + $0.05 per 10K API calls | Free for Standard parameters (up to 10K); $0.05 per 10K API calls for Advanced |
+| **Best for** | Teams already using 1Password for password management | Storing complex secrets (JSON blobs, certificates, API keys) | Simple key-value configuration and secrets |
+| **Secret size** | Up to 1 MB per item | Up to 64 KB per secret | Up to 4 KB (Standard) or 8 KB (Advanced) |
+| **Rotation** | Manual | Built-in automatic rotation with Lambda | No built-in rotation |
+| **Versioning** | Version history included | Automatic versioning | Automatic versioning |
+| **Encryption** | End-to-end encryption | AWS KMS | AWS KMS (SecureString type) |
+| **Access control** | 1Password vaults and groups | IAM policies | IAM policies |
+| **External dependency** | Requires 1Password account and CLI | AWS-native (no extra dependency if already on AWS) | AWS-native (no extra dependency if already on AWS) |
+| **`--account` required** | Yes (1Password account) | Yes (AWS CLI profile) | No (uses default AWS credentials) |
+
 ## Doppler
 
 First, install and configure [the Doppler CLI](https://docs.doppler.com/docs/install-cli).