25 changes: 24 additions & 1 deletion docs/commands/secrets.md
Expand Up @@ -135,6 +135,29 @@ kamal secrets extract MyItem/REGISTRY_PASSWORD <SECRETS-FETCH-OUTPUT>

**Note:** The `--account` option should be set to your AWS CLI profile name, which is typically `default`. Ensure that your AWS CLI is configured with the necessary permissions to access AWS Secrets Manager.

## AWS SSM Parameter Store

First, install and configure [the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

Use the adapter `aws_ssm_parameter_store`:

```bash
# Fetch passwords
kamal secrets fetch --adapter aws_ssm_parameter_store --account default REGISTRY_PASSWORD DB_PASSWORD

# Fetch passwords from an item

Copilot AI Mar 2, 2026

This section labels --from /myapp as fetching "from an item", but the other examples imply --from is a path/prefix in Parameter Store. Consider renaming this heading/text to "from a path/prefix" (or similar) so readers don’t confuse it with an item-based vault model.

Suggested change
# Fetch passwords from an item
# Fetch passwords from a path/prefix

kamal secrets fetch --adapter aws_ssm_parameter_store --account default --from /myapp REGISTRY_PASSWORD DB_PASSWORD

# Fetch passwords from multiple items
kamal secrets fetch --adapter aws_ssm_parameter_store --account default myapp/REGISTRY_PASSWORD myapp/DB_PASSWORD

# Extract the secret
kamal secrets extract REGISTRY_PASSWORD <SECRETS-FETCH-OUTPUT>
kamal secrets extract MyItem/REGISTRY_PASSWORD <SECRETS-FETCH-OUTPUT>

Copilot AI Mar 2, 2026

The extract example uses MyItem/REGISTRY_PASSWORD, but the rest of the SSM section uses /myapp/myapp paths and never introduces what MyItem represents for Parameter Store. Align the extract examples with the same naming convention used in the fetch examples to avoid confusion.

Suggested change
kamal secrets extract MyItem/REGISTRY_PASSWORD <SECRETS-FETCH-OUTPUT>
kamal secrets extract myapp/REGISTRY_PASSWORD <SECRETS-FETCH-OUTPUT>

```

**Note:** The `--account` option should be set to your AWS CLI profile name, which is typically `default`. Ensure that your AWS CLI is configured with the necessary permissions to access AWS SSM Parameter Store.

## Doppler

First, install and configure [the Doppler CLI](https://docs.doppler.com/docs/install-cli).
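
Review bot: The "multiple items" example passes `myapp/REGISTRY_PASSWORD` with no leading slash, while the `--from /myapp` example directly above it uses one, so the section never says whether both forms resolve to the same parameter. State which form the adapter expects, or that it normalizes both, and use one form consistently across the fetch and extract examples. The closing note would also be more useful if it named the specific permissions the adapter needs instead of "necessary permissions", so readers can scope the AWS CLI profile to read-only access on the relevant path.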
Expand Down Expand Up @@ -246,4 +269,4 @@ kamal secrets extract REGISTRY_PASSWORD <SECRETS-FETCH-OUTPUT>
kamal secrets extract DB_PASSWORD <SECRETS-FETCH-OUTPUT>
```

The passbolt adapter does not use the `--account` option, if given it will be ignored.
The passbolt adapter does not use the `--account` option, if given it will be ignored.
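
Review bot: The passbolt sentence at the end of the file is removed and re-added with identical visible text, so this looks like a whitespace or end-of-file newline change unrelated to the SSM Parameter Store section. Drop it from this PR, or mention it in the description if the newline fix is intentional.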