AWS Parameter Store

The parameter store is painful to navigate in the AWS console. AWS has provided us with the CLI, but these commands may be just as opaque. I’ve written a few helper functions.

I’m assuming you are using hierarchical parameters (as one should), have installed both the AWS CLI and the jq utility, and in fact have access to the parameter store.

In my .profile on my Mac, I source bin/functions wherein I define several functions for my environment. You might source this file from .bashrc, depending on your platform. To source the file, start your command with a period, a space, and the path to your file, e.g., . bin/functions. I suppose you could define these functions directly in .profile, but I like to keep that file as clean as possible.

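function aws-set-profile() {
  # Select the named CLI profile; the same value is exported for Terraform.
  export AWS_PROFILE="$1"
  export TF_VAR_turbot_account_id="$1"
}

function aws-ssm-list() {
  # Named ssm_path, not path: in zsh, path is tied to PATH. Declared local so repeated calls do not accumulate.
  local ssm_path=""
  [ -z "$1" ] || ssm_path="${ssm_path}/${1}"
  [ -z "$2" ] || ssm_path="${ssm_path}/${2}"
  aws ssm get-parameters-by-path --recursive --with-decryption --path "${ssm_path}" --query "Parameters[*].{Name:Name,Value:Value}" | jq --raw-output '.[] | [.Name, .Value] | join(": ")'
}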


I work with a number of AWS accounts and use named profiles to switch between them. You can set up a named profile using the command aws configure --profile <name> (without the angled brackets). I then set my environment to use one of these profiles by calling the above function aws-set-profile <name>. The TF_VAR_turbot_account_id variable is for use with Terraform; if you do not know what that is, this may not apply to you.


The aws-ssm-list function wraps a call to the CLI to return a refined set of information, i.e., each parameter name and decrypted value. The function as written assumes parameters are defined using the construct of /service/environment/parameter, and your call would look like aws-ssm-list <service> <env>. For example, if you want all of the parameters for the widget service in your dev environment, your call would be aws-ssm-list widget dev. If you are using a different construct, you will need to modify this function accordingly.

The --recursive flag tells the CLI to return all parameters within the hierarchy of the path you are inspecting.

The --with-decryption flag tells the CLI to decrypt all encrypted parameters, so SecureString values are printed to your terminal in plaintext.

The --path flag defines the hierarchy to inspect. All parameters below this hierarchy will be returned.

The --query flag tells the CLI which attributes to return for each parameter. In this case, we are returning the Name and Value attributes.

The format of my result set is:

/enterprise/widget/foo: bar
/enterprise/widget/fizz: buzz
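
For everyday browsing you often do not need the decrypted values at all. The following is an added example, not part of the original post: a variant that accepts any depth of hierarchy (for constructs other than /service/environment), omits --with-decryption, and masks SecureString values. The function names ssm_build_path, ssm_mask_secure and aws_ssm_list_safe are hypothetical, and it assumes the CLI's tab-separated --output text format instead of jq.

```bash
# Added example; function names are hypothetical, not from the original post.

# Build "/seg1/seg2/..." from any number of segments. Each segment may only
# contain the characters SSM allows in parameter names (a-zA-Z0-9_.-), and at
# least one segment is required so the listing is never the whole store.
ssm_build_path() (
  p=""
  for seg in "$@"; do
    case "$seg" in
      ""|*[!A-Za-z0-9_.-]*)
        echo "invalid path segment: '$seg'" >&2
        exit 2 ;;
    esac
    p="$p/$seg"
  done
  [ -n "$p" ] || { echo "at least one path segment is required" >&2; exit 2; }
  printf '%s\n' "$p"
)

# Read "Name<TAB>Type<TAB>Value" lines on stdin and print "Name: Value",
# replacing the value of every SecureString with a placeholder.
# The value is everything after the second tab, so tabs inside it survive.
# Values containing newlines are not handled.
ssm_mask_secure() {
  awk -F '\t' '{
    v = ($2 == "SecureString") ? "<SecureString, not shown>" \
                               : substr($0, length($1) + length($2) + 3)
    print $1 ": " v
  }'
}

# Usage: aws_ssm_list_safe <segment> [<segment> ...]
# No --with-decryption: SecureString values come back still encrypted
# and are masked before anything reaches the terminal.
aws_ssm_list_safe() (
  ssm_path=$(ssm_build_path "$@") || exit 2
  aws ssm get-parameters-by-path --recursive --path "$ssm_path" \
    --query 'Parameters[*].[Name,Type,Value]' --output text | ssm_mask_secure
)
```

For example, aws_ssm_list_safe enterprise widget lists everything under /enterprise/widget with secrets masked; reach for the decrypting aws-ssm-list only when you need to read a secret.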