This is a simple Python wrapper for getting values from AWS Systems Manager Parameter Store.
The module supports getting a single parameter, multiple parameters or all parameters matching a particular path.
All parameters are returned as a Python dict
.
Install with pip
:
pip install ssm-parameter-store
Import the module and create a new instance of EC2ParameterStore
.
from ssm_parameter_store import EC2ParameterStore
store = EC2ParameterStore()
ssm-parameter-store
uses boto3
under the hood and therefore inherits
the same mechanism for looking up AWS credentials. See configuring
credentials
in the Boto 3 documentation for more information.
EC2ParameterStore
accepts all boto3
client parameters as keyword arguments.
For example:
from ssm_parameter_store import EC2ParameterStore
store = EC2ParameterStore(
aws_access_key_id=ACCESS_KEY,
aws_secret_access_key=SECRET_KEY,
aws_session_token=SESSION_TOKEN, # optional
region_name='us-west-2'
)
Given the following parameters:
# set default AWS region
AWS_DEFAULT_REGION=us-west-2
# add parameters
aws ssm put-parameter --name "param1" --value "value1" --type SecureString
aws ssm put-parameter --name "param2" --value "value2" --type SecureString
# add parameters organised by hierarchy
aws ssm put-parameter --name "/dev/app/secret" --value "dev_secret" --type SecureString
aws ssm put-parameter --name "/dev/db/postgres_username" --value "dev_username" --type SecureString
aws ssm put-parameter --name "/dev/db/postgres_password" --value "dev_password" --type SecureString
aws ssm put-parameter --name "/prod/app/secret" --value "prod_secret" --type SecureString
aws ssm put-parameter --name "/prod/db/postgres_username" --value "prod_username" --type SecureString
aws ssm put-parameter --name "/prod/db/postgres_password" --value "prod_password" --type SecureString
parameter = store.get_parameter('param1', decrypt=True)
assert parameter == {
'param1': 'value1'
}
parameters = store.get_parameters(['param1', 'param2'])
assert parameters == {
'param1': 'value1',
'param2': 'value2',
}
parameters = store.get_parameters_by_path('/dev/', recursive=True)
assert parameters == {
'secret': 'dev_secret',
'postgres_username': 'dev_username',
'postgres_password': 'dev_password',
}
By default get_parameters_by_path
strips the path from each parameter name. To return a parameter's full name, set strip_path
to False
.
parameters = store.get_parameters_by_path('/dev/', strip_path=False, recursive=True)
assert parameters == {
'/dev/app/secret': 'dev_secret',
'/dev/db/postgres_username': 'dev_username',
'/dev/db/postgres_password': 'dev_password'
}
You can also get parameters by path, but in a nested structure that models the path hierarchy.
parameters = store.get_parameters_with_hierarchy('/dev/')
assert parameters == {
'app': {
'secret': 'dev_secret',
},
'db': {
'postgres_username': 'dev_username',
'postgres_password': 'dev_password',
},
}
By default get_parameters_with_hierarchy
strips the leading path component. To return the selected parameters
with the full hierarchy, set strip_path
to False
.
parameters = store.get_parameters_with_hierarchy('/dev/', strip_path=False)
assert parameters == {
'dev': {
'app': {
'secret': 'dev_secret',
},
'db': {
'postgres_username': 'dev_username',
'postgres_password': 'dev_password',
},
},
}
The module includes a static method on EC2ParameterStore
to help populate environment variables. This can be helpful when integrating with a library like django-environ
.
Given the following parameters:
aws ssm put-parameter --name "/prod/django/SECRET_KEY" --value "-$y_^@69bm69+z!fawbdf=h_10+zjzfwr8_c=$$&j@-%p$%ct^" --type SecureString
aws ssm put-parameter --name "/prod/django/DATABASE_URL" --value "psql://user:pass@db-prod.xyz123.us-west-2.rds.amazonaws.com:5432/db" --type SecureString
aws ssm put-parameter --name "/prod/django/REDIS_URL" --value "redis://redis-prod.edc1ba.0001.usw2.cache.amazonaws.com:6379" --type SecureString
import environ
from ssm_parameter_store import EC2ParameterStore
env = environ.Env(
DEBUG=(bool, False)
)
# Get parameters and populate os.environ (region not required if AWS_DEFAULT_REGION environment variable set)
parameter_store = EC2ParameterStore(region_name='us-west-2')
django_parameters = parameter_store.get_parameters_by_path('/prod/django/', strip_path=True)
EC2ParameterStore.set_env(django_parameters)
# False if not in os.environ
DEBUG = env('DEBUG')
# Raises django's ImproperlyConfigured exception if SECRET_KEY not in os.environ
SECRET_KEY = env('SECRET_KEY')
DATABASES = {
# read os.environ['DATABASE_URL'] and raises ImproperlyConfigured exception if not found
'default': env.db(),
}
CACHES = {
'default': env.cache('REDIS_URL'),
}
- param-store – Python module to store secrets in secret stores
- ssm-cache – AWS System Manager Parameter Store caching client for Python