aws-parameter-store

    The aws-parameter-store provider enables you to dynamically import parameters from AWS Systems Manager Parameter Store into your Environment. The provider returns a map of names to parameters.

    Example

    aws:
      login:
        fn::open::aws-login:
          oidc:
            roleArn: arn:aws:iam::123456789:role/esc-oidc
            sessionName: pulumi-environments-session
      params:
        fn::open::aws-parameter-store:
          region: us-west-1
          login: ${aws.login}
          get:
            myKey:
              name: /myNamespace/myKey
            myKeyByVersion:
              name: /myNamespace/myKey:1
            myKeyByVersionLabel:
              name: /myNamespace/myKey:stable
            secureKey:
              name: /myNamespace/secureKey
              decrypt: true
            myList:
              name: /myNamespace/myList
    

    Configuring OIDC

    To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and AWS, see the OpenID Connect integration documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following:

    • esc open <org>/<project>/<environment> command of the Pulumi ESC CLI
    • pulumi env open <org>/<project>/<environment> command of the Pulumi CLI

    Make sure to replace <org>, <project>, and <environment> with the values of your Pulumi organization, project, and environment respectively. You should see output similar to the following:

    {
      "aws": {
        "login": {
          "accessKeyId": "ASIA....",
          "secretAccessKey": "mWdm....",
          "sessionToken": "Fwo...."
        },
        "params": {
          "myKey": "latest value",
          "myKeyByVersion": "old value",
          "myKeyByVersionLabel": "stable value",
          "secureKey": "secret value",
          "myList": [
            "value 1",
            "value 2"
          ]
        }
      }
    }
    

    Inputs

    | Property | Type | Description |
    |----------|------|-------------|
    | region | string | The AWS region to use. |
    | login | AWSParameterStoreLogin | Credentials to use to log in to AWS. |
    | get | map[string]AWSParameterStoreGet | A map from names to parameters to read from AWS Parameter Store. The outputs will map each name to the parameter's data. |

    AWSParameterStoreLogin

    | Property | Type | Description |
    |----------|------|-------------|
    | accessKeyId | string | The AWS access key ID |
    | secretAccessKey | string | The AWS secret access key |
    | sessionToken | string | [Optional] - The AWS session token, if any. |

    AWSParameterStoreGet

    | Property | Type | Description |
    |----------|------|-------------|
    | name | string | The name of the parameter to import. To query by parameter label, use "name": "name:label". To query by parameter version, use "name": "name:version". |
    | decrypt | boolean | [Optional] - Whether to decrypt the value. Only affects values of type SecureString. |
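
An added example, not part of the Pulumi documentation or the provider's code: it derives a read-only IAM policy for the OIDC role that covers exactly the parameters named in the `get` map of the example environment, stripping the `:version` and `:label` selectors because they are not part of the parameter ARN. Assumptions: the provider reads through `ssm:GetParameter`/`ssm:GetParameters`, the KMS key ARN is a placeholder, and `split_selector`, `parameter_arn` and `build_policy` are hypothetical helper names.

```python
import json

# Constructed sample: the `get` map from the example environment on this page.
GET = {
    "myKey": {"name": "/myNamespace/myKey"},
    "myKeyByVersion": {"name": "/myNamespace/myKey:1"},
    "myKeyByVersionLabel": {"name": "/myNamespace/myKey:stable"},
    "secureKey": {"name": "/myNamespace/secureKey", "decrypt": True},
    "myList": {"name": "/myNamespace/myList"},
}


def split_selector(name):
    """Split 'name:version' or 'name:label' into (base, kind, selector)."""
    base, sep, sel = name.partition(":")
    if not sep:
        return base, "latest", None
    return base, ("version" if sel.isdigit() else "label"), sel


def parameter_arn(region, account, name):
    """ARN of the parameter; the version/label selector is not part of it."""
    base = split_selector(name)[0]
    return f"arn:aws:ssm:{region}:{account}:parameter/{base.lstrip('/')}"


def build_policy(get, region, account, kms_key_arn=None):
    """Read-only policy limited to the parameters named in the `get` map."""
    arns = sorted({parameter_arn(region, account, g["name"]) for g in get.values()})
    statements = [{
        "Effect": "Allow",
        # Assumption: the provider reads through these SSM actions.
        "Action": ["ssm:GetParameter", "ssm:GetParameters"],
        "Resource": arns,
    }]
    # kms:Decrypt only matters when an entry sets decrypt: true and the
    # SecureString is encrypted with a customer managed key.
    if kms_key_arn and any(g.get("decrypt") for g in get.values()):
        statements.append({"Effect": "Allow", "Action": ["kms:Decrypt"],
                           "Resource": [kms_key_arn]})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # The KMS key ARN below is a placeholder, not a value from the page.
    policy = build_policy(GET, "us-west-1", "123456789",
                          "arn:aws:kms:us-west-1:123456789:key/EXAMPLE-KEY-ID")
    print(json.dumps(policy, indent=2))
```

The five `get` entries collapse to three parameter ARNs, since the versioned and labelled reads target the same parameter as `myKey`.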

    Outputs

    | Property | Type | Description |
    |----------|------|-------------|
    | N/A | object | A map of names to imported parameters. |