Skip to main content
  1. Docs
  2. Secrets & Configuration
  3. Providers
  4. Secrets & config
  5. aws-parameter-store

aws-parameter-store

    The aws-parameter-store provider enables you to dynamically import parameters from AWS Systems Manager - Parameter Store into your Environment. The provider will return a map of names to parameters.

    Example

    values:
      aws:
        login:
          fn::open::aws-login:
            oidc:
              roleArn: arn:aws:iam::123456789:role/esc-oidc
              sessionName: pulumi-environments-session
        params:
          fn::open::aws-parameter-store:
            region: us-west-1
            login: ${aws.login}
            get:
              myKey:
                name: /myNamespace/myKey
              myKeyByVersion:
                name: /myNamespace/myKey:1
              myKeyByVersionLabel:
                name: /myNamespace/myKey:stable
              secureKey:
                name: /myNamespace/secureKey
                decrypt: true
              myList:
                name: /myNamespace/myList
      pulumiConfig:
        myKey: ${aws.params.myKey}
        secureKey: ${aws.params.secureKey}
    

    Schema reference

    Reference schemas last updated on 2026-07-11, synced automatically from the Pulumi Cloud ESC API.

    Inputs

    • get map[string]AWSParameterStoreGet required
      The parameters to get.
    • decrypt boolean optional
      Whether to decrypt the parameter value.
    • name string required
      The name of the parameter to get. You can include a version number or label after a colon.
    • login AWSLogin required
      The credentials to use to get parameters.
    • accessKeyId string required
      The AWS access key ID.
    • secretAccessKey string required
      The AWS secret access key.
    • sessionToken string optional
      The AWS session token, if any.
    • region string required
      The region in which the parameters are stored.

    Outputs

    A map from names to parameter values.

    Type: map[string]string

    Configuring OIDC

    To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and AWS, see the OpenID Connect integration documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following:

    • pulumi env open <org>/<project>/<environment> command of the Pulumi CLI
    • pulumi env open <org>/<project>/<environment> command of the Pulumi CLI

    Make sure to replace <org>, <project>, and <environment> with the values of your Pulumi organization and environment identifier respectively. You should see output similar to the following:

    {
      "aws": {
        "login": {
          "accessKeyId": "ASIA....",
          "secretAccessKey": "mWdm....",
          "sessionToken": "Fwo...."
        },
        "params": {
          "myKey": "latest value",
          "myKeyByVersion": "old value",
          "myKeyByVersionLabel": "stable value",
          "secureKey": "secret value",
          "myList": [
            "value 1",
            "value 2"
          ]
        }
      }
    }