Closed Nanovox closed 1 year ago
Hi @Nanovox, thanks for the feature request. I think your use case should be added to this related issue: https://github.com/aws/aws-cli/issues/5982. We can continue using https://github.com/aws/aws-cli/issues/5982 to track the request going forward.
Also, for reading SSM parameters specifically, you might consider using Secrets Manager as documented here: https://docs.aws.amazon.com/systems-manager/latest/userguide/integration-ps-secretsmanager.html
Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
Describe the feature
Add the ability to read the new value for a parameter store key from a file or pipe without exposing its contents within command line arguments.
Use Case
When working with SSM Parameter Store keys using the AWS CLI, the put-parameter command takes a value using the --value parameter. On most operating systems, that command line argument has at least partial if not global exposure to other users on the system (e.g. within /proc information, while inspecting running processes).
Ideally, when working with secure strings in parameter store, you don't want anyone without proper access to see the value of that key, even if they are accessing the system where that key value originates.
Proposed Solution
Adjust the put-parameter command to accept a value from one or more of: file on the system, pipe from another process, non-printed standard input. For example:
aws ssm put-parameter ... --value-from-file /path/to/key_value.txt
cat /path/to/piped_key_value.txt | aws ssm put-parameter ...
Other Information
No response
Acknowledgements
CLI version used
2.11.2
Environment details (OS name and version, etc.)
macos / linux
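The exposure described under Use Case, as an added example that is not part of the original issue or of the AWS CLI: on Linux, a value passed as an argument can be read from /proc/<pid>/cmdline, while the same value supplied on stdin from a 0600 file cannot. `demo-cli`, `SECRET`, `STUB` and the function names are constructed stand-ins, and no AWS call is made.

```shell
#!/usr/bin/env bash
# Linux only (needs /proc). SECRET, demo-cli and the function names are
# constructed for this demo; no AWS call is made.
SECRET='constructed-demo-value-1234'

# argv of a PID as any local user running `ps` would see it (NUL -> space).
visible_argv() { tr '\0' ' ' < "/proc/$1/cmdline"; }

# Print "exposed" if SECRET appears in the PID's argv, else "hidden".
classify() {
    case "$(visible_argv "$1")" in
        *"$SECRET"*) echo exposed ;;
        *)           echo hidden ;;
    esac
}

# Stand-in for a long-running CLI call: drains stdin, then idles.
# The trailing ":" keeps the shell from exec'ing sleep and replacing its argv.
STUB='cat >/dev/null; sleep 3; :'

# Case 1: value passed as an argument, as with --value <secret>.
check_argv_passing() {
    local pid
    sh -c "$STUB" demo-cli --value "$SECRET" </dev/null >/dev/null 2>&1 &
    pid=$!
    sleep 1                        # let the child finish exec
    classify "$pid"
    kill "$pid" 2>/dev/null || true; wait "$pid" 2>/dev/null || true
}

# Case 2: value written to a 0600 file and supplied on stdin.
check_stdin_passing() {
    local f pid
    f=$(umask 077; mktemp)
    printf '%s' "$SECRET" > "$f"   # printf is a builtin: no argv of its own
    sh -c "$STUB" demo-cli < "$f" >/dev/null 2>&1 &
    pid=$!
    sleep 1
    classify "$pid"
    kill "$pid" 2>/dev/null || true; wait "$pid" 2>/dev/null || true
    rm -f "$f"
}

echo "argument: $(check_argv_passing)"
echo "stdin:    $(check_stdin_passing)"
```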