Simple AWS SSM Secrets Manager CLI Securely manage your AWS SSM Parameters — authenticate once via your OS keyring and easily list, get, write, or delete secrets.
- 🔐 Secure local credential storage using native OS keyrings
(via
keyring-node, powered bykeyring-rs) - 🧩 List / get / put / delete SSM parameters
- 🧠 Output formatting as
.envor JSON - 🪄 Works with AWS SSM Parameter Store, recursive listing included
- 🧰 Both CLI and programmatic API available
Install globally (recommended):
npm install -g @sidebase/ssm-secretsOr use via npx:
npx ssm-secrets --package @sidebase/ssm-secretsssm-secrets <command> [options]Run ssm-secrets --help or ssm-secrets <command> --help for details.
Store AWS credentials in your system keyring.
ssm-secrets authYou’ll be prompted for:
AWS Region: (default: eu-central-1)
AWS Access Key ID:
AWS Secret Access Key:
These are securely saved using your OS’s secret store:
- Linux: Secret Service / GNOME Keyring / KWallet
- macOS: Keychain Access
- Windows: Credential Manager
List all parameters under a given SSM path.
ssm-secrets list <path> [--format <env|json>]ssm-secrets list my/service
ssm-secrets list my/service --format envOutput formats:
json(default) → structured object ({"PARAM": "value"})env→ shell-style lines suitable forsource(PARAM='value')
Retrieve one parameter by path and name.
ssm-secrets get <path> <name>Example:
ssm-secrets get my/service DB_PASSWORDOutputs full JSON metadata from SSM.
Add or update a parameter in SSM.
ssm-secrets put <path> <name> <value>Aliases:
ssm-secrets write ...
ssm-secrets set ...Example:
ssm-secrets put my/service DB_PASSWORD supersecretDisplays when successful:
✅ Parameter stored with version 3
Remove a parameter from SSM.
ssm-secrets delete <path> <name>Example:
ssm-secrets delete my/service DB_PASSWORDOutputs:
✅ Parameter deleted
You can also use the API directly in Node.js:
import { listParameters, getParameter, putParameter, deleteParameter } from '@sidebase/ssm-secrets'
const secrets = await listParameters('my/service')
console.log(secrets)
await putParameter('my/service', 'DB_PASSWORD', 'supersecret')All functions automatically use the credentials stored via ssm-secrets auth.
The CLI supports exporting secrets in .env-compatible format:
ssm-secrets list my/app --format env > .envYou can then source them in a shell:
export $(cat .env | xargs)or directly
source <(ssm-secrets list my/app --format env)Credentials are stored securely in the system keyring via keyring-node:
| Platform | Backend used |
|---|---|
| Linux | Secret Service (works with GNOME Keyring / KWallet) |
| macOS | macOS Keychain |
| Windows | Credential Manager |
Nothing sensitive is stored in plaintext.
ssm-secrets auth
ssm-secrets put my/app DB_USER myuser
ssm-secrets put my/app DB_PASS mypassword
ssm-secrets list my/app --format envOutput:
DB_USER='myuser'
DB_PASS='mypassword'
MIT