DEV Community

Latchu@DevOps

🚀 Secure Your Scripts with AWS SSM Run Command + Parameter Interpolation

AWS just released a cool upgrade: you can now inject parameters into environment variables using Systems Manager Run Command. 🎉

This is a small change with a big impact, especially when handling secrets, passwords, or dynamic values inside scripts.

Let me show you how this works with a real example.


💥 The Problem

Let's say you want to run a script on an EC2 instance that takes database credentials. Before this update, you'd pass them as command-line args or embed them into the script. 😬 Risky!


✅ What's New?

Now, with parameter interpolation, you can:

  • Store secrets in SSM Parameter Store
  • Reference them safely in a Run Command
  • Inject them as environment variables into the script

🛠️ Step-by-Step Example: Secure DB Backup

1️⃣ Your script: backup-db.sh

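#!/bin/bash
echo "Starting DB backup..."
echo "Using user: $DB_USER"
# Hand the password to mysqldump through MYSQL_PWD instead of -p on the command line,
# where it would be visible in the process list. MySQL deprecates MYSQL_PWD; an option
# file is the longer-term alternative.
MYSQL_PWD="$DB_PASS" /usr/bin/mysqldump -u "$DB_USER" mydatabase > /tmp/backup.sql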


2️⃣ Store your parameters in SSM Parameter Store

Parameter Name Type Value
/myapp/dbuser String admin
/myapp/dbpass SecureString S3cr3tP@ss!

3️⃣ Run the command via SSM (with environment variable interpolation)

Here’s how it looks when you send the command (via the AWS CLI, SDK, or Automation):

{
  "DocumentName": "AWS-RunShellScript",
  "Parameters": {
    "commands": ["./backup-db.sh"],
    "executionTimeout": ["3600"],
    "workingDirectory": ["/home/ec2-user"]
  },
  "EnvironmentVariables": {
    "DB_USER": "{{ssm:/myapp/dbuser}}",
    "DB_PASS": "{{ssm:/myapp/dbpass}}"
  }
}


✅ This will:

  • Fetch the parameter values securely
  • Set them as DB_USER and DB_PASS
  • Run the script with zero hardcoded secrets

🔐 Why This Is Awesome

  • No more passing secrets on the CLI
  • Scripts stay reusable and secret-free
  • Parameters are pulled securely at runtime
  • Helps prevent command injection
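
The command-injection point in the list above, as an added example (not code from the original post or from AWS): it models a value spliced into the command text versus the same value handed over as an environment variable. The HOSTILE value and the function names are constructed for the demonstration.

```bash
#!/bin/sh
# Added illustration (constructed values): the same hostile value handled two ways.

# Constructed parameter value; the "payload" only prints a marker line.
HOSTILE='admin"; echo INJECTED; echo "'

# Unsafe: the value is spliced into the command text before the shell parses it,
# which is what rendering  echo "Using user: {{DB_USER}}"  by text substitution does.
run_inline() {
  rendered='echo "Using user: '"$1"'"'
  sh -c "$rendered"
}

# Safe: the command text is fixed; the value arrives in the environment and is
# expanded inside double quotes, after parsing, so it can never become syntax.
run_env() {
  DB_USER=$1 sh -c 'echo "Using user: $DB_USER"'
}

# True when the marker ran as its own command (a line that is exactly INJECTED).
was_injected() {
  printf '%s\n' "$1" | grep -qx 'INJECTED'
}

for mode in run_inline run_env; do
  out=$("$mode" "$HOSTILE")
  if was_injected "$out"; then verdict="payload executed"; else verdict="value stayed data"; fi
  printf '%-10s -> %s\n' "$mode" "$verdict"
done
```

The environment-variable form only holds up if the script keeps the variable quoted wherever it is used; an unquoted expansion or an eval of the value reopens the problem.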

⚡ Bonus: Use in PowerShell Too!

Just name your variables like ENV_VAR_NAME, and reference them in PowerShell as $env:ENV_VAR_NAME.


🔚 Final Thoughts

This is a subtle but powerful improvement for anyone using SSM Run Command for automation, patching, deployment, or compliance.

Less risk. More control. Cleaner scripts.

Let me know how you plan to use this! 💬
