Hi Sabir Mustafa, thanks for reading. If you are using the default KMS key for encryption, then when you put the parameter to AWS SSM parameter store, your command would look like this:

$ ~/demo/kms-ssm-decrypt (venv) ❯ aws ssm put-parameter --name “/demo/secret/parameter” --value “thisIsASecret” --type SecureString --description “This is a secret parameter”

Notice that we don’t pass --key-id argument to the command.

The Python script would stay the same, because the SSM parameter has the information about which key that was used to encrypt it and so, when you call decryption on it, it knows which key to use.

Written by

A passionate Software Engineer trying to leave a good legacy on earth

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store