Hi Sabir Mustafa, thanks for reading. If you are using the default KMS key for encryption, then when you put the parameter to AWS SSM parameter store, your command would look like this:
$ ~/demo/kms-ssm-decrypt (venv) ❯ aws ssm put-parameter --name "/demo/secret/parameter" --value "thisIsASecret" --type SecureString --description "This is a secret parameter"
Notice that we don’t pass the --key-id argument to the command.
The Python script would stay the same, because the SSM parameter has the information about which key was used to encrypt it and so, when you call decryption on it, it knows which key to use.