aws ssm get-parameter rsa key output to file
Introduction
AWS Systems Manager Parameter Store is a convenient place to keep small secrets such as an RSA private key. The usual pattern is to store the key as a SecureString, retrieve it with aws ssm get-parameter, and write the decrypted value to a file only for the process that needs it.
The command is simple, but a few details matter: preserving line breaks, using decryption, and locking down file permissions. If any of those are missed, the resulting key file may be unreadable or unnecessarily exposed.
Basic Command
If the parameter already contains the PEM text with real newline characters, the most direct approach is a single aws ssm get-parameter call with --with-decryption, --query 'Parameter.Value' and --output text, redirected into the key file.
This works because:
- --with-decryption is required for SecureString; without it the API returns the ciphertext, not the key.
- --query 'Parameter.Value' extracts only the secret value.
- --output text prints the value as-is, without JSON formatting or quoting.
- Shell redirection writes the output to a file.
After that, id_rsa can be used by ssh, git, or deployment tooling.
Storing the Key Correctly
The best results come from storing the PEM content exactly as it should appear on disk, with its real line breaks and trailing newline. Size is rarely a problem: a Standard-tier parameter holds up to 4 KB, enough for a 4096-bit RSA key in PEM form; larger values need the Advanced tier (8 KB).
If you paste the key into Parameter Store with real line breaks, the retrieval command above usually produces the right file immediately.
To verify the result, have ssh-keygen read the file (for example to print its fingerprint or derive the public key). If ssh-keygen succeeds, the file format is valid.
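The whole sequence as an added shell example (not code from the original page): the retrieval call wrapped in a function so it can be stubbed, the file created under umask 077 so it is 0600 from the moment it exists, and ssh-keygen used as the check. The parameter name /deploy/ssh/id_rsa, the script name and the destination path are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: retrieve a SecureString PEM
# from Parameter Store, write it so it is never readable by others, and check
# it with ssh-keygen. The parameter name /deploy/ssh/id_rsa and the
# destination path are assumptions for the example.
set -eu

PARAM_NAME="${PARAM_NAME:-/deploy/ssh/id_rsa}"

# fetch_param prints the decrypted value of one SecureString parameter.
# It is a function so the AWS call can be stubbed when testing the script.
fetch_param() {
  aws ssm get-parameter \
    --name "$1" \
    --with-decryption \
    --query 'Parameter.Value' \
    --output text
}

# write_key_file creates the destination under umask 077, so a new file is
# 0600 from the moment it exists; the chmod covers a pre-existing file that
# had looser permissions.
write_key_file() {
  ( umask 077; fetch_param "$1" > "$2" )
  chmod 600 "$2"
}

# mode_is_0600 succeeds only when the permission bits are exactly 0600
# (find -perm with no leading "-" is an exact match, per POSIX).
mode_is_0600() {
  [ -n "$(find "$1" -prune -perm 600)" ]
}

# verify_key_file has ssh-keygen derive the public key: it fails on a
# malformed PEM and never prints the private material.
verify_key_file() {
  ssh-keygen -y -f "$1" > /dev/null
}

main() {
  write_key_file "$PARAM_NAME" "$1"
  mode_is_0600 "$1" || { echo "unexpected permissions on $1" >&2; exit 1; }
  verify_key_file "$1"
  echo "wrote and verified $1"
}

# Runs only when a destination is given, e.g.:
#   PARAM_NAME=/deploy/ssh/id_rsa ./get_key.sh "$HOME/.ssh/id_rsa"
if [ "$#" -gt 0 ]; then
  main "$1"
fi
```

Run it as PARAM_NAME=/deploy/ssh/id_rsa ./get_key.sh ~/.ssh/id_rsa. ssh-keygen -y prompts for a passphrase on an encrypted key, so the check assumes the stored key is unencrypted, as keys used by automation normally are.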
Handling Escaped Newlines
Sometimes teams store the key as one line with escaped newline sequences such as \n. In that case, plain redirection writes the backslash characters literally, which breaks the PEM file.
For that storage style, decode the escapes before writing: turn each literal backslash-n sequence into a real line break, and make sure the file ends with exactly one newline.
If you control the stored value, it is usually cleaner to fix the parameter instead of decoding on every retrieval.
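A decoder for that storage style as an added example (not from the original page), written so it is also a no-op on a correctly stored value, with a structural check that catches the single-line failure and a helper that rewrites the parameter once so the decoding is not needed again. The parameter name is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: accept a parameter value
# stored either with real line breaks or as one line with literal "\n",
# produce a correct PEM from it, and optionally rewrite the parameter so
# future retrievals need no decoding. Parameter names are assumptions.
set -eu

# decode_pem_escapes prints the PEM with real line breaks and exactly one
# trailing newline. printf '%b' expands backslash escapes in its argument,
# so each literal \n becomes a line break, while real line breaks pass
# through unchanged; applying it to a correctly stored value is a no-op.
# PEM headers and base64 bodies never contain a backslash, so nothing else
# is rewritten.
decode_pem_escapes() {
  decoded=$(printf '%b' "$1")   # $(...) strips trailing newlines
  printf '%s\n' "$decoded"
}

# pem_layout_ok succeeds when the text has a BEGIN line first, an END line
# last, and at least one line between them. A value whose \n sequences were
# written literally is a single line and fails this check.
pem_layout_ok() {
  printf '%s' "$1" | awk '
    NR == 1 && /^-----BEGIN [A-Z ]*PRIVATE KEY-----$/ { begin = 1 }
    /^-----END [A-Z ]*PRIVATE KEY-----$/              { end = NR }
    END { exit !(begin && end == NR && NR >= 3) }'
}

# fix_parameter rewrites PARAM with real line breaks. The value goes through
# a 0600 temp file and file:// so the key never appears on a command line.
# Add --key-id if the parameter is encrypted with a customer managed key;
# otherwise the overwrite falls back to the default aws/ssm key.
fix_parameter() {
  raw=$(aws ssm get-parameter --name "$1" --with-decryption \
        --query 'Parameter.Value' --output text)
  tmp=$(mktemp)
  trap 'rm -f "$tmp"' EXIT
  chmod 600 "$tmp"
  decode_pem_escapes "$raw" > "$tmp"
  pem_layout_ok "$(cat "$tmp")" || { echo "$1 does not decode to a PEM key" >&2; exit 1; }
  aws ssm put-parameter --name "$1" --type SecureString --overwrite \
    --value "file://$tmp"
}

# Usage (only runs when an argument is given):
#   ./fix_key_param.sh /deploy/ssh/id_rsa
if [ "$#" -eq 1 ]; then
  fix_parameter "$1"
fi
```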
A Safer Automation Pattern
For CI or deployment jobs, keep the key file ephemeral and remove it after use: write it into a private temporary directory, run the step that needs it, and delete it from an EXIT trap so cleanup happens even when the step fails. This keeps the private key out of a long-lived filename and cleans it up automatically.
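That pattern as an added shell example (not from the original page): a wrapper that fetches the key into a fresh mktemp -d directory, hands it to one command through GIT_SSH_COMMAND, and removes it from an EXIT trap. The parameter name and the KEY_FILE variable it exports to the command are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: run one command (a git
# clone, a deploy step) with the private key present only in a 0700
# temporary directory for the duration of that command. The parameter name
# and the KEY_FILE variable passed to the command are assumptions.
set -eu

fetch_param() {
  aws ssm get-parameter --name "$1" --with-decryption \
    --query 'Parameter.Value' --output text
}

# run_with_key PARAM COMMAND [ARGS...]
# The body runs in a subshell so the EXIT trap is scoped to this call and the
# caller's traps are untouched. The subshell inherits errexit, so a failing
# fetch or command ends it; on normal exit, on errexit and when the shell is
# terminated by a signal, the trap removes the directory holding the key.
# The command's exit status is returned to the caller.
run_with_key() {
  param="$1"; shift
  (
    dir=$(mktemp -d)                # mktemp -d creates the directory 0700
    trap 'rm -rf "$dir"' EXIT
    key="$dir/id_rsa"
    ( umask 077; fetch_param "$param" > "$key" )
    # IdentitiesOnly=yes stops ssh from offering agent keys before this one.
    KEY_FILE="$key" \
    GIT_SSH_COMMAND="ssh -i $key -o IdentitiesOnly=yes" \
      "$@"
  )
}

# Usage (only runs when arguments are given):
#   ./with_key.sh /deploy/ssh/id_rsa git clone git@github.com:org/repo.git
if [ "$#" -gt 1 ]; then
  run_with_key "$@"
fi
```

In CI, pair this with a pinned known_hosts entry (StrictHostKeyChecking=yes) so the ephemeral key is never offered to an unverified host.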
Windows and PowerShell Notes
On Windows, redirection can introduce encoding or newline surprises depending on the shell: Windows PowerShell 5.1 writes redirected output as UTF-16 with a byte-order mark, which OpenSSH does not accept as a key file, and CRLF line endings are a second source of trouble (PowerShell 7 defaults to UTF-8 without a BOM). In PowerShell, a safer pattern is to capture the decrypted value in a variable and write it with an explicit UTF-8 (no BOM) encoding, without appending an extra line.
Then restrict file permissions using the Windows ACL tools or the environment rules your organization follows; the Windows OpenSSH client also refuses a key file that other users can read.
IAM and KMS Permissions
The command will fail unless the caller can both read the parameter and decrypt the KMS key used for the SecureString. In practice that usually means:
- ssm:GetParameter on the parameter's ARN
- kms:Decrypt on the key that encrypts it
With the default AWS managed key (alias/aws/ssm), the key policy already lets principals in the account decrypt through Parameter Store, so ssm:GetParameter alone is often enough; with a customer managed key, the key policy must also allow the caller, and scoping kms:Decrypt with a kms:ViaService condition keeps the role from using the key outside Parameter Store.
If the parameter is referenced by path, some teams also allow ssm:GetParameters (batch reads) or ssm:GetParametersByPath (on the path prefix) for grouped secrets.
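A least-privilege version of that grant as an added example (not from the original page): a shell function that renders the inline policy for one parameter and one customer managed key, with kms:Decrypt restricted to calls made through Parameter Store, and a second function that attaches it with aws iam put-role-policy. The account, region, role, key ID and parameter name are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: build a least-privilege
# inline policy for a role that reads one SecureString parameter, and attach
# it with aws iam put-role-policy. Account ID, region, key ID, role name and
# the parameter /deploy/ssh/id_rsa are placeholders.
set -eu

# least_privilege_policy ACCOUNT REGION PARAM_NAME KMS_KEY_ID
# ssm:GetParameter is limited to the one parameter ARN, and kms:Decrypt to
# the one customer managed key and only when KMS is called on the role's
# behalf by Parameter Store (kms:ViaService), so the role cannot use the key
# to decrypt arbitrary ciphertext directly. The leading "/" of the parameter
# name is dropped because the ARN form is ...:parameter/deploy/ssh/id_rsa.
least_privilege_policy() {
  account="$1"; region="$2"; param="${3#/}"; key_id="$4"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOneParameter",
      "Effect": "Allow",
      "Action": "ssm:GetParameter",
      "Resource": "arn:aws:ssm:${region}:${account}:parameter/${param}"
    },
    {
      "Sid": "DecryptOnlyThroughParameterStore",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:${region}:${account}:key/${key_id}",
      "Condition": {
        "StringEquals": { "kms:ViaService": "ssm.${region}.amazonaws.com" }
      }
    }
  ]
}
EOF
}

# attach_policy ROLE ACCOUNT REGION PARAM_NAME KMS_KEY_ID
attach_policy() {
  role="$1"; shift
  aws iam put-role-policy \
    --role-name "$role" \
    --policy-name ReadDeployKeyParameter \
    --policy-document "$(least_privilege_policy "$@")"
}

# Usage (only runs when all five arguments are given):
#   ./grant_key_read.sh deploy-role 123456789012 us-east-1 /deploy/ssh/id_rsa 1234abcd-12ab-34cd-56ef-1234567890ab
if [ "$#" -eq 5 ]; then
  attach_policy "$@"
fi
```

The key policy of the customer managed key still has to allow the role (or delegate to IAM with the usual "kms:*" grant to the account root); the identity policy above is necessary but not sufficient on its own.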
Common Pitfalls
The most common mistake is forgetting --with-decryption. The command still returns data, but for a SecureString it is the base64 ciphertext, not the usable plaintext key.
Another common issue is storing the PEM with escaped \n sequences and then assuming --output text will repair the format. It will not. Either store real newlines or decode the escapes explicitly.
Permissions are also easy to overlook. OpenSSH ignores private keys that other users can read (the "UNPROTECTED PRIVATE KEY FILE" warning), so run chmod 600 after writing the file on Unix-like systems, or better, create it under umask 077 so it is never world-readable in the first place.
Finally, avoid printing the key in logs for debugging. A command such as cat id_rsa is convenient, but in CI it can leak the secret into build history, and shell tracing (set -x) does the same for any command line that carries the key as an argument. Validate the file with tools such as ssh-keygen instead.
Summary
- Use aws ssm get-parameter --with-decryption --query 'Parameter.Value' --output text to retrieve the key value.
- Writing to a file works best when the parameter stores the PEM with real line breaks.
- If the value contains escaped \n, decode it before saving.
- Lock down permissions with chmod 600 and clean up temporary key files after use.
- Make sure the caller has both ssm:GetParameter and kms:Decrypt.

