AWS SSM Get-Parameter: RSA Key Output to File


Introduction

AWS Systems Manager Parameter Store is a convenient place to keep small secrets such as an RSA private key. The usual pattern is to store the key as a SecureString, retrieve it with aws ssm get-parameter, and write the decrypted value to a file only for the process that needs it.

The command is simple, but a few details matter: preserving line breaks, using decryption, and locking down file permissions. If any of those are missed, the resulting key file may be unreadable or unnecessarily exposed.

Basic Command

If the parameter already contains the PEM text with real newline characters, this is the most direct command:

bash
aws ssm get-parameter \
  --name "/prod/deploy/id_rsa" \
  --with-decryption \
  --query 'Parameter.Value' \
  --output text > id_rsa

chmod 600 id_rsa

This works because:

  • --with-decryption is required for a SecureString parameter.
  • --query 'Parameter.Value' extracts only the secret value.
  • --output text prints the value without JSON formatting or quotes.
  • Shell redirection writes the output to a file.

After that, id_rsa can be used by ssh, git, or deployment tooling.

Storing the Key Correctly

The best results come from storing the PEM content exactly as it should appear on disk:

text
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
...
-----END RSA PRIVATE KEY-----

If you paste the key into Parameter Store with real line breaks, the retrieval command above usually produces the right file immediately.

To verify the result:

bash
head -n 2 id_rsa
tail -n 2 id_rsa
ssh-keygen -y -f id_rsa >/dev/null

If ssh-keygen succeeds, the file format is valid.

Handling Escaped Newlines

Sometimes teams store the key as one line with escaped newline sequences such as \n. In that case, plain redirection writes the backslash characters literally, which breaks the PEM file.

For that storage style, decode the escapes before writing:

bash
aws ssm get-parameter \
  --name "/prod/deploy/id_rsa_escaped" \
  --with-decryption \
  --query 'Parameter.Value' \
  --output text | python3 -c 'import sys; print(sys.stdin.read().encode().decode("unicode_escape"), end="")' > id_rsa

chmod 600 id_rsa

That transforms the escaped newlines into real line breaks.

If you control the stored value, it is usually cleaner to fix the parameter instead of decoding on every retrieval.
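A helper that copes with both storage styles, added here as an example and not part of the original article: it reads the raw parameter value from stdin, detects a one-line value containing literal \n sequences and expands them with POSIX printf '%b' (used in place of the Python one-liner above), creates the file with mode 0600 from the outset by setting umask before the file exists, and checks the PEM framing before reporting success. The parameter name in the usage comment is the one used throughout this article; the fetch command itself is assumed to be the aws ssm get-parameter invocation shown earlier.

```shell
#!/bin/sh
# Added example, not from the original article. Pipe the raw parameter value
# into write_key_file; it handles both real and escaped ("\n") newlines.
#
#   aws ssm get-parameter --name "/prod/deploy/id_rsa" --with-decryption \
#     --query 'Parameter.Value' --output text | write_key_file ./id_rsa

# Read the whole value from stdin and emit it with real line breaks.
# A value containing a literal backslash-n is treated as escaped and expanded
# with printf '%b' (POSIX); anything else is passed through unchanged.
normalize_pem() {
  value="$(cat)"                      # $(...) strips trailing newlines only
  case "$value" in
    *'\n'*) printf '%b\n' "$value" ;; # decode \n escapes into newlines
    *)      printf '%s\n' "$value" ;; # already multi-line
  esac
}

# Write stdin to the path in $1 as a 0600 file. The umask is applied before
# the file is created, so there is no window where it is group/world-readable;
# the chmod afterwards covers a pre-existing file with wider permissions.
# Then check that the result at least looks like a PEM block.
# Returns non-zero on any failure.
write_key_file() {
  out="$1"
  ( umask 077; normalize_pem > "$out" ) || return 1
  chmod 600 "$out" || return 1
  head -n 1 "$out" | grep -q '^-----BEGIN ' || return 1
  tail -n 1 "$out" | grep -q '^-----END ' || return 1
}
```

The framing check is deliberately weak (it only looks at the first and last lines); for a real validation run ssh-keygen -y -f on the file as shown earlier.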

A Safer Automation Pattern

For CI or deployment jobs, keep the key file ephemeral and remove it after use:

bash
set -euo pipefail

tmp_key="$(mktemp)"
trap 'rm -f "$tmp_key"' EXIT

aws ssm get-parameter \
  --name "/prod/deploy/id_rsa" \
  --with-decryption \
  --query 'Parameter.Value' \
  --output text > "$tmp_key"

chmod 600 "$tmp_key"
# <git-host> stands for your Git server. StrictHostKeyChecking=no skips host key
# verification; prefer a pre-populated known_hosts file where you can.
GIT_SSH_COMMAND="ssh -i $tmp_key -o StrictHostKeyChecking=no" git ls-remote git@<git-host>:example/private-repo.git

This keeps the private key out of a long-lived filename and cleans it up automatically.

Windows and PowerShell Notes

On Windows, redirection can introduce encoding or newline surprises depending on the shell. In PowerShell, a safer pattern is:

powershell
# PowerShell captures each output line as a separate string, so join them
# back with LF before writing; otherwise the PEM collapses onto one line.
$lines = aws ssm get-parameter `
  --name "/prod/deploy/id_rsa" `
  --with-decryption `
  --query "Parameter.Value" `
  --output text
$key = ($lines -join "`n") + "`n"

# .NET resolves relative paths against the process working directory, not
# PowerShell's current location, so build an absolute path explicitly, and
# write UTF-8 without a byte-order mark so OpenSSH can parse the file.
$path = Join-Path (Get-Location).Path "id_rsa"
[System.IO.File]::WriteAllText($path, $key, [System.Text.UTF8Encoding]::new($false))

Then restrict file permissions using the Windows tools or the environment rules your organization follows.

IAM and KMS Permissions

The command will fail unless the caller can both read the parameter and decrypt the KMS key used for the SecureString. In practice that usually means:

  • ssm:GetParameter
  • kms:Decrypt

If the parameter is referenced by path, some teams also allow ssm:GetParameters or ssm:GetParametersByPath for grouped secrets.
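A least-privilege identity policy for the caller, added here as an illustration rather than taken from the article. REGION, ACCOUNT_ID and KEY_ID are placeholders to fill in; the parameter path is the one used in the examples above. The kms:ViaService condition is a standard KMS condition key that limits the decrypt grant to requests made through Parameter Store in that region, so the same key cannot be used directly by the caller for anything else.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadDeployKeyParameter",
      "Effect": "Allow",
      "Action": "ssm:GetParameter",
      "Resource": "arn:aws:ssm:REGION:ACCOUNT_ID:parameter/prod/deploy/id_rsa"
    },
    {
      "Sid": "DecryptOnlyViaParameterStore",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "ssm.REGION.amazonaws.com"
        }
      }
    }
  ]
}
```

If the key is a customer-managed KMS key, its key policy must also allow the caller (or the account's IAM policies) to use it; the identity policy alone is not sufficient for a key whose policy does not delegate to IAM.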

Common Pitfalls

The most common mistake is forgetting --with-decryption. The command still returns data, but for a SecureString that data is the encrypted ciphertext, not the usable plaintext value.

Another common issue is storing the PEM with escaped \n sequences and then assuming --output text will repair the format. It will not. Either store real newlines or decode the escapes explicitly.

Permissions are also easy to overlook. OpenSSH rejects private keys that are too permissive, so run chmod 600 after writing the file on Unix-like systems.

Finally, avoid printing the key in logs for debugging. A command such as cat id_rsa is convenient, but in CI it can leak the secret into build history. Validate the file with tools such as ssh-keygen instead.

Summary

  • Use aws ssm get-parameter --with-decryption --query 'Parameter.Value' --output text to retrieve the key value.
  • Writing to a file works best when the parameter stores the PEM with real line breaks.
  • If the value contains escaped \n, decode it before saving.
  • Lock down permissions with chmod 600 and clean up temporary key files after use.
  • Make sure the caller has both ssm:GetParameter and kms:Decrypt.
