Parameters
The parameters utility provides high-level functions to retrieve one or multiple parameter values from AWS Systems Manager Parameter Store, AWS Secrets Manager, AWS AppConfig, Amazon DynamoDB, or bring your own.
Key features¶
- Retrieve one or multiple parameters from the underlying provider
- Cache parameter values for a given amount of time (defaults to 5 seconds)
- Transform parameter values from JSON or base 64 encoded strings
- Bring Your Own Parameter Store Provider
Getting started¶
By default, we fetch parameters from System Manager Parameter Store, secrets from Secrets Manager, and application configuration from AppConfig.
IAM Permissions¶
This utility requires additional permissions to work as expected.
Note
Different parameter providers require different permissions.
Provider | Function/Method | IAM Permission |
---|---|---|
SSM | get_parameter , SSMProvider.get |
ssm:GetParameter |
SSM | get_parameters , SSMProvider.get_multiple |
ssm:GetParametersByPath |
SSM | get_parameters_by_name , SSMProvider.get_parameters_by_name |
ssm:GetParameter and ssm:GetParameters |
SSM | If using decrypt=True |
You must add an additional permission kms:Decrypt |
Secrets | get_secret , SecretsManager.get |
secretsmanager:GetSecretValue |
DynamoDB | DynamoDBProvider.get |
dynamodb:GetItem |
DynamoDB | DynamoDBProvider.get_multiple |
dynamodb:Query |
AppConfig | get_app_config , AppConfigProvider.get_app_config |
appconfig:GetLatestConfiguration and appconfig:StartConfigurationSession |
Fetching parameters¶
You can retrieve a single parameter using get_parameter
high-level function.
Fetching a single parameter | |
---|---|
1 2 3 4 5 |
|
For multiple parameters, you can use either:
get_parameters
to recursively fetch all parameters by path.get_parameters_by_name
to fetch distinct parameters by their full name. It also accepts custom caching, transform, decrypt per parameter.
1 2 3 4 5 6 7 8 |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
|
get_parameters_by_name
supports graceful error handling
By default, we will raise GetParameterError
when any parameter fails to be fetched. You can override it by setting raise_on_error=False
.
When disabled, we take the following actions:
- Add failed parameter name in the
_errors
key, e.g.,{_errors: ["/param1", "/param2"]}
- Keep only successful parameter names and their values in the response
- Raise
GetParameterError
if any of your parameters is named_errors
Graceful error handling | |
---|---|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
|
Fetching secrets¶
You can fetch secrets stored in Secrets Manager using get_secrets
.
Fetching secrets | |
---|---|
1 2 3 4 5 |
|
Fetching app configurations¶
You can fetch application configurations in AWS AppConfig using get_app_config
.
The following will retrieve the latest version and store it in the cache.
Fetching latest config from AppConfig | |
---|---|
1 2 3 4 5 |
|
Advanced¶
Adjusting cache TTL¶
Tip
max_age
parameter is also available in high level functions like get_parameter
, get_secret
, etc.
By default, we cache parameters retrieved in-memory for 5 seconds.
You can adjust how long we should keep values in cache by using the param max_age
, when using get()
or get_multiple()
methods across all providers.
Caching parameter(s) value in memory for longer than 5 seconds | |
---|---|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
|
Always fetching the latest¶
If you'd like to always ensure you fetch the latest parameter from the store regardless if already available in cache, use force_fetch
param.
Forcefully fetching the latest parameter whether TTL has expired or not | |
---|---|
1 2 3 4 5 |
|
Built-in provider class¶
For greater flexibility such as configuring the underlying SDK client used by built-in providers, you can use their respective Provider Classes directly.
Tip
This can be used to retrieve values from other regions, change the retry behavior, etc.
SSMProvider¶
Example with SSMProvider for further extensibility | |
---|---|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
|
The AWS Systems Manager Parameter Store provider supports two additional arguments for the get()
and get_multiple()
methods:
Parameter | Default | Description |
---|---|---|
decrypt | False |
Will automatically decrypt the parameter. |
recursive | True |
For get_multiple() only, will fetch all parameter values recursively based on a path prefix. |
Example with get() and get_multiple() | |
---|---|
1 2 3 4 5 6 7 8 |
|
SecretsProvider¶
Example with SecretsProvider for further extensibility | |
---|---|
1 2 3 4 5 6 7 8 9 |
|
DynamoDBProvider¶
The DynamoDB Provider does not have any high-level functions, as it needs to know the name of the DynamoDB table containing the parameters.
DynamoDB table structure for single parameters
For single parameters, you must use id
as the partition key for that table.
Example
DynamoDB table with id
partition key and value
as attribute
id | value |
---|---|
my-parameter | my-value |
With this table, dynamodb_provider.get("my-param")
will return my-value
.
1 2 3 4 5 6 7 |
|
You can initialize the DynamoDB provider pointing to DynamoDB Local using endpoint_url
parameter:
1 2 3 |
|
DynamoDB table structure for multiple values parameters
You can retrieve multiple parameters sharing the same id
by having a sort key named sk
.
Example
DynamoDB table with id
primary key, sk
as sort keyand
value` as attribute
id | sk | value |
---|---|---|
my-hash-key | param-a | my-value-a |
my-hash-key | param-b | my-value-b |
my-hash-key | param-c | my-value-c |
With this table, dynamodb_provider.get_multiple("my-hash-key")
will return a dictionary response in the shape of sk:value
.
1 2 3 4 5 6 7 8 9 10 11 12 |
|
1 2 3 4 5 |
|
Customizing DynamoDBProvider
DynamoDB provider can be customized at initialization to match your table structure:
Parameter | Mandatory | Default | Description |
---|---|---|---|
table_name | Yes | (N/A) | Name of the DynamoDB table containing the parameter values. |
key_attr | No | id |
Hash key for the DynamoDB table. |
sort_attr | No | sk |
Range key for the DynamoDB table. You don't need to set this if you don't use the get_multiple() method. |
value_attr | No | value |
Name of the attribute containing the parameter value. |
Customizing DynamoDBProvider to suit your table design | |
---|---|
1 2 3 4 5 6 7 8 9 10 11 |
|
AppConfigProvider¶
Using AppConfigProvider | |
---|---|
1 2 3 4 5 6 7 8 9 |
|
Create your own provider¶
You can create your own custom parameter store provider by inheriting the BaseProvider
class, and implementing both _get()
and _get_multiple()
methods to retrieve a single, or multiple parameters from your custom store.
All transformation and caching logic is handled by the get()
and get_multiple()
methods from the base provider class.
Here is an example implementation using S3 as a custom parameter store:
Creating a S3 Provider to fetch parameters | |
---|---|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 |
|
Deserializing values with transform parameter¶
For parameters stored in JSON or Base64 format, you can use the transform
argument for deserialization.
Info
The transform
argument is available across all providers, including the high level functions.
1 2 3 4 |
|
1 2 3 4 5 6 7 8 9 10 |
|
Partial transform failures with get_multiple()
¶
If you use transform
with get_multiple()
, you can have a single malformed parameter value. To prevent failing the entire request, the method will return a None
value for the parameters that failed to transform.
You can override this by setting the raise_on_transform_error
argument to True
. If you do so, a single transform error will raise a TransformParameterError
exception.
For example, if you have three parameters, /param/a, /param/b and /param/c, but /param/c is malformed:
Raising TransformParameterError at first malformed parameter | |
---|---|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
|
Auto-transform values on suffix¶
If you use transform
with get_multiple()
, you might want to retrieve and transform parameters encoded in different formats.
You can do this with a single request by using transform="auto"
. This will instruct any Parameter to to infer its type based on the suffix and transform it accordingly.
Info
transform="auto"
feature is available across all providers, including the high level functions.
Deserializing parameter values based on their suffix | |
---|---|
1 2 3 4 5 6 |
|
For example, if you have two parameters with the following suffixes .json
and .binary
:
Parameter name | Parameter value |
---|---|
/param/a.json | [some encoded value] |
/param/a.binary | [some encoded value] |
The return of ssm_provider.get_multiple("/param", transform="auto")
call will be a dictionary like:
1 2 3 4 |
|
Passing additional SDK arguments¶
You can use arbitrary keyword arguments to pass it directly to the underlying SDK method.
1 2 3 4 5 6 7 |
|
Here is the mapping between this utility's functions and methods and the underlying SDK:
Provider | Function/Method | Client name | Function name |
---|---|---|---|
SSM Parameter Store | get_parameter |
ssm |
get_parameter |
SSM Parameter Store | get_parameters |
ssm |
get_parameters_by_path |
SSM Parameter Store | SSMProvider.get |
ssm |
get_parameter |
SSM Parameter Store | SSMProvider.get_multiple |
ssm |
get_parameters_by_path |
Secrets Manager | get_secret |
secretsmanager |
get_secret_value |
Secrets Manager | SecretsManager.get |
secretsmanager |
get_secret_value |
DynamoDB | DynamoDBProvider.get |
dynamodb |
(Table resource) |
DynamoDB | DynamoDBProvider.get_multiple |
dynamodb |
(Table resource) |
App Config | get_app_config |
appconfig |
get_configuration |
Bring your own boto client¶
You can use boto3_client
parameter via any of the available Provider Classes. Some providers expect a low level boto3 client while others expect a high level boto3 client, here is the mapping for each of them:
Provider | Type | Boto client construction |
---|---|---|
SSMProvider | low level | boto3.client("ssm") |
SecretsProvider | low level | boto3.client("secrets") |
AppConfigProvider | low level | boto3.client("appconfig") |
DynamoDBProvider | high level | boto3.resource("dynamodb") |
Bringing them together in a single code snippet would look like this:
Example: passing a custom boto3 client for each provider | |
---|---|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
|
When is this useful?
Injecting a custom boto3 client can make unit/snapshot testing easier, including SDK customizations.
Customizing boto configuration¶
The config
, boto3_session
, and boto3_client
parameters enable you to pass in a custom botocore config object , boto3 session, or a boto3 client when constructing any of the built-in provider classes.
Tip
You can use a custom session for retrieving parameters cross-account/region and for snapshot testing.
When using VPC private endpoints, you can pass a custom client altogether. It's also useful for testing when injecting fake instances.
1 2 3 4 5 6 7 8 9 10 |
|
1 2 3 4 5 6 7 8 9 10 |
|
1 2 3 4 5 6 7 8 9 10 |
|
Testing your code¶
Mocking parameter values¶
For unit testing your applications, you can mock the calls to the parameters utility to avoid calling AWS APIs. This can be achieved in a number of ways - in this example, we use the pytest monkeypatch fixture to patch the parameters.get_parameter
method:
1 2 3 4 5 6 7 8 9 10 |
|
1 2 3 4 5 6 |
|
If we need to use this pattern across multiple tests, we can avoid repetition by refactoring to use our own pytest fixture:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
|
Alternatively, if we need more fully featured mocking (for example checking the arguments passed to get_parameter
), we
can use unittest.mock from the python stdlib instead of pytest's monkeypatch
fixture. In this example, we use the
patch decorator to replace the aws_lambda_powertools.utilities.parameters.get_parameter
function with a MagicMock
object named get_parameter_mock
.
1 2 3 4 5 6 7 8 9 10 11 |
|
Clearing cache¶
Parameters utility caches all parameter values for performance and cost reasons. However, this can have unintended interference in tests using the same parameter name.
Within your tests, you can use clear_cache
method available in every provider. When using multiple providers or higher level functions like get_parameter
, use clear_caches
standalone function to clear cache globally.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
|
1 2 3 4 5 6 7 8 9 |
|