# Parameter Store (SSM)

This AWS integration allows you to configure CloudTruth External Parameters from your AWS Parameter Store.

## Adding Integrations

{% hint style="info" %}
If you already have a CloudTruth AWS integration you can add AWS SSM by editing the existing account, selecting this integration and adding the [SSM inline policy](#ssm-parameter-store-inline-policy). The [Terraform](/configuration-management/integrations/aws/setup-aws-role.md#use-terraform-to-give-cloudtruth-access) and [CloudFormation](/configuration-management/integrations/aws/setup-aws-role.md#use-cloudformation-to-give-cloudtruth-access) role setup methods automatically create the SSM inline policy.
{% endhint %}

To create a new or additional AWS account click `Add AWS Account` from the Integrations AWS page to bring up the add account pane. Add a name for the AWS account, your specific AWS account ID and the AWS account role name. CloudTruth allows you to select regions where your resources exist, all US regions are enabled by default.

The SSM Parameter store integration supports [CloudTruth push actions](/configuration-management/actions/push-actions.md#push-action). To enable Push Actions select `Write Access` for the integration and apply the [write access inline policy for SSM](#ssm-parameter-store-inline-policy).

Check the SSM Parameter Store integration and click `Save`.

![](/files/JmqXhogzRqKojH3aKRPi)

The AWS account will enter an Integration Error state until the AWS role is configured. An auto generated **External Id** will be created to use in the [AWS Role Creation](/configuration-management/integrations/aws/setup-aws-role.md).

![](/files/5VXmQR1RcGRtCv9Q47z8)

#### Configuring the AWS Role

With the provided **External ID** create your AWS Role.

{% content-ref url="/pages/-MWATLnEfo1hmkQ4RC3m" %}
[AWS Role](/configuration-management/integrations/aws/setup-aws-role.md)
{% endcontent-ref %}

## SSM Parameter Store Inline Policy

Adding an Inline Policy to the AWS Role allows CloudTruth secure access to the selected integration service. The inline policy is automatically created if you used [CloudFormation](/configuration-management/integrations/aws/setup-aws-role.md#use-cloudformation-to-give-cloudtruth-access) or [Terraform](/configuration-management/integrations/aws/setup-aws-role.md#use-terraform-to-give-cloudtruth-access) to create the role.

From the [AWS IAM Console](https://console.aws.amazon.com/iam/home) select the role that you created for CloudTruth access.

![](/files/HsRbyHok5GZ3rybpqrYp)

Click `Add Inline Policy`.

![](/files/Qx6aR2hlUe0wkqkuXYux)

Click the `JSON` Tab.

![](/files/4eBX1kKs9aurLuzPAFcg)

Paste in the following JSON for the SSM Parameter Store integration policy and click `Review Policy`.

#### External Parameter Policy

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ParameterAccess",
            "Action": [
                "ssm:DescribeParameters",
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:GetParametersByPath"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

#### Write Access Parameter Policy for [Push Actions](/configuration-management/actions/push-actions.md#push-action)

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ParameterAccess",
            "Action": [
                "ssm:AddTagsToResource",
                "ssm:DeleteParameter",
                "ssm:DescribeParameters",
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:ListTagsForResource",
                "ssm:PutParameter",
                "ssm:RemoveTagsFromResource",
                "tag:GetResources"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

Type in a name for the policy and click `Create Policy`.

![](/files/sxElxUQuSec2Ax1o6N7t)

{% hint style="success" %}
:clap:Setup is now complete for both the AWS Role and Policy. After refreshing by clicking "Check Integration Status" the CloudTruth integration will now show as "Connected", and you can begin creating [External Parameter values](https://app.gitbook.com/@cloudtruth/s/staging/~/drafts/-MVXd5xAL1NKUBwPEBhY/configuration-management/parameters/using-dynamic-values/@drafts) that reference your AWS resources.
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.cloudtruth.com/configuration-management/integrations/aws/parameter-store-ssm.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.