# External Values
In addition to setting internal parameter values directly within CloudTruth, parameters can be created with external values referencing CloudTruth's external [integration sources](/configuration-management/integrations.md). External values can be used as [overrides](/configuration-management/parameters/parameter-management/managing-parameters.md) in any CloudTruth environment, and parameters can contain a mix of external and internal values.
First, set up CloudTruth integrations from your desired source.
| Integration | Source Setup |
| ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
| Azure | [Azure Key Vault](/configuration-management/integrations/azure-key-vault.md) (AKV) |
| AWS | [S3](/configuration-management/integrations/aws/s3.md) |
| AWS | [Parameter Store](/configuration-management/integrations/aws/parameter-store-ssm.md) (SSM) |
| AWS | [S](/configuration-management/integrations/aws/secrets-manager.md)[ecrets Manger](/configuration-management/integrations/aws/secrets-manager.md) |
| GitHub | [Repositories](/configuration-management/integrations/github.md) |
When creating or editing a parameter value, select the `External` value type.
You are now presented with an external value screen for setting integration source values. The *Location* window will display your configured integration sources. In the example below we have both an AWS and GitHub integration.
Depending on the source integration you will set an external value by selecting a key or querying a file for a key stored in your integration source file. We use the [JMESPath query language](https://jmespath.org/).
| **Integration** | **Source** | **External Selection** | **Type** |
| --------------- | ------------------------------------------------------------------------------------ | ---------------------- | -------------------------------- |
| AWS | [S3](/configuration-management/integrations/aws/s3.md) | JMESPath Query | file |
| AWS | [Parameter Store](/configuration-management/integrations/aws/parameter-store-ssm.md) | Key Selection | String; StringList; SecureString |
| AWS | [Secrets Manger](/configuration-management/integrations/aws/secrets-manager.md) | Key Selection | AWS secrets |
| GitHub | [Repositories](/configuration-management/integrations/github.md) | JMESPath Query | file |
**Key Selection**
This example uses SSM to select a key `TF_VAR_availability_zone_names` which sets the CloudTruth value to `["us-west-2a", "us-west-2b"]`.
#### **JMESPath File queries**
For integrations like AWS S3 and GitHub we use a [JMESPath selector](https://jmespath.org/) to query for a specific key from a supported file type to reference the external value. The following file types are supported:
* JSON
* XML
* YAML
* dotenv
* tfstate
The following example uses a JMESpath selector `timeout` to set the externally referenced value of `500` from the JSON content in the integration into to our CloudTruth parameter. You can test your reference by clicking "See Value" in order to display the contents of the Referenced Value. If the JMESPath selector does not return a valid result, error details will be displayed.
#### JMESPath with XML
XML with or without node attributes can be searched with JMESPath, however the expression can be a bit tricky. Consider the following simple XML content:
```
Natural
dean
castiel
```
A JMESPath query for `Data.Super` would give you the value `Natural`.
A JMESPath query for ``Data.Project.Parameter[?"@name"==`rowena`]."#text" | [0]`` would give you the value `castiel`. Let's break that down:
1. `Data.Project` inspects each "Project", creating an array.
2. ``Parameter[?"@name"==`rowena`]`` searches the array for a Parameter entry with a `name` attribute set to `rowena`.
3. `"#text"` extracts the textual content of that node.
4. `| [0]` takes the resulting array matches (from step 1), filtered by step 2 and returns the first one. Without this, the result is `['castiel']`.
### Secrets with External values
When referencing values from AWS Secrets Manager or Secure Strings from SSM the CloudTruth parameter must be [marked as a secret](/configuration-management/parameters/parameter-management/managing-parameters.md#edit-parameter-settings) in order to reference the secret value. If the CloudTruth Parameter is not marked as a secret the values will be locked.
Since AWS Secrets manager values are always secure, secrets manager is locked at the top level.
AWS Parameter store will intelligently only lock Secure String values.
### Refreshing External Values
Each time you use the integration explorer from the parameter edit panel, CloudTruth will read the content and store the value to satisfy configuration queries. You can also refresh all of the values CloudTruth is handling through an integration by visiting the Actions menu and selecting Import. Each integration has a mapped import action you can trigger from there to refresh all of the mapped external values for that integration.
In the future we plan to offer ways to keep the values synchronized automatically by watching the integration for changes through events and updating the values.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.cloudtruth.com/configuration-management/parameters/parameter-management/external-values.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.