Creating and Using a Custom Document with Parameter Store Variables

45 minutes
  • 6 Learning Objectives

About this Hands-on Lab

Systems Manager documents are an integral part of the Systems Manager service. They are at the heart of all the automation possible through SSM via JSON or YAML runbooks, which define steps to perform on a managed instance. In this lab, we’ll create a document that carries out some tasks on a managed instance and also uses an SSM parameter. Parameter Store offers scalable, hierarchical storage for configurations and secrets, with optional encryption.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Log in to the AWS Management Console and Navigate to Systems Manager
  1. Log in to the AWS Management Console using the credentials provided.
  2. Navigate to the Systems Manager console.
  3. On the left-hand menu, under Application Management, select Parameter Store.
Create SSM Parameter to Use in SSM Document
  1. Click Create parameter.
  2. Give the parameter the name "mysql-pass". Optionally, provide a description.
  3. Under Tier, select the Standard radio button.
  4. Under Types, select String.
  5. In the value input box below, enter a string value for your parameter.
  6. Leave the Tags field as its default.
  7. Click Create Parameter. This SSM parameter will be referenced in the SSM document provided later.

Note: SSM documents do not allow using secure string passwords. You’ll need an SSM API call to fetch any encrypted parameter, decrypt it, and then pass it as a parameter to an SSM document.
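
The fetch-then-pass flow this note describes, as an added example that is not part of the lab materials. It uses the boto3 SSM client calls get_parameter and send_command; the document name, instance ID and SecureString parameter name in the main block are hypothetical placeholders.

```python
# Added example, not lab code. `ssm` is a boto3 SSM client (or any object
# exposing the same get_parameter / send_command calls).

def fetch_secure_parameter(ssm, name):
    """Return the decrypted value of a SecureString parameter."""
    resp = ssm.get_parameter(Name=name, WithDecryption=True)
    param = resp["Parameter"]
    # Refuse to continue if the parameter is not actually stored encrypted.
    if param.get("Type") != "SecureString":
        raise ValueError(f"{name} is {param.get('Type')}, expected SecureString")
    return param["Value"]


def run_document_with_secret(ssm, document_name, instance_ids, secure_param,
                             doc_param="Password"):
    """Decrypt secure_param and pass it to the document as doc_param."""
    secret = fetch_secure_parameter(ssm, secure_param)
    resp = ssm.send_command(
        InstanceIds=list(instance_ids),
        DocumentName=document_name,
        # Run Command parameter values are lists of strings.
        Parameters={doc_param: [secret]},
    )
    # Return only the command ID so the secret is never printed or logged here.
    return resp["Command"]["CommandId"]


if __name__ == "__main__":
    import boto3  # assumed installed, with credentials and region configured

    command_id = run_document_with_secret(
        boto3.client("ssm"),
        document_name="Install-MariaDB",       # hypothetical document name
        instance_ids=["i-0123456789abcdef0"],  # placeholder instance ID
        secure_param="mysql-pass-secure",      # hypothetical SecureString parameter
    )
    print("Started command", command_id)
```
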

Create SSM Command Document
  1. In the left-hand menu, under Shared Resources, click Documents.
  2. Click Create command or session.
  3. Give your document a name.
  4. Leave the Target type dropdown field blank, which sets its value to / (meaning it targets all applicable resources).
    • You can also choose to select the particular resource you’re going to run this document against. In our case, we’ll run it against an EC2 instance; however, we’ll leave the target at its default value.
  5. Set the Document type to Command document.
Enter the Provided SSM Command Document Schema
  1. Under the Content section, choose the radio button for JSON and paste in the SSM Command document schema provided on the lab page.
  2. Leave the Document tags section as its default.
  3. Click Create document.
Execute the SSM Document
  1. Select the Owned by me tab, and click the document you created.
  2. Click Run command to execute your document.
  3. Leave Document version as Default.
  4. For Targets, select Choose instances manually.
  5. Select the listed AmazonLinux-Instance EC2 SSM managed instance.
  6. Uncheck the Enable writing to an S3 bucket option.
  7. Leave everything else as default, and click Run.
  8. After clicking Run, you’ll be taken to the Run Command page to track the progress/status of Run Command executing the document.
Use SSM Session to Connect to the Managed Instance and Verify

Navigate to the Session Manager page, click Start Session, select the AmazonLinux-Instance, and start a shell session with it to verify the document was successfully applied against the instance.

The SSM document in question installs the MariaDB database server, starts its service, sets a password, queries the database, and writes a file containing the database names to /root/db_output.txt.

sudo cat /root/db_output.txt

If verifying via SSM Session Manager:

You’ll be logged in to the shell session via Session Manager as sudo-enabled user ssm-user.


If the file db_output.txt doesn’t exist or is empty, it means that something did not go right.
In that case, check /var/log/amazon/ssm/amazon-ssm-agent.log

You can become root via sudo su - root or just prefix commands with sudo for verification.

Additional Resources

You've been tasked with setting up a database server. However, the company wants to keep control of sensitive data, such as any passwords for setting up new database servers.

Use the SSM Command document schema below when creating your document, and make sure you create an SSM parameter named mysql-pass:

{
  "schemaVersion": "2.2",
  "description": "Command Document Example JSON Template",
  "parameters": {
    "Packages": {
      "type": "String",
      "description": "MySQL package",
      "default": "mariadb-server"
    },
    "Password": {
      "type": "String",
      "description": "MySQL Password",
      "default": "{{ ssm:mysql-pass }}"
    }
  },
  "mainSteps": [
    {
      "action": "aws:runShellScript",
      "name": "Install_Configure_MariaDB",
      "inputs": {
        "runCommand": [
          "yum -y install {{ Packages }}",
          "systemctl start mariadb",
          "sleep 5;mysqladmin password {{ Password }};",
          "mysql -uroot -p{{ Password }} -e 'show databases;' > /root/db_output.txt"
        ]
      }
    }
  ]
}
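
A review check for command documents shaped like the one above, added here and not part of the lab materials: it lists each parameter substituted into an aws:runShellScript step that has no allowedPattern or allowedValues constraint, or whose default is resolved from Parameter Store. The sample document is a constructed, cut-down variant of the lab's schema; the allowedPattern on Packages is an addition for contrast.

```python
import json
import re

# Constructed sample: cut-down variant of the lab document (not the original).
SAMPLE_DOC = json.loads("""
{
  "schemaVersion": "2.2",
  "parameters": {
    "Packages": {"type": "String", "default": "mariadb-server",
                 "allowedPattern": "^[a-z0-9.+-]+$"},
    "Password": {"type": "String", "default": "{{ ssm:mysql-pass }}"}
  },
  "mainSteps": [{
    "action": "aws:runShellScript",
    "name": "Install_Configure_MariaDB",
    "inputs": {"runCommand": [
      "yum -y install {{ Packages }}",
      "mysqladmin password {{ Password }}"
    ]}
  }]
}
""")

# Matches {{ Name }} placeholders that refer to document parameters.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_.-]+)\s*\}\}")


def audit_document(doc):
    """Return sorted (step, parameter, finding) tuples for shell steps."""
    params = doc.get("parameters", {})
    findings = set()
    for step in doc.get("mainSteps", []):
        if step.get("action") != "aws:runShellScript":
            continue
        for line in step.get("inputs", {}).get("runCommand", []):
            for name in PLACEHOLDER.findall(line):
                spec = params.get(name)
                if spec is None:
                    findings.add((step["name"], name, "undeclared parameter"))
                    continue
                # Value is pasted into the shell line as-is; flag if unconstrained.
                if "allowedPattern" not in spec and "allowedValues" not in spec:
                    findings.add((step["name"], name, "no allowedPattern/allowedValues"))
                if "ssm:" in str(spec.get("default", "")):
                    findings.add((step["name"], name, "default read from Parameter Store"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_document(SAMPLE_DOC):
        print(*finding, sep=": ")
```
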
