AWS SSM Config Store
@purista/aws-config-store uses AWS Systems Manager Parameter Store as the config backend. It is the natural choice for AWS-native stacks: values are versioned, changes are audited in CloudTrail, and access is controlled with IAM policies — no extra secrets management needed.
Capabilities
| Feature | Support |
|---|---|
| Read (getConfig) | ✅ |
| Write (setConfig) | ✅ (opt-in) |
| Delete (removeConfig) | ✅ (opt-in) |
| Versioned parameters | ✅ |
| CloudTrail audit trail | ✅ |
| SecureString (KMS encryption) | ✅ |
| IAM-native access control | ✅ |
Install
```bash
npm install @purista/aws-config-store
```
Setup
```typescript
import { AWSConfigStore } from '@purista/aws-config-store'

const configStore = new AWSConfigStore({
  config: {
    client: {
      region: process.env.AWS_REGION ?? 'us-east-1',
    },
  },
  // Write and delete are opt-in; enable them only for services that need to write
  enableSet: true,
  enableRemove: true,
})

// Pass the store to the service instance
const myService = await myV1Service.getInstance(eventBridge, { configStore })
```
Authentication uses the standard AWS credential chain — IAM roles, environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), or EC2/ECS/EKS instance profiles all work without any extra configuration.
Usage inside a handler
```typescript
.setCommandFunction(async function (context, payload) {
  const { apiBaseUrl } = await context.configs.getConfig('apiBaseUrl')
  await context.configs.setConfig('featureFlags', JSON.stringify({ newCheckout: true }))
})
```
IAM policy
Minimum permissions for read-only access:
```json
{
  "Effect": "Allow",
  "Action": [
    "ssm:GetParameter",
    "ssm:GetParameters"
  ],
  "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/myapp/*"
}
```
Add ssm:PutParameter and ssm:DeleteParameter only to services that need to write.
Operational tips
- Use a path prefix per service and environment (/myapp/prod/user-service/) to scope IAM policies precisely
- Prefer SecureString type with KMS for values that are sensitive but still configuration (not secrets — those belong in Secrets Manager)
- SSM Parameter Store has API rate limits; use the GetParameters batch call (which the store adapter does automatically) to stay within limits
- Changes to parameters are visible in CloudTrail — useful for compliance and debugging
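
The IAM policy section and the path-prefix tip above, combined as an added TypeScript example (not code from @purista/aws-config-store): it derives the minimal statement for one service from its path prefix and the enableSet/enableRemove options, then audits an existing statement against it. The type and function names are hypothetical, and the sample statement is constructed from the values shown on this page.

```typescript
// Added example: not part of @purista/aws-config-store. All names are hypothetical.
type Statement = { Effect: 'Allow'; Action: string[]; Resource: string }

interface StoreScope {
  region: string
  accountId: string
  prefix: string          // per service and environment, e.g. /myapp/prod/user-service/
  enableSet?: boolean     // mirrors the store option of the same name
  enableRemove?: boolean  // mirrors the store option of the same name
}

// Build the smallest statement that lets one service use its own parameters.
function buildSsmStatement(scope: StoreScope): Statement {
  if (!/^\/[\w.\/-]+\/$/.test(scope.prefix) || scope.prefix.indexOf('//') !== -1) {
    throw new Error(`prefix must look like /app/env/service/, got: ${scope.prefix}`)
  }
  const actions = ['ssm:GetParameter', 'ssm:GetParameters']
  if (scope.enableSet) actions.push('ssm:PutParameter')
  if (scope.enableRemove) actions.push('ssm:DeleteParameter')
  // The parameter name's leading "/" directly follows "parameter" in the ARN.
  const resource = `arn:aws:ssm:${scope.region}:${scope.accountId}:parameter${scope.prefix}*`
  return { Effect: 'Allow', Action: actions, Resource: resource }
}

// Compare a deployed statement with what the store options actually require.
function auditStatement(stmt: Statement, scope: StoreScope): string[] {
  const wanted = buildSsmStatement(scope)
  const findings: string[] = []
  if (stmt.Resource !== wanted.Resource) {
    const base = stmt.Resource.replace(/\*$/, '')
    const wider = stmt.Resource.slice(-1) === '*' && wanted.Resource.indexOf(base) === 0
    findings.push(`${wider ? 'resource wider than' : 'resource does not match'} ${wanted.Resource}`)
  }
  for (const action of stmt.Action) {
    if (action.indexOf('*') !== -1) findings.push(`wildcard action: ${action}`)
    else if (wanted.Action.indexOf(action) === -1) findings.push(`unneeded action: ${action}`)
  }
  return findings
}

// Constructed sample: a read-only service checked against an app-wide statement.
const sampleScope: StoreScope = { region: 'us-east-1', accountId: '123456789012', prefix: '/myapp/prod/user-service/' }
const sampleFindings = auditStatement(
  { Effect: 'Allow', Action: ['ssm:GetParameter', 'ssm:GetParameters', 'ssm:PutParameter'],
    Resource: 'arn:aws:ssm:us-east-1:123456789012:parameter/myapp/*' },
  sampleScope,
)
console.log(sampleFindings)
```

SecureString parameters encrypted with a customer managed KMS key also need kms:Decrypt on that key, which this sketch does not generate.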