Skip to main content

Stores Configuration

The stores section in atmos.yaml configures external key-value stores that can be used to share data between components using the !store YAML function and hooks.

Configuration

atmos.yaml

stores:
  # AWS SSM Parameter Store
  prod/ssm:
    type: aws-ssm-parameter-store
    options:
      region: us-east-1

  # Azure Key Vault
  prod/azure:
    type: azure-key-vault
    options:
      vault_url: "https://my-keyvault.vault.azure.net/"

  # Google Secret Manager
  prod/gcp:
    type: google-secret-manager
    options:
      project_id: my-project

  # Redis
  cache:
    type: redis
    options:
      url: "redis://localhost:6379"

  # Artifactory
  artifacts:
    type: artifactory
    options:
      url: https://artifactory.example.com
      repo_name: my-repo

Store Name Convention

Store names follow the pattern <environment>/<type> by convention:

  • prod/ssm - Production SSM Parameter Store
  • dev/secrets - Development Secrets Manager
  • shared/config - Shared configuration store

You can reference stores in stack configuration using the !store function:

vars:
  database_password: !store prod/secrets::database/password
  api_key: !store prod/ssm::/app/api-key

Supported Store Types

aws-ssm-parameter-store
AWS Systems Manager Parameter Store. Stores and retrieves parameters from SSM.
azure-key-vault
Azure Key Vault. Stores and retrieves secrets from Azure.
google-secret-manager (or gsm)
Google Cloud Secret Manager. Stores and retrieves secrets from GCP.
redis
Redis key-value store. Useful for caching and temporary data.
artifactory
JFrog Artifactory. Stores and retrieves data as JSON files. Use a Generic repository type.

Store Type Configuration

AWS SSM Parameter Store

atmos.yaml

stores:
  prod/ssm:
    type: aws-ssm-parameter-store
    options:
      region: us-east-1
      # Optional
      prefix: myapp
      stack_delimiter: "/"
      # Optional: assume role for cross-account access
      read_role_arn: arn:aws:iam::123456789012:role/SSMReader
      write_role_arn: arn:aws:iam::123456789012:role/SSMWriter

Azure Key Vault

atmos.yaml

stores:
  prod/azure:
    type: azure-key-vault
    options:
      vault_url: "https://my-keyvault.vault.azure.net/"
      # Optional
      prefix: myapp
      stack_delimiter: "-"

Authentication uses the Azure Default Credential chain, which checks environment variables, managed identity, Azure CLI, and other sources.

Google Secret Manager

atmos.yaml

stores:
  prod/gcp:
    type: google-secret-manager  # or "gsm"
    options:
      project_id: my-project
      # Optional
      prefix: myapp
      stack_delimiter: "_"
      # Optional: JSON credentials (or use GOOGLE_APPLICATION_CREDENTIALS env var)
      credentials: '{"type":"service_account",...}'
      # Optional: replication locations
      locations:
        - us-east1
        - us-west1

Redis

atmos.yaml

stores:
  cache:
    type: redis
    options:
      url: "redis://localhost:6379"  # or use ATMOS_REDIS_URL env var
      # Optional
      prefix: myapp
      stack_delimiter: "/"

The url option supports Redis URL format including authentication: redis://:password@host:port/db

Artifactory

atmos.yaml

stores:
  artifacts:
    type: artifactory
    options:
      url: https://artifactory.example.com
      repo_name: my-repo
      # Access token from environment variable (recommended)
      access_token: !env ARTIFACTORY_ACCESS_TOKEN
      # Optional
      prefix: myapp
      stack_delimiter: "/"

The access_token can be provided directly, via the !env function, or through the ARTIFACTORY_ACCESS_TOKEN environment variable.

JFrog Artifactory Repository Type

When setting up Artifactory as a store backend, create a Generic repository type in JFrog Artifactory. Atmos stores data as JSON files, so no specific package type (Maven, npm, Docker, etc.) is required. The repository can be local, remote, or virtual.

Using Stores in Hooks

You can write values to stores using hooks:

components:
  terraform:
    vpc:
      hooks:
        store-outputs:
          events:
            - after-terraform-apply
          command: store
          name: prod/ssm
          outputs:
            vpc_id: .vpc_id
            subnet_ids: .private_subnet_ids

This writes Terraform outputs to the configured store after apply completes. The output values starting with . reference Terraform output names.