Stores Configuration

The stores section in atmos.yaml configures external key-value stores that can be used to share data between components using the !store YAML function and hooks.

Configuration

atmos.yaml

stores:
  # AWS SSM Parameter Store
  prod/ssm:
    backend: aws/ssm
    config:
      region: us-east-1

  # AWS Secrets Manager
  prod/secrets:
    backend: aws/secretsmanager
    config:
      region: us-east-1

  # Azure Key Vault
  prod/azure:
    backend: azure/keyvault
    config:
      vault_name: my-keyvault

  # Google Secret Manager
  prod/gcp:
    backend: gcp/secretmanager
    config:
      project_id: my-project

  # Redis
  cache:
    backend: redis
    config:
      host: localhost
      port: 6379

  # Artifactory
  artifacts:
    backend: artifactory
    config:
      url: https://artifactory.example.com

Store Name Convention

Store names follow the pattern <environment>/<type> by convention:

• prod/ssm - Production SSM Parameter Store
• dev/secrets - Development Secrets Manager
• shared/config - Shared configuration store

You can reference stores in stack configuration using the !store function:

vars:
  database_password: !store prod/secrets::database/password
  api_key: !store prod/ssm::/app/api-key

Supported Backends

aws/ssm

AWS Systems Manager Parameter Store. Stores and retrieves parameters from SSM.

aws/secretsmanager

AWS Secrets Manager. Stores and retrieves secrets with automatic rotation support.

azure/keyvault

Azure Key Vault. Stores and retrieves secrets from Azure.

gcp/secretmanager

Google Cloud Secret Manager. Stores and retrieves secrets from GCP.

redis

Redis key-value store. Useful for caching and temporary data.

artifactory

JFrog Artifactory. Stores and retrieves artifacts and metadata.

Backend Configuration

AWS SSM Parameter Store

atmos.yaml

stores:
  prod/ssm:
    backend: aws/ssm
    config:
      region: us-east-1
      # Optional: assume role for cross-account access
      role_arn: arn:aws:iam::123456789012:role/SSMReader

AWS Secrets Manager

atmos.yaml

stores:
  prod/secrets:
    backend: aws/secretsmanager
    config:
      region: us-east-1
      # Optional: version stage (AWSCURRENT, AWSPREVIOUS, or custom)
      version_stage: AWSCURRENT

Azure Key Vault

atmos.yaml

stores:
  prod/azure:
    backend: azure/keyvault
    config:
      vault_name: my-keyvault
      # Optional: specific tenant ID
      tenant_id: 12345678-1234-1234-1234-123456789012

Google Secret Manager

atmos.yaml

stores:
  prod/gcp:
    backend: gcp/secretmanager
    config:
      project_id: my-project

Redis

atmos.yaml

stores:
  cache:
    backend: redis
    config:
      host: localhost
      port: 6379
      # Optional: authentication
      password: ${REDIS_PASSWORD}
      db: 0

Using Stores in Hooks

You can write values to stores using hooks:

components:
  terraform:
    vpc:
      hooks:
        store-outputs:
          events:
            - after-terraform-apply
          command: store
          name: prod/ssm
          outputs:
            - vpc_id
            - subnet_ids

This writes Terraform outputs to the configured store after apply completes.

Related

• External Stores - Using !store function in stacks
• Hooks - Writing to stores with hooks
• Terraform State - Alternative data sharing method