Skip to main content

Stores Configuration

The stores section in atmos.yaml configures external key-value stores that can be used to share data between components using the !store YAML function and hooks.

Configuration

atmos.yaml

stores:
  # AWS SSM Parameter Store
  prod/ssm:
    type: aws-ssm-parameter-store
    options:
      region: us-east-1

  # Azure Key Vault
  prod/azure:
    type: azure-key-vault
    options:
      vault_url: "https://my-keyvault.vault.azure.net/"

  # Google Secret Manager
  prod/gcp:
    type: google-secret-manager
    options:
      project_id: my-project

  # Redis
  cache:
    type: redis
    options:
      url: "redis://localhost:6379"

  # Artifactory
  artifacts:
    type: artifactory
    options:
      url: https://artifactory.example.com
      repo_name: my-repo

Store Name Convention

Store names follow the pattern <environment>/<type> by convention:

  • prod/ssm - Production SSM Parameter Store
  • dev/secrets - Development Secrets Manager
  • shared/config - Shared configuration store

You can reference stores in stack configuration using the !store function:

vars:
  database_password: !store prod/secrets::database/password
  api_key: !store prod/ssm::/app/api-key

Supported Store Types

aws-ssm-parameter-store
AWS Systems Manager Parameter Store. Stores and retrieves parameters from SSM.
azure-key-vault
Azure Key Vault. Stores and retrieves secrets from Azure.
google-secret-manager (or gsm)
Google Cloud Secret Manager. Stores and retrieves secrets from GCP.
redis
Redis key-value store. Useful for caching and temporary data.
artifactory
JFrog Artifactory. Stores and retrieves artifacts and metadata.

Store Type Configuration

AWS SSM Parameter Store

atmos.yaml

stores:
  prod/ssm:
    type: aws-ssm-parameter-store
    options:
      region: us-east-1
      # Optional
      prefix: myapp
      stack_delimiter: "/"
      # Optional: assume role for cross-account access
      read_role_arn: arn:aws:iam::123456789012:role/SSMReader
      write_role_arn: arn:aws:iam::123456789012:role/SSMWriter

Azure Key Vault

atmos.yaml

stores:
  prod/azure:
    type: azure-key-vault
    options:
      vault_url: "https://my-keyvault.vault.azure.net/"
      # Optional
      prefix: myapp
      stack_delimiter: "-"

Authentication uses the Azure Default Credential chain, which checks environment variables, managed identity, Azure CLI, and other sources.

Google Secret Manager

atmos.yaml

stores:
  prod/gcp:
    type: google-secret-manager  # or "gsm"
    options:
      project_id: my-project
      # Optional
      prefix: myapp
      stack_delimiter: "_"
      # Optional: JSON credentials (or use GOOGLE_APPLICATION_CREDENTIALS env var)
      credentials: '{"type":"service_account",...}'
      # Optional: replication locations
      locations:
        - us-east1
        - us-west1

Redis

atmos.yaml

stores:
  cache:
    type: redis
    options:
      url: "redis://localhost:6379"  # or use ATMOS_REDIS_URL env var
      # Optional
      prefix: myapp
      stack_delimiter: "/"

The url option supports Redis URL format including authentication: redis://:password@host:port/db

Artifactory

atmos.yaml

stores:
  artifacts:
    type: artifactory
    options:
      url: https://artifactory.example.com
      repo_name: my-repo
      # Optional: access token (or use ARTIFACTORY_ACCESS_TOKEN env var)
      access_token: "..."
      # Optional
      prefix: myapp
      stack_delimiter: "/"

Using Stores in Hooks

You can write values to stores using hooks:

components:
  terraform:
    vpc:
      hooks:
        store-outputs:
          events:
            - after-terraform-apply
          command: store
          name: prod/ssm
          outputs:
            - vpc_id
            - subnet_ids

This writes Terraform outputs to the configured store after apply completes.