IMPORTANT NOTE: As pointed out in the AWS documentation for storing sensible the Ciphertext should be stored in the environment variables. This tutorial doesn't go into that yet, but we will update it soon accordingly.
This example demonstrates how to store secrets like API keys encrypted in your repository while providing them as environment variables to your AWS Lambda functions.
- Provide secrets like API keys to your Lambda functions
While repository hosting services like Github or Bitbucket have very high security standards it's recommended to not store your unencrypted secrets there. In addition in larger teams not everybody needs to have access to those secrets of your production environment.
Encrypting your secrets per stage and only adding the encrypted files into your repository is a sensible strategy to fulfill the previously described goals. The passwords to decrypt and encrypt the secrets files should only be shared between the necessary developers over a secure channel. In case you are using a Continuous Integration to deploy your infrastructure obviously this system must be aware of the passwords as well.
Since this plugin uses the Serverless plugin serverless-secrets-plugin you need to setup the node_modules by running:
npm installIn order to deploy the you endpoint simply run
serverless deploy --stage devThe expected result should be similar to:
Error --------------------------------------------------
Couldn't find the secrets file for this stage: secrets.dev.yml
For debugging logs, run again after setting SLS_DEBUG env var.
Get Support --------------------------------------------
Docs: docs.serverless.com
Bugs: github.com/serverless/serverless/issues
Please report this error. We think it might be a bug.
Your Environment Information -----------------------------
OS: darwin
Node Version: 6.2.2
Serverless Version: 1.2.0This is happening since the serverless-secrets-plugin makes sure a secrets file for the specific stage exists.
Let's decrypt the secrets file so you can deploy the service. To do so run
serverless decrypt --stage dev --password 'va$27dC}9382G7ac6?V'The expected result should be similar to:
Serverless: Sucessfully encrypted 'secrets.dev.yml.encrypted' to 'secrets.dev.yml'Now that you have the unencrypted version of your secrets file this directory you can deploy with
serverless deploy --stage devIn case you want to add, update or remove entries in your secrets file simply modify your secrets file. Once you are done encrypt it with
serverless encrypt --stage dev --password 'va$27dC}9382G7ac6?V'The expected result should be:
Serverless: Sucessfully encrypted 'secrets.dev.yml' to 'secrets.dev.yml.encrypted'The encrypted file can be checked into your version control system e.g. Git.
serverless decrypt --stage prod --password 'v2]83WDneGt9AGXv]X6QfP9NW3^J&K3V'serverless encrypt --stage prod --password 'v2]83WDneGt9AGXv]X6QfP9NW3^J&K3V'Make sure the the unencrypted secrets files are listed in .gitignore or similar to make sure they are never checked into your repository.