This is a utility much like the awesome gcp-get-secret from Binx.io. You can wrap it around your application that consumes environment variables containing secrets. By calling `aws-get-secret -- [your-cli] [--your-args]` it will call your CLI command (server, serverless, etc.) and fill any environment variable whose value starts with the `aws:///` format documented below.
Note: use any library dealing with secrets with great care. Actions you can take to prevent impact:
- Do not trust me. Pin down your dependencies to exact SHA-512 hashes, like with npm's package-lock and Golang's go.sum.
- Do not trust any other module (node, etc.) you install: vet them & pin them.
- Install upgrades only after careful review & again pin your dependencies.
- Rotate your secrets frequently, so that it becomes something you do with ease.
- Seriously, pin your dependencies.
If you miss functionality, feel free to fork the repository & optionally send Pull Requests to contribute back.
First, set some environment variables that define where to get the secret:

```sh
export FIRST_SECRET=aws:///arn:aws:secretsmanager:eu-central-1:1234567:secret:First-ABCDEF
export OTHER_SECRET=aws:///arn:aws:secretsmanager:eu-central-1:1234567:secret:Other-ABCDEF
```
You can define query parameters on the `aws:///` URI, just like with binxio/gcp-get-secret:

- `default` to set a default value if there is no value
- `template` to pick values from a JSON secret or to wrap the value with other data
- `destination` and `chmod` to write to a file instead of using the environment
Then wrap your executable with this tool:

```sh
# quick example:
./aws-get-secret sh -c 'echo Something $SECRET;'
# NodeJS server:
./aws-get-secret node dist/server.js
# Python server:
./aws-get-secret python3 server.py
```
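To make the reference format and the query parameters above concrete, here is an added example of how such `aws:///` values can be parsed and resolved before handing the environment to the wrapped command. It is illustration code written for this README, not the tool's own source: `ParseRef`, `Render`, `ResolveEnv` and the `Fetcher` callback are names chosen here, the template syntax (Go `text/template` over the fields of a JSON secret) is assumed to mirror binxio/gcp-get-secret, a `destination` variable is assumed to end up holding the file path, and `0600` is the assumed file mode when `chmod` is absent. The Secrets Manager call is replaced by a constructed in-memory lookup so the code runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"os"
	"strconv"
	"strings"
	"text/template"
)

const scheme = "aws:///"

// SecretRef is the parsed form of one aws:/// environment value.
type SecretRef struct {
	ARN, Default, Template, Destination string
	HasDefault                          bool        // default= was present (value may be empty)
	Chmod                               os.FileMode // for Destination; 0600 unless chmod= is given (assumption)
}

// FileWrite is a resolved secret that belongs in a file rather than the environment.
type FileWrite struct {
	Path string
	Mode os.FileMode
	Data string
}

// ParseRef splits aws:///<arn>?key=value... into its parts.
func ParseRef(raw string) (SecretRef, error) {
	arn, query, _ := strings.Cut(strings.TrimPrefix(raw, scheme), "?")
	q, err := url.ParseQuery(query)
	if !strings.HasPrefix(raw, scheme) || arn == "" || err != nil {
		return SecretRef{}, fmt.Errorf("malformed secret reference %q", raw)
	}
	ref := SecretRef{ARN: arn, Template: q.Get("template"), Destination: q.Get("destination"), Chmod: 0o600}
	ref.HasDefault, ref.Default = q.Has("default"), q.Get("default")
	if m := q.Get("chmod"); m != "" {
		mode, err := strconv.ParseUint(m, 8, 32) // chmod is octal, e.g. 0600 or 640
		if err != nil {
			return SecretRef{}, fmt.Errorf("bad chmod %q: %w", m, err)
		}
		ref.Chmod = os.FileMode(mode)
	}
	return ref, nil
}

// Render applies the template, if any. A JSON-object secret exposes its fields as
// {{ .field }}; any other secret is available whole as {{ . }}. With
// missingkey=error a template naming a field the secret lacks fails loudly.
func Render(ref SecretRef, secret string) (string, error) {
	if ref.Template == "" {
		return secret, nil
	}
	var data interface{} = secret
	var obj map[string]interface{}
	if json.Unmarshal([]byte(secret), &obj) == nil {
		data = obj
	}
	t, err := template.New("secret").Option("missingkey=error").Parse(ref.Template)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	err = t.Execute(&sb, data)
	return sb.String(), err
}

// ResolveEnv walks KEY=VALUE pairs (as from os.Environ()), resolves every value
// starting with aws:/// and returns the child's environment plus the files to write
// for destination= references (such a variable is set to the file path, assumption).
// fetch stands in for the Secrets Manager call and returns the secret for an ARN.
func ResolveEnv(env []string, fetch func(arn string) (string, error)) ([]string, []FileWrite, error) {
	out := make([]string, 0, len(env))
	var files []FileWrite
	for _, kv := range env {
		key, val, ok := strings.Cut(kv, "=")
		if !ok || !strings.HasPrefix(val, scheme) {
			out = append(out, kv) // ordinary variable: pass through untouched
			continue
		}
		ref, err := ParseRef(val)
		if err != nil {
			return nil, nil, fmt.Errorf("%s: %w", key, err)
		}
		resolved, err := fetch(ref.ARN)
		if err == nil {
			resolved, err = Render(ref, resolved)
		} else if ref.HasDefault {
			resolved, err = ref.Default, nil // the default covers a failed fetch only
		}
		if err != nil {
			return nil, nil, fmt.Errorf("%s: %w", key, err)
		}
		if ref.Destination != "" {
			files = append(files, FileWrite{Path: ref.Destination, Mode: ref.Chmod, Data: resolved})
			resolved = ref.Destination
		}
		out = append(out, key+"="+resolved)
	}
	return out, files, nil
}
```

Two choices matter from a security point of view: a missing secret only falls back to `default` when that parameter was actually given, so a typo in an ARN fails the start-up instead of silently running with an empty value, and a template that asks for a JSON field the secret does not contain is an error rather than an empty string in a connection URL.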
You can also call this tool as a Lambda extension script (wrapper script) to preload Secrets Manager secrets into environment variables.
To use this wrapper script, create a Layer including the Go binary of this repository.
Then include the binary in another layer and invoke it by setting `AWS_LAMBDA_EXEC_WRAPPER=/opt/aws-get-secret` on your Lambda.
Alternatively, you can use the NodeJS CDK-compatible package, which does this for you:

```sh
npm i aws-get-secret-lambda
```

Then wrap your Lambda like this (if you're using CDK):

```ts
import { Stack } from "aws-cdk-lib";
import { Construct } from "constructs";
import { wrapLambdasWithSecrets } from "aws-get-secret-lambda";

export class SomeStack extends Stack {
  constructor(scope: Construct) {
    super(scope, "SomeStack");
    // wrap every function in this stack with the aws-get-secret layer
    wrapLambdasWithSecrets(this.getAllFunctions());
  }
}
```
- https://github.com/aws-samples/aws-lambda-environmental-variables-from-aws-secrets-manager
- https://dev.to/aws-builders/getting-the-most-of-aws-lambda-free-compute-wrapper-scripts-3h4b
- https://docs.aws.amazon.com/lambda/latest/dg/runtimes-modify.html#runtime-wrapper
- https://github.com/binxio/gcp-get-secret
- https://www.hermanbanken.nl/2022/03/31/aws-get-secret/