fujiwara / lambroll

lambroll is a minimal deployment tool for AWS Lambda.


feature: Resolve environment variables with values of the Secrets Manager

miztch opened this issue · comments

commented

Hello, I would like to use some secret values stored in the Secrets Manager as environment variables for my existing Lambda functions.
I intend to use lambroll in a new deploy pipeline (simply done with the build source on S3 and lambroll running on CodeBuild). Unless we use the AWS Parameters and Secrets Lambda Extension, Terraform state, or something else, we need to implement the logic to retrieve the secret value from scratch.

For example, in CloudFormation, it can be resolved to the secret value with the following format.

{{resolve:secretsmanager:secret-id:SecretString:json-key:version-stage:version-id}}

https://docs.aws.amazon.com/secretsmanager/latest/userguide/cfn-example_reference-secret.html

I assume it would be difficult to accept this request, since you wrote in your blog that lambroll only does what can be done through the Lambda API, but I created the issue because it might give you some inspiration.
(Or if you have any ideas to resolve this situation, I would really appreciate hearing them!)

Thank you.

Hi.

I suggest using handlename/ssmwrap as a workaround.

ssmwrap can look up values in the SSM parameter store and run a specified command with environment variables that are set by these values.

$ ssmwrap --names /path/to/foo -- sh -c 'echo $FOO'
value of foo

And Secrets Manager secrets can be read via the SSM parameter store with the prefix '/aws/reference/secretsmanager'.

So, with these methods, you can run lambroll with environment variables from Secrets Manager.

$ ssmwrap --names /aws/reference/secretsmanager/mysecret -- lambroll ...

function.json

{
  "Environment": {
    "Variables": {
      "MYSECRET": "{{ must_env `MYSECRET` }}"
    }
  },
  // ...
}

But this solution is a little complex.

I'm planning to introduce an ssm template function, the same as in ecspresso.
https://github.com/kayac/ecspresso#ssm

@miztch But, I don't recommend setting secrets into Lambda environment variables directly.

Secrets are exposed as plain text to anyone who can read the Lambda function configuration.

If you try this method, please consider that risk.

commented

Thank you for your immediate reply! I will try the workaround you suggested.

Also, I am already aware of the security risks you pointed out. Thanks for this one as well.
I will also tell my application engineer to eventually modify the code to fetch it in the function code, as I do not think it is appropriate to put plain-text values in environment variables.

Thank you for the other day.

In my project, I found it difficult to retrieve the secret value using ssmwrap because the secret value was not just a single value but a key/value pair. So I solved this by implementing a small custom script.

Therefore I am fine with closing this issue.

Since we are considering managing these secret values with SSM, there may be an opportunity to use the SSM plugin you implemented in #319. Thanks again for listening to my voice 🙏

Thanks! I'm now installing it for some functions!
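As an added example (not code from lambroll, ssmwrap, or anyone in this thread), the script below shows the two shapes discussed above for a key/value secret, the case where ssmwrap alone was not enough: the workaround that expands every key of the JSON SecretString into plain-text Lambda environment variables, and the safer shape the thread ends on, where only the secret's identifier goes into the environment and the function code fetches the value at runtime. It runs offline on a constructed SecretString; in a real pipeline the string would come from the Secrets Manager API. The function names, the sample secret and the ARN are all made up here.

```python
"""Expand a Secrets Manager key/value secret into a lambroll function.json
Environment block, or emit only a reference to it.

Added example, not part of lambroll or ssmwrap. The JSON SecretString of a
key/value secret arrives as one string, so it has to be split before it can
become several environment variables. All names below are hypothetical.
"""
import json
import re
from typing import Dict

# Constructed sample of what SecretString holds for a key/value secret.
# Not a real secret; values are placeholders.
SAMPLE_SECRET_STRING = (
    '{"DB_HOST": "db.internal", "DB_USER": "app", '
    '"DB_PASSWORD": "not-a-real-password"}'
)

# Constructed placeholder ARN; a real one belongs to the deploying account.
SAMPLE_SECRET_ARN = (
    "arn:aws:secretsmanager:ap-northeast-1:123456789012:secret:mysecret-AbCdEf"
)

# Names Lambda will accept as environment variable keys.
ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_kv_secret(secret_string: str) -> Dict[str, str]:
    """Split a JSON key/value SecretString into name/value pairs.

    Rejects a SecretString that is not a flat JSON object of strings and
    keys that would not be valid environment variable names, so a malformed
    secret fails the deploy instead of producing a half-configured function.
    """
    data = json.loads(secret_string)
    if not isinstance(data, dict):
        raise ValueError("SecretString is not a JSON object; treat it as a single value")
    env: Dict[str, str] = {}
    for key, value in data.items():
        if not ENV_NAME.match(key):
            raise ValueError(f"secret key {key!r} is not a valid environment variable name")
        if not isinstance(value, str):
            raise ValueError(f"secret key {key!r} has a non-string value; flatten it first")
        env[key] = value
    return env


def is_kv_secret(secret_string: str) -> bool:
    """True when the SecretString can be expanded by parse_kv_secret."""
    try:
        parse_kv_secret(secret_string)
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError too
        return False


def render_plaintext_env(secret_string: str) -> dict:
    """The workaround from the thread: every secret value becomes a plain-text
    Lambda environment variable. Anyone who can read the function
    configuration can read these, which is the risk the maintainer raised."""
    return {"Environment": {"Variables": parse_kv_secret(secret_string)}}


def render_reference_env(secret_arn: str, var_name: str = "SECRET_ARN") -> dict:
    """The shape the thread converges on: only the secret's identifier is put
    into the environment, and the function code fetches the value at runtime."""
    return {"Environment": {"Variables": {var_name: secret_arn}}}


def merge_into_function_json(function_json: dict, env_block: dict) -> dict:
    """Return a copy of a function.json dict with its Environment replaced."""
    merged = dict(function_json)
    merged["Environment"] = env_block["Environment"]
    return merged


if __name__ == "__main__":
    # Hypothetical minimal function.json; real ones carry more Lambda API fields.
    base = {"FunctionName": "hypothetical-function", "Runtime": "python3.12"}
    print(json.dumps(merge_into_function_json(base, render_plaintext_env(SAMPLE_SECRET_STRING)), indent=2))
    print(json.dumps(merge_into_function_json(base, render_reference_env(SAMPLE_SECRET_ARN)), indent=2))
```

Running it prints both variants of the Environment block; the first is what the ssmwrap-plus-custom-script approach produces, the second is the one that keeps secret material out of the function configuration.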