aws-get-secret-lambda

aws-get-secret

This is a utility much like the awesome gcp-get-secret from Binx.io. You can wrap it around your application that consumes environment variables containing secrets. By calling aws-get-secret -- [your-cli] [--your-args] it will call your cli command (server, serverless, etc.) and fill any environment variable that starts with the aws:/// format documented below.

Note: use any libary dealing with secrets with great care. Actions you can take to prevent impact:

• Do not trust me. Pin down your dependencies to exact SHA-512 hashes like with npm package-lock and Golang's go.sum.
• Do not trust any other module (node, etc) you install: vet them & pin them.
• Install upgrades only after careful review & again pin your dependencies.
• Rotate your secrets frequently, to make it something you do with ease.
• Seriously, pin your dependencies.

Forks welcome

If you miss functionality, feel free to fork the repository & optionally send Pull Requests to contribute back.

Usage

First, set some environment variables that define where to get the secret:

export FIRST_SECRET=aws:///arn:aws:secretsmanager:eu-central-1:1234567:secret:First-ABCDEF
export OTHER_SECRET=aws:///arn:aws:secretsmanager:eu-central-1:1234567:secret:Other-ABCDEF

You can define query parameters on the aws:/// uri just like with binxio/gcp-get-secret:

• default to set a default value if there is no value
• template to pick values from a JSON secret or to wrap the value with other data
• destination and chmod to write to a file instead of using the environment

Then wrap your executable with this tool:

# quick example:
./aws-get-secret sh -c 'echo Something $SECRET;'

# NodeJS server:
./aws-get-secret node dist/server.js

# Python server server:
./aws-get-secret python3 server.py

AWS Lambda

Call this tool as a Lambda extension script (wrapperscript) to preload secret manager secrets to environment variables.

To use this wrapper script, create a Layer including the go binary of this repository. Then include the binary in another layer and invoke it by setting AWS_LAMBDA_EXEC_WRAPPER=/opt/aws-get-secret on your lambda. Alternatively, you can use the NodeJS CDK-compatible package which does this for you.

npm i aws-get-secret-lambda

Then wrap your Lambda like this (if you're using CDK):

import { wrapLambdasWithSecrets } from "aws-get-secret-lambda"

export class SomeStack extends Stack {
  constructor(scope: Construct) {
    super(scope, 'SomeStack');

    wrapLambdasWithSecrets(this.getAllFunctions());
  }
}

Refs

• https://github.com/aws-samples/aws-lambda-environmental-variables-from-aws-secrets-manager
• https://dev.to/aws-builders/getting-the-most-of-aws-lambda-free-compute-wrapper-scripts-3h4b
• https://docs.aws.amazon.com/lambda/latest/dg/runtimes-modify.html#runtime-wrapper
• https://github.com/binxio/gcp-get-secret
• https://www.hermanbanken.nl/2022/03/31/aws-get-secret/