serverless-env-generator
A Serverless 1.x plugin to automatically create a .env file during deployment by merging environment variables from one or more YAML files. Variables can be securely encrypted with KMS. Multiple stages and profiles are supported.
This plugin automatically creates a .env file during deployment by merging environment variables from one or more YAML files. During runtime these variables can then be loaded into process.env using dotenv.
For a brief introduction, read our blogpost about introducing serverless-env-generator.
Please note that the uploaded .env file contains secrets in cleartext. We therefore recommend using Serverless Crypt for critical secrets. This tool aims to strike a balance between storing secrets in plaintext in Lambda environment variables and having to decrypt them at runtime using KMS.
Furthermore, the tool does not support environment variables generated by Serverless. We recommend setting these variables directly in each function's configuration in serverless.yml.
When used with serverless-local-dev-server your environment variables are directly loaded into process.env. No .env file is created to make sure that your local development and deployment tasks do not interfere :-)
This package requires node >= 6.0. Due to the reliance on KMS, encryption is only supported for AWS.
```shell
npm install dotenv --save
npm install serverless-env-generator --save-dev
```
See: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
Please make sure to create the KMS key in the same region as your deployment.
For the alias we recommend using the service name; for administration privileges, no user (your AWS account has full permissions by default); and for usage privileges, "serverless-admin", so that access permissions are linked to deployment permissions.
serverless.yml configuration example:
```yaml
provider:
  name: aws
  runtime: nodejs6.10

functions:
  hello:
    handler: handler.hello

# Add serverless-env-generator to your plugins:
plugins:
  - serverless-env-generator

# Plugin config goes into custom:
custom:
  envFiles: # YAML files used to create the .env file
    - environment.yml
  envEncryptionKeyId: # KMS key used for encrypting values
    development: ${env:AWS_KMS_KEYID} # Key used for the development stage
```
As the generated .env file contains the secrets in cleartext, make sure that it will never be checked into git!
.gitignore code example:
```
.env
```
Command example:
```shell
serverless env --attribute name --value "This is not a secret"
serverless env --attribute secret_name --value "This is a secret" --encrypt
```
Note that the .env file is automatically created when you deploy your function, so you can just load those variables with dotenv 🎉
Code example:
```javascript
require('dotenv').config() // Load variables from .env file

module.exports.hello = (event, context, callback) => {
  const response = {
    statusCode: 200,
    body: JSON.stringify({
      message: process.env.secret_name,
      input: event
    })
  }
  callback(null, response)
}
```
Command example:
```shell
serverless deploy
serverless invoke -f $FUNCTION_NAME
```
Result example:
```json
{
  "body": "{\"input\": {}, \"message\": \"This is a secret\"}",
  "statusCode": 200
}
```
You can use these commands to modify your YAML environment files.
If no stage is specified, the default stage configured in serverless.yml is used.
Use the following commands to read and decrypt variables from your YAML environment files:
```shell
serverless env
serverless env --stage $STAGE
serverless env --attribute $NAME
serverless env --attribute $NAME --stage $STAGE
# shorthand:
sls env -a $NAME
sls env -a $NAME -s $STAGE

serverless env --decrypt
serverless env --attribute $NAME --decrypt
serverless env --attribute $NAME --stage $STAGE --decrypt
# shorthand:
sls env -a $NAME --decrypt
sls env -a $NAME -s $STAGE -d
```
Use the following commands to store and encrypt variables in your YAML environment files:
Note that variables are stored to the first file listed in envFiles.
```shell
serverless env --attribute $NAME --value $PLAINTEXT
serverless env --attribute $NAME --value $PLAINTEXT --stage $STAGE
# shorthand:
sls env -a $NAME -v $PLAINTEXT
sls env -a $NAME -v $PLAINTEXT -s $STAGE

serverless env --attribute $NAME --value $PLAINTEXT --encrypt
serverless env --attribute $NAME --value $PLAINTEXT --stage $STAGE --encrypt
# shorthand:
sls env -a $NAME -v $PLAINTEXT -e
sls env -a $NAME -v $PLAINTEXT -s $STAGE -e
```
Environment variables are stored in stage-agnostic YAML files, which are then merged into a .env file on deployment.
File example:
```yaml
development: # stage
  foo: bar # cleartext variable
  bla: crypted:bc89hwnch8hncoaiwjnd... # encrypted variable
production:
  foo: baz
  bla: crypted:ncibinv0iwokncoiao3d...
```
You can create additional YAML environment files, for example to include variables that are dynamically generated. Just add them to the envFiles in your serverless.yml.
serverless-plugin-webpack
If you are also using the serverless-plugin-webpack, there are some caveats.
You have to place serverless-env-generator before the serverless-plugin-webpack in serverless.yml:
```yaml
# serverless.yml
plugins:
  - serverless-env-generator
  - serverless-plugin-webpack
```
dotenv-webpack
You need to have the dotenv-webpack plugin installed:
```shell
npm install dotenv-webpack --save-dev
```
and configured:
```javascript
// webpack.config.js
const Dotenv = require('dotenv-webpack')

module.exports = {
  // ...
  plugins: [
    // ...
    new Dotenv()
  ]
}
```
Licensed under the MIT license.
Created and maintained by DieProduktMacher.
Inspired by Serverless Crypt.
FAQs
The npm package serverless-env-generator receives a total of 3 weekly downloads. As such, serverless-env-generator popularity was classified as not popular.
We found that serverless-env-generator demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.