serverless-plugin-kmsvariables

Serverless Plugin KMSVariables

This Plugin adds KMS Support to the Variables of Serverless.

Note: This plugin supports Serverless 0.5.*

Installation

• make sure that aws and serverless are installed
• see http://docs.aws.amazon.com/cli/latest/userguide/installing.html
• see http://www.serverless.com/
• Create a KMS key in your AWS Account
• see http://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
• install this plugin to your project
• (adds the plugin to your node_modules folder)

cd projectfolder
npm install serverless-plugin-kmsvariables

• add the plugin to your s-project.json file
• add configuration for KMS to your s-project file

"custom": {
    "kmsVariables": {
      "key_arn": "arn:aws:kms:<region>:<accountid>:key/<keyid>"
    }
},
"plugins": [
    "serverless-plugin-kmsvariables"
]

Run the Plugin

• the plugin uses a hook that is called in turn of the underlying Serverless VariableSet/VariableList actions.
• the plugin uses a hook that is called before functionRun and functionDeploy calls, where the variables are decrypted using KMS.

Example usage

Set a normal variable

serverless variables set -s <stage> -r <region> -t <type> -k <key> -v <value>

Output:

$ serverless variables set -s dev -r us-east-1 -t region -k plaintextVariable -v foo
Serverless: Not encrypting variable  
Serverless: Successfully set variable: plaintextVariable 

Set an encrypted variable

Command:

serverless variables set -s <stage> -r <region> -t <type> -k <key> -v <value> -e

Ouput:

$ serverless variables set -s dev -r us-east-1 -t region -k myPassword -v mySuperSecret -e
Serverless: Calling AWS KMS to encrypt variable  
Serverless: Successfully set variable: myPassword  

List variables (without decryption)

serverless variables list -s <stage> -r <region>

Output:

Serverless: common:  
Serverless: project = ceng-lambda-nsox  
Serverless:     dev:  
Serverless:     stage = dev  
Serverless:     foo-stage = bar1  
Serverless:         us-east-1:  
Serverless:         region = us-east-1  
Serverless:         resourcesStackName = example  
Serverless:         iamRoleArnLambda = arn:aws:iam::<accountid>:role/<rolename> 
Serverless:         plaintextVariable = foo
Serverless:         myPassword = *******

List variables (with decryption)

serverless variables list -s <stage> -r <region> -d

Output:

Serverless: common:  
Serverless: project = ceng-lambda-nsox  
Serverless:     dev:  
Serverless:     stage = dev  
Serverless:     foo-stage = bar1  
Serverless:         us-east-1:  
Serverless:         region = us-east-1  
Serverless:         resourcesStackName = example  
Serverless:         iamRoleArnLambda = arn:aws:iam::<accountid>:role/<rolename>
Serverless:         plaintextVariable = foo
Serverless:         myPassword = mySuperSecret