Product
Go Support Is Now Generally Available
Socket's Go support is now generally available, bringing automatic scanning and deep code analysis to all users with Go projects.
By Peter van der Zee, Ryan Eberhardt - Apr 17, 2025
You're Invited: Meet the Socket team at BSidesSF and RSAC - April 27 - May 1.RSVP →
serverless-secrets-plugin
Advanced tools
serverless-secrets-plugin
A Serverless plugin to help managing credentials in encrypted files
Serverless Credentials Plugin
This is currently in beta! Feedback is very much welcome.
IMPORTANT NOTE: As pointed out in the AWS documentation for storing sensible the Ciphertext should be stored in the environment variables. This tutorial doesn't go into that yet, but we will update it soon accordingly.
Install
npm install --save-dev serverless-secrets-plugin
After that you need to add the plugin to your serverless.yml of you service.
Run the command serverless --help and verify the list of commands contain an encrypt and a decrypt command.
Usage
Create a secrets.{stage}.yml file for each stage e.g. secrets.dev.yml.
Store the keys in there, that you want to keep private e.g.
EMAIL_SERVICE_API_KEY: DEV_API_EXAMPLE_KEY_12
SESSION_KEY: DEV_SESSION_EXAMPLE_KEY_12
You can also provide a path prefix if you like to keep your secrets in a different directory e.g.
custom:
secretsFilePathPrefix: config
Encrypt the secrets file for the desired stage by running
serverless encrypt --stage dev --password '{your super secure password}'
This will result in an encrypted file e.g. secrets.dev.yml.encrypted. You can check the encrypted file into your version control system e.g. Git. It's recommened to add your unencrypted file to .gitignore or similar so you and your colleagues can't check it in by accident.
In your serverless.yaml you can use the file variable syntax to import the secrets and set them as environment variables. When you create or update Lambda functions that use environment variables, AWS Lambda encrypts them using the AWS Key Management Service. Read more about that in the AWS documentation here.
Whenever you want to deploy there needs to be the unencrypted version of the secrets file available otherwise the plugin will prevent the deployment.
Example
You can check out a full example in the Serverless Examples repository: serverless/examples/aws-node-env-variables-encrypted-in-a-file.
[0.1.0] - 2017-10-16
Added
- Add support for custom secrets files location using the config
secretsFilePathPrefix
Changed
- Use
packagehook instead of legacybefore:deploy - Improved wording of success messages.
- Renamed class for improved error messages.
FAQs
A Serverless plugin to help managing credentials in encrypted files
The npm package serverless-secrets-plugin receives a total of 532 weekly downloads. As such, serverless-secrets-plugin popularity was classified as not popular.
We found that serverless-secrets-plugin demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 16 Oct 2017
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
vlt Launches Real-Time Dependency Analysis Powered by Socket
vlt adds real-time security selectors powered by Socket, enabling developers to query and analyze package risks directly in their dependency graph.
By Sarah Gooding - Apr 17, 2025
Security News
CISA Extends MITRE Contract as Crisis Accelerates Alternative CVE Coordination Efforts
CISA extended MITRE’s CVE contract by 11 months, avoiding a shutdown but leaving long-term governance and coordination issues unresolved.
By Sarah Gooding - Apr 16, 2025