
I am trying to connect to SFTP from AWS Lambda, which needs a private key file. I am able to connect from local and now I need to deploy it into a Lambda function. But pysftp.Connection needs a file path rather than a key string to connect.

Can I package the private key file into my Lambda package using a YAML file?

import pysftp

ftp = pysftp.Connection(host=hostname, username=user, port=22, private_key='...pem')

Can I store the pem file in AWS SSM and access the file while connecting to SFTP?

John Rotenstein
Anil

3 Answers


I wouldn't store the file in S3 as the other answer states; this is not good security practice.

Here is a document with an example of how to use SSM secrets with Lambda; I've used this before successfully.

https://aws.amazon.com/blogs/compute/sharing-secrets-with-aws-lambda-using-aws-systems-manager-parameter-store/

WarrenG
  • Can't agree with the blanket "not good security practice" regarding S3. Horses for courses: properly locked down, S3 is fine. That said, SSM or at least SecureString in the Parameter Store is likely a better way, I agree with that. – Marakai Apr 14 '19 at 01:03
  • My reasoning is that you're still storing passwords that aren't encrypted at rest, which is not good. It's also likely that more than one person is going to have access to your AWS account, and with all the S3 mistakes people make and opening up buckets inadvertently, it's not a good place to store passwords. "Not good security practice" is maybe too strong a phrase though. – WarrenG Apr 14 '19 at 06:50
  • I understand - however I come from a "thou shalt never have an S3 bucket without KMS" approach. Ever. – Marakai Apr 14 '19 at 07:17
  • 1
    i need to give path to file in connection parameters and i can't use ssm as it store string values. Is there a way to load a file to ssm and give its path ? – Anil Apr 15 '19 at 02:40

Yes, you could package the .pem file as part of your AWS Lambda function code deployment. This would make it available on the local filesystem.

See: AWS Lambda Deployment Package in Python - AWS Lambda

Alternatively, you could store the .pem file in Amazon S3 and have the AWS Lambda function download it to the /tmp directory before use.

John Rotenstein
  • Is there any example I can refer to for using an extra file in the zip file and accessing it in Lambda? – Anil Apr 15 '19 at 02:41
  • You can either package it with the zip file (see the above link), but it also looks like you can create an additional file in the Lambda Console, in the editor where you write the Lambda code. Just create a New file and save it with a name. A .pem file is just text, so you can paste the contents into the file. – John Rotenstein Apr 15 '19 at 02:55
  • 1
    Thank you all. I was able to connect to sftp from lambda by storing the key data in ssm parameters and created a tmp file during lambda execution for private key and delete it after completion. – Anil Apr 17 '19 at 03:37
  • @JohnRotenstein I have packaged the .pem file and deployed, but when trying to SSH from Lambda to an EC2 instance (with paramiko), I'm getting "Errno 13 permission error" on the file. How would I fix that? – Brooke Apr 17 '19 at 15:04
  • @Anil You'll need to debug it to figure it out. You could start by running the code on your local computer to try and reproduce the error. It might be due to the username or PEM file. Feel free to ask another question if you have difficulties. – John Rotenstein Apr 17 '19 at 21:54
  • @JohnRotenstein Are you referring to Brooke? As I already fixed my code based on your idea. Thank you – Anil Apr 18 '19 at 02:44
  • Oops! Yes, my comment was for Brooke. – John Rotenstein Apr 18 '19 at 04:10
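The approach Anil settled on in the comments above (key text read from an SSM SecureString parameter, written to a temporary file under /tmp for the duration of the call, then removed) combines WarrenG's SSM answer with the file path that pysftp.Connection insists on. The following is an added example written for this page, not code from any of the answers or from the pysftp project. The parameter name, the known_hosts file in the deployment package and the event fields are assumptions; the SSM call is the standard boto3 get_parameter with WithDecryption=True.

```python
import os
import stat
import tempfile
from contextlib import contextmanager

# Hypothetical parameter name; use whatever you created with
# `aws ssm put-parameter --type SecureString`.
KEY_PARAMETER_NAME = "/sftp/private-key"


def fetch_private_key(ssm_client, parameter_name=KEY_PARAMETER_NAME):
    """Read the PEM text out of a SecureString parameter.

    ssm_client is a boto3 SSM client (boto3.client("ssm")). WithDecryption=True
    makes SSM decrypt the SecureString with its KMS key, so the Lambda role
    needs ssm:GetParameter plus kms:Decrypt on that key.
    """
    response = ssm_client.get_parameter(Name=parameter_name, WithDecryption=True)
    key_material = response["Parameter"]["Value"]
    if "PRIVATE KEY" not in key_material:
        raise ValueError("parameter %s does not look like a PEM private key" % parameter_name)
    return key_material


@contextmanager
def private_key_file(key_material, directory="/tmp"):
    """Materialise the key as a file for the duration of a with-block.

    /tmp is the only writable path in Lambda. mkstemp creates the file with
    mode 0600 and O_EXCL, so another process cannot pre-create or read it;
    the finally-block overwrites and unlinks it so the key does not linger in
    /tmp, which a warm Lambda container reuses across invocations.
    """
    fd, path = tempfile.mkstemp(prefix="sftp-key-", suffix=".pem", dir=directory)
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(key_material)
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # explicit 0600, owner only
        yield path
    finally:
        try:
            size = os.path.getsize(path)
            with open(path, "r+b") as handle:
                handle.write(b"\0" * size)  # best-effort overwrite before unlink
        except OSError:
            pass
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass


def sftp_list_dir(ssm_client, hostname, username, remote_dir=".", directory="/tmp"):
    """Connect with the temporary key file and return the remote listing.

    pysftp is imported inside the function so the rest of the module can be
    exercised without it installed. CnOpts(knownhosts=...) points pysftp at a
    known_hosts file shipped in the deployment package (assumed file name);
    do not set cnopts.hostkeys = None, which disables host-key verification.
    """
    import pysftp  # pysftp.Connection(..., private_key=<path>) as in the question

    cnopts = pysftp.CnOpts(knownhosts="known_hosts")  # assumed packaged file
    key_material = fetch_private_key(ssm_client)
    with private_key_file(key_material, directory=directory) as key_path:
        with pysftp.Connection(host=hostname, username=username, port=22,
                               private_key=key_path, cnopts=cnopts) as sftp:
            return sftp.listdir(remote_dir)


def lambda_handler(event, context):
    """Lambda entry point; host and user are taken from the event for illustration."""
    import boto3

    return sftp_list_dir(boto3.client("ssm"), event["host"], event["user"])
```

The key never touches the deployment package or S3, and the file exists only while the connection is open. Two practical checks: a standard SSM parameter holds at most 4 KB (8 KB for an advanced parameter), which fits a typical RSA or Ed25519 PEM, and the Lambda role needs kms:Decrypt on the key behind the SecureString or get_parameter fails with an access error rather than returning the value.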

If you need instructions on creating a deployment package you can check out the video below. Instead of using pip to install a package, you can simply copy your .pem file into the lambda_function folder. Then follow the rest of the steps.

https://geektopia.tech/post.php?blogpost=Create_Lambda_Package_Python

Joseph