
I am using the Serverless Framework to deploy and program my AWS Lambda function. Since my function is ready for production, I need to remove the sensitive keys, and I decided to use AWS Systems Manager (SSM Parameter Store) to use these keys in a secure manner. On deployment, however, I receive the following error message related to the use of these keys. I thought it might be something related to the IAM role that I manually associated with the Lambda, but I'm not sure what would be off with it.

Error:

Serverless Information ----------------------------------

  ##########################################################################################
  # 47555: 0 of 2 promises have settled
  # 47555: 2 unsettled promises:
  # 47555:   ssm:mg-production-domain~true waited on by: undefined
  # 47555:   ssm:mg-production-api-key~true waited on by: undefined
  # This can result from latent connections but may represent a cyclic variable dependency
  ##########################################################################################

YAML:

provider:
  name: aws
  runtime: nodejs10.x
  stage: dev
  region: us-east-1
  environment:
    MG_PRODUCTION_DOMAIN: ${ssm:mg-production-domain~true}
    MG_PRODUCTION_API_KEY: ${ssm:mg-production-api-key~true}

Here is the IAM role policy I added to the Lambda, but I believe there is probably a better way to do this by adding the IAM role via the YAML file:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ssm:DescribeParameters",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ssm:GetParameters",
            "Resource": "arn:aws:ssm:us-east-1:*account-id*:parameter/*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "ssm:GetParameter",
            "Resource": "arn:aws:ssm:us-east-1:*account-id*:parameter/*"
        }
    ]
}
cphill
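As an added example (not the asker's serverless.yml and not code from the Serverless project), here is how the role can be declared in the YAML itself instead of being attached by hand. It uses the Serverless Framework v1-era `iamRoleStatements` key, which matches the `nodejs10.x` runtime and the `${ssm:...~true}` form in the question. The service name, the `*_PARAM` variable names and the handler path are assumptions; the environment carries parameter names only, and the statement is scoped to the `mg-production-*` parameter prefix rather than `parameter/*`.

```yaml
# Added example, not the asker's configuration.
service: mg-service                     # hypothetical service name

provider:
  name: aws
  runtime: nodejs10.x
  stage: dev
  region: us-east-1
  environment:
    # Parameter *names* only; the function reads the values at runtime,
    # so no secret value is written into the CloudFormation template.
    MG_PRODUCTION_DOMAIN_PARAM: mg-production-domain
    MG_PRODUCTION_API_KEY_PARAM: mg-production-api-key
  # Attached by the framework to the function's execution role, replacing
  # the hand-made role. Scoped to this service's parameters, not parameter/*.
  iamRoleStatements:
    - Effect: Allow
      Action:
        - ssm:GetParameter
        - ssm:GetParameters
      Resource:
        - Fn::Join:
            - ''
            - - 'arn:aws:ssm:'
              - Ref: AWS::Region
              - ':'
              - Ref: AWS::AccountId
              - ':parameter/mg-production-*'
    # Only needed if the SecureStrings use a customer-managed KMS key rather
    # than the default aws/ssm key; fill in the real key ARN.
    # - Effect: Allow
    #   Action: kms:Decrypt
    #   Resource: arn:aws:kms:us-east-1:ACCOUNT_ID_PLACEHOLDER:key/KEY_ID_PLACEHOLDER

functions:
  api:
    handler: handler.handler            # hypothetical handler module
```

Two points worth checking against the hand-made policy in the question: `ssm:DescribeParameters` on `*` is not required for `GetParameter`/`GetParameters` and can be dropped, and the `~true` decryption lookup in the question runs at deploy time under the deployer's credentials, so the function's execution role is not what that lookup exercises.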
  • If I understand, you're hoping that serverless will retrieve the parameters at deploy time and inject their values into the Lambda function as environment variables, so the SSM access is being attempted using *your* credentials, not the Lambda function's. But, why aren't you configuring the Lambda function with the *names* of the parameters and then have the Lambda function itself retrieve the secret values at runtime (outside of the function handler so you benefit during a warm start)? – jarmod Oct 01 '19 at 20:02
  • I'm not sure I follow. I was under the assumption that best practice is to set the environment variables within the YAML configuration file and then use `process.env.*ENV_VARIABLE*` to access those values. What is the process you are describing? – cphill Oct 01 '19 at 23:01
  • You can certainly do that and it's probably the norm for non-sensitive parameters but any parameter values that you supply in this way will be visible in your CloudFormation console (to anyone with CF permissions) and, obviously, visible to whoever deploys the serverless project. That's not an ideal way to manage secrets, in my opinion. Instead, you should consider storing them in Parameter Store or Secrets Manager and simply configuring the Lambda function with the parameter names/keys so the values can be retrieved at runtime. Then lock down access to the secrets. – jarmod Oct 01 '19 at 23:14
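The runtime retrieval the comments describe, as an added example (not the asker's handler and not Serverless or aws-sdk code): environment variables hold parameter names, the values are fetched once per execution environment with `GetParameters` (decrypting SecureStrings) and cached outside the handler so warm starts reuse them. The `MG_*_PARAM` variable names, `createSecretLoader`, `makeFakeSsm` and `makeHandler` are assumptions; `getParameters(params).promise()` is the aws-sdk v2 call shape, and `makeFakeSsm` is a constructed in-memory stand-in so the file runs offline. In Lambda you would pass `new AWS.SSM()` instead. The loader also handles the two edge cases a practitioner hits first: more than 10 names (the per-call limit of `GetParameters`, handled by batching) and a misspelled name (reported by the API in `InvalidParameters`, turned into an error rather than an `undefined` secret).

```javascript
'use strict';
// Added example (not from the question or the Serverless project).

const GET_PARAMETERS_MAX_NAMES = 10; // per-call limit of ssm:GetParameters

// Splits a list into batches of at most `size` items.
function chunk(items, size) {
  const out = [];
  for (let i = 0; i < items.length; i += size) out.push(items.slice(i, i + size));
  return out;
}

// Fetches and decrypts the named parameters. `ssm` is any object exposing the
// aws-sdk v2 shape getParameters(params).promise(); in Lambda use new AWS.SSM().
// Names echoed back in InvalidParameters become an error so a typo fails loudly.
async function fetchParameters(ssm, names) {
  const values = {};
  for (const batch of chunk(names, GET_PARAMETERS_MAX_NAMES)) {
    const res = await ssm.getParameters({ Names: batch, WithDecryption: true }).promise();
    if (res.InvalidParameters && res.InvalidParameters.length) {
      throw new Error('missing SSM parameters: ' + res.InvalidParameters.join(', '));
    }
    for (const p of res.Parameters) values[p.Name] = p.Value;
  }
  return values;
}

// Builds a loader mapping config keys to parameter names. The result is cached
// only after a successful fetch, so a failed cold start retries next invocation.
function createSecretLoader(ssm, mapping) {
  let cached = null;
  return async function load() {
    if (cached) return cached;
    const byName = await fetchParameters(ssm, Object.values(mapping));
    const secrets = {};
    for (const [key, name] of Object.entries(mapping)) secrets[key] = byName[name];
    cached = secrets;
    return secrets;
  };
}

// Constructed stand-in for the SSM client (hypothetical helper) so the example
// runs offline; counts API calls so the caching behaviour is observable.
function makeFakeSsm(store) {
  const client = { calls: 0 };
  client.getParameters = ({ Names }) => ({
    promise: async () => {
      client.calls += 1;
      const Parameters = [];
      const InvalidParameters = [];
      for (const n of Names) {
        if (n in store) Parameters.push({ Name: n, Type: 'SecureString', Value: store[n] });
        else InvalidParameters.push(n);
      }
      return { Parameters, InvalidParameters };
    },
  });
  return client;
}

// Env vars carry names, not values (hypothetical variable names); defaults
// mirror the parameter names from the question.
const mapping = {
  domain: process.env.MG_PRODUCTION_DOMAIN_PARAM || 'mg-production-domain',
  apiKey: process.env.MG_PRODUCTION_API_KEY_PARAM || 'mg-production-api-key',
};

// Handler pattern: the loader lives at module scope, the handler awaits it.
function makeHandler(loader) {
  return async function handler() {
    const secrets = await loader();
    return { statusCode: 200, body: 'domain=' + secrets.domain }; // never echo apiKey
  };
}

// Offline demo with constructed values: two invocations, one SSM call.
const demoSsm = makeFakeSsm({
  'mg-production-domain': 'mg.example.com',
  'mg-production-api-key': 'constructed-api-key',
});
const demoHandler = makeHandler(createSecretLoader(demoSsm, mapping));
demoHandler()
  .then(() => demoHandler())
  .then((res) => console.log(res.body, '| ssm calls:', demoSsm.calls));
```

Because the cache is module-scoped, a rotated parameter value is picked up only by new execution environments; if rotation needs to take effect sooner, store a timestamp with the cache and refetch after a chosen TTL.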

0 Answers