So, I want to put the secret from Secrets Manager here, but it doesn't seem to convert or get the value. Is there any way to put it here? Another solution would be to put it in the deploy, or to keep it like this and have code in my function grab this value and then do a lookup. I'm leaning towards putting it on the deploy as it would save time for lookups.
Viewed 3,028 times
2
You definitely should not put it in the deploy. Doing so will expose its value in the console (or via API calls). You should resolve it in your code. You can grant permissions to your function to get its value so that only the function sees it, not users who can see the function in the console.

Jason Wadsworth
- There are ways to do it in the deploy. I use Azure DevOps; I can put it in there and use Azure vault and it will hide the value on the deploy console. – Dan Parker Feb 06 '20 at 01:33
- But it will show in the AWS console. I assume what you're showing there is the environment variables. – Jason Wadsworth Feb 06 '20 at 01:45
- Yes, I don't mind it there; only people with access can see that configuration. – Dan Parker Feb 06 '20 at 01:57
- You're obviously free to do what you want, but that isn't considered safe. The typical process would be to use KMS to encrypt the keys, but if you already have it in Secrets Manager it's kind of redundant. https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-encryption – Jason Wadsworth Feb 06 '20 at 02:02
- So if I just pass the ARN of the secret and look it up, that would work. I suppose my functions don't run too quickly to have any issue with performance. I suppose I'll just check the pricing on the lookups per month; that would be the only downside. I see your point on it not being considered safe; suppose KMS or this then anyway. Just thought there'd be an easier way like Azure has. – Dan Parker Feb 06 '20 at 02:28
- Pricing is $0.05 per 10K lookups. What I typically do is look it up on load (cold start) and keep it in memory. If you need to make sure it hasn't changed you can use an expiring cache of some sort. – Jason Wadsworth Feb 06 '20 at 02:30
- The problem is that Lambda is always a cold start. Cost isn't that much, I suppose. Even if it's 1 million calls it's only $5. – Dan Parker Feb 06 '20 at 17:10
- @DanParker yea, I would call the Secrets Manager API from the Lambda. You can also use this: https://github.com/aws/aws-secretsmanager-caching-python . Is your only hesitation the latency from making an API request? – committedandroider Feb 06 '20 at 22:41
- If Lambda is always a cold start then you can look into provisioned concurrency. In some cases that can actually reduce your cost (because of the reduction of cold starts), but at a minimum it reduces the cold starts without a lot of extra cost. – Jason Wadsworth Feb 06 '20 at 23:44
- Even if it's $20 a month, that's nothing compared to the rest of the system, and it's technically more secure, and I can change the value in one place and it will change in all the various functions I have. It's better in the long run. – Dan Parker Feb 07 '20 at 05:59
- Would just be cool if you could keep a reference to a secret value there like Azure. Why not make it easier for everyone? – Dan Parker Feb 07 '20 at 06:00
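The pattern the answer and comments settle on (only the secret's ARN in the environment variable, value resolved from Secrets Manager at cold start and held in an expiring in-memory cache), as an added Python example that is not from the question, the answer, or the linked caching library. `DB_SECRET_ARN`, `SecretCache` and the 300-second default TTL are assumed names and values; the Secrets Manager client is injected so the module runs offline, and with boto3 installed `boto3_fetcher(boto3.client("secretsmanager"))` is the real fetcher.

```python
import json
import os
import time
from typing import Callable, Optional


class SecretCache:
    """Fetch a secret string by ARN and cache it in memory for ttl_seconds.
    fetch(arn) returns the secret string; clock is injectable to test expiry."""

    def __init__(self, fetch: Callable[[str], str], ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch, self._ttl, self._clock = fetch, ttl_seconds, clock
        self._value: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0  # number of real API calls made

    def get(self, arn: str) -> str:
        now = self._clock()
        if self._value is None or now >= self._expires_at:
            # Miss or expired: call the API and restart the TTL window.
            self._value = self._fetch(arn)
            self._expires_at = now + self._ttl
            self.fetch_count += 1
        return self._value


def boto3_fetcher(client) -> Callable[[str], str]:
    """Adapt a boto3 'secretsmanager' client to the fetch(arn) -> str shape."""
    return lambda arn: client.get_secret_value(SecretId=arn)["SecretString"]


# Module scope: created once per container, reused on warm invocations.
_cache: Optional[SecretCache] = None


def handler(event: dict, context, cache: Optional[SecretCache] = None) -> dict:
    """Lambda entry point. DB_SECRET_ARN (assumed name) holds only the ARN."""
    global _cache
    if cache is not None:
        _cache = cache
    elif _cache is None:
        import boto3  # deferred so the module imports without boto3 present
        _cache = SecretCache(boto3_fetcher(boto3.client("secretsmanager")))
    secret = json.loads(_cache.get(os.environ["DB_SECRET_ARN"]))
    # Return only non-sensitive fields; never echo the password back.
    return {"statusCode": 200, "user": secret["username"]}
```

The execution role then needs `secretsmanager:GetSecretValue` on that one ARN (plus `kms:Decrypt` if the secret is encrypted with a customer managed key), which is the "grant permissions to your function" step from the answer; nothing in the console shows the value.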