
I'm creating a Secret in CDK like so:

import * as cdk from "@aws-cdk/core";
import * as lambda from "@aws-cdk/aws-lambda-nodejs";
import * as apiGw from "@aws-cdk/aws-apigateway";
import * as secretsmanager from "@aws-cdk/aws-secretsmanager";

export class ObjectCdkStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const secret = new secretsmanager.Secret(this, "MasterSecret");
    const handler = new lambda.NodejsFunction(this, "HelloHandler", {
      entry: "lambda/hello.ts",
      bundling: {
        nodeModules: ["uuid"],
      },
      environment: {
        MASTER_SECRET: secret.secretValue.toString(),
      },
    });

    new apiGw.LambdaRestApi(this, "Endpoint", {
      handler,
    });
    new cdk.CfnOutput(this, "MasterSecretValue", {
      value: secret.secretValue.toString(),
    });
  }
}

And I want to use that secret to make authorized requests to my lambda function. The only solution I could come up with is to put a log in the lambda code and check the AWS logs online to copy the secret. Surely there's another way?

  • Can you clarify what you mean by "make authorized requests to my lambda function"? – maafk Sep 22 '21 at 20:09
  • I want to use it as a secret when posting to that lambda function. The function checks a request parameter against that secret – yspreen Sep 22 '21 at 23:29
  • The Secret will be available in the lambda function using the method shown in the answer. You can also check anything POSTed from API Gateway within the lambda function – maafk Sep 24 '21 at 09:27
  • That's not the question. I want to know the secret on the machine I'm creating the deployment from, so that I can use it when POSTing to the lambda – yspreen Sep 24 '21 at 20:02
  • Use the aws sdk to get the secret value. – gshpychka Sep 28 '21 at 13:52

1 Answer

Rather than pass the secret value to your lambda function as an environment variable, try passing the secret name, and get the secret value from within the lambda using getSecretValue.

import * as cdk from "@aws-cdk/core";
import * as lambda from "@aws-cdk/aws-lambda-nodejs";
import * as apiGw from "@aws-cdk/aws-apigateway";
import * as secretsmanager from "@aws-cdk/aws-secretsmanager";

export class ObjectCdkStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const secret = new secretsmanager.Secret(this, "MasterSecret");
    const handler = new lambda.NodejsFunction(this, "HelloHandler", {
      entry: "lambda/hello.ts",
      bundling: {
        nodeModules: ["uuid"],
      },
      environment: {
        MASTER_SECRET_NAME: secret.secretName,
      },
    });
    // The function itself is an IGrantable; handler.role is typed IRole | undefined
    // and fails to compile under strict TypeScript settings.
    secret.grantRead(handler);

    new apiGw.LambdaRestApi(this, "Endpoint", {
      handler,
    });
  }
}

Then somewhere inside lambda/hello.ts:

// AWS SDK v2 client (aws-sdk is available in the Node.js Lambda runtime);
// the callback form of getSecretValue used below is the v2 API.
import { SecretsManager } from "aws-sdk";
const secretsmanager = new SecretsManager();

// Only the secret's name arrives through the environment, never its value.
const SECRET_NAME = process.env.MASTER_SECRET_NAME as string;

const params = {
    SecretId: SECRET_NAME,
};
secretsmanager.getSecretValue(params, function(err, data) {
    if (err) console.log(err, err.stack); // an error occurred
    else     console.log(data);           // successful response; data.SecretString holds the value
});
  • I appreciate the feedback, but as far as I can tell, this improves my code but still doesn't answer the initial question? Logging inside the lambda function already works – yspreen Sep 22 '21 at 13:20
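The following is an added example, not code from the question or the answer. It shows the handler side of the pattern the answer recommends: the function is given only the secret's name (the question's original code resolves secret.secretValue.toString() into the environment, which writes the plain value into the function configuration, readable by anyone allowed lambda:GetFunctionConfiguration). The secret is fetched once per container and cached, and the request's token is compared in constant time rather than with ===, so a mismatch does not leak how many leading characters were right. The header name x-api-token, the query parameter token, and the injected SecretFetcher are assumptions; in the deployed function the fetcher would wrap the answer's getSecretValue call, as the comment shows.

```typescript
import { timingSafeEqual } from "crypto";

// Minimal slice of the API Gateway proxy event shape (assumed here to avoid a type-package dependency).
interface ProxyEvent {
  headers?: Record<string, string | undefined>;
  queryStringParameters?: Record<string, string | undefined> | null;
}
interface ProxyResult {
  statusCode: number;
  body: string;
}

// Anything that resolves to the secret string. In the deployed function this wraps the
// answer's SDK call, for example:
//   () => secretsmanager.getSecretValue({ SecretId: process.env.MASTER_SECRET_NAME as string })
//           .promise().then((d) => d.SecretString as string)
export type SecretFetcher = () => Promise<string>;

// Fetch lazily and keep the result for the life of the container, so a warm function
// makes one Secrets Manager call rather than one per request. A failed fetch is not
// cached, so the next request retries instead of the container staying broken.
export function makeSecretCache(fetch: SecretFetcher) {
  let pending: Promise<string> | undefined;
  let fetchCount = 0;
  return {
    get(): Promise<string> {
      if (!pending) {
        fetchCount++;
        pending = fetch().catch((err) => {
          pending = undefined;
          throw err;
        });
      }
      return pending;
    },
    fetchCount: () => fetchCount,
  };
}

// Constant-time comparison of the presented token against the secret. Lengths are
// compared first because timingSafeEqual throws on buffers of different length;
// revealing the secret's length is acceptable, revealing a prefix match is not.
export function tokenMatches(presented: string | undefined, secret: string): boolean {
  if (presented === undefined) return false;
  const a = Buffer.from(presented, "utf8");
  const b = Buffer.from(secret, "utf8");
  if (a.length !== b.length) return false;
  return timingSafeEqual(a, b);
}

// Take the token from a header first (it then stays out of access logs), falling back
// to a query parameter, which is what the question describes.
export function extractToken(event: ProxyEvent): string | undefined {
  const headers = event.headers ?? {};
  for (const name in headers) {
    if (name.toLowerCase() === "x-api-token") return headers[name];
  }
  return event.queryStringParameters?.token;
}

// Build the Lambda handler around a cache; the cache is created once at module load.
export function makeHandler(cache: ReturnType<typeof makeSecretCache>) {
  return async (event: ProxyEvent): Promise<ProxyResult> => {
    const secret = await cache.get();
    if (!tokenMatches(extractToken(event), secret)) {
      return { statusCode: 401, body: JSON.stringify({ error: "unauthorized" }) };
    }
    return { statusCode: 200, body: JSON.stringify({ ok: true }) };
  };
}
```

For the deploying machine, which is what the question actually asks about, the same principle applies: export the secret's name (secret.secretName) as the stack output rather than its value, then read the value with the CLI, for example aws secretsmanager get-secret-value --secret-id NAME --query SecretString --output text. That call needs secretsmanager:GetSecretValue on the caller's identity and is recorded in CloudTrail, whereas a value placed in a stack output or environment variable is readable by anyone who can describe the stack or function, with no record of who looked.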