I need to write a lambda function which makes an API call (to Airflow) using credentials stored in AWS SSM parameter store. I have been supplied with the key id for the credentials.

How can I securely query the credentials and integrate them (again securely) into the API call?

Is this on the right track:

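import boto3

key_supplied = 'the key I was supplied with'
client = boto3.client('ssm')

def lambda_handler(event, context):
    # pass the variable itself, not the literal string 'key_supplied'
    parameter = client.get_parameter(Name=key_supplied, WithDecryption=True)
    # note: this prints the decrypted value into the function's logs
    print(parameter)
    return parameter['Parameter']['Value']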
Sanchez333

1 Answer

I usually have a simple function in such lambda functions:

import boto3

def get_ssm_param(param: str) -> str:
    session = boto3.session.Session()
    ssm = session.client("ssm")
    # boto3 client methods take keyword arguments only, so the name goes in Name=
    return ssm.get_parameter(Name=param, WithDecryption=True)['Parameter']['Value']

Then it can be used as

def lambda_handler(event, context):
    secure_param = get_ssm_param("secure_param_key")
    ...
ljmc
  • Thanks a lot for this. How can I then supply the params securely in the API call - would I need to put it in the header? I just want to make sure I'm being as secure as possible. – Sanchez333 Jan 16 '23 at 08:04
  • What do you mean supply securely to the API call? I mostly use this for DB passwords and the like, which I pass templated into f-strings, or as keyword parameters. If your API expects a secret in one of those fields, you don’t need to do anything yourself, just pass the value. – ljmc Jan 16 '23 at 09:16
  • Yes, so SSM should provide me with credentials required by the API. So if I supply the returned value in the header of the API call, will that be secure enough? – Sanchez333 Jan 16 '23 at 12:54
  • If this is what your API expects, then yes, otherwise it's just about ensuring you don't do things like logging that variable. – ljmc Jan 16 '23 at 17:04
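
An added example, not code from the question or the answer, that puts the thread's points together: decrypt the parameter, send it only in the Authorization header over HTTPS, and log nothing that contains it. It assumes the parameter holds "user:password" and that the Airflow API accepts HTTP basic auth; the parameter name, the host and the `dag_id` event field are hypothetical.

```python
import base64
import json
import urllib.request
from urllib.parse import quote

PARAM_NAME = "/example/airflow/api-credentials"   # hypothetical parameter name
AIRFLOW_URL = "https://airflow.example.internal"  # hypothetical Airflow host
_cache = {}  # survives between invocations of a warm container


def get_ssm_param(name, ssm=None):
    """Decrypt a SecureString once per container; the value is never logged."""
    if name not in _cache:
        if ssm is None:
            import boto3  # bundled with the Lambda Python runtime
            ssm = boto3.client("ssm")
        resp = ssm.get_parameter(Name=name, WithDecryption=True)
        _cache[name] = resp["Parameter"]["Value"]
    return _cache[name]


def build_request(base_url, dag_id, credentials):
    """Put the secret in the Authorization header only, and only over TLS."""
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send credentials over a non-TLS URL")
    token = base64.b64encode(credentials.encode()).decode()
    return urllib.request.Request(
        f"{base_url}/api/v1/dags/{quote(dag_id, safe='')}/dagRuns",
        data=json.dumps({"conf": {}}).encode(),
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


def log_safe(req):
    """Log method, URL and header names; header values stay out of the logs."""
    return {"method": req.get_method(), "url": req.full_url,
            "headers": sorted(req.headers)}


def lambda_handler(event, context):
    creds = get_ssm_param(PARAM_NAME)  # assumed to hold "user:password"
    req = build_request(AIRFLOW_URL, event["dag_id"], creds)
    print(json.dumps(log_safe(req)))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return {"status": resp.status}  # return the outcome, not the secret
```

The function's execution role needs `ssm:GetParameter` on that parameter, plus `kms:Decrypt` if it is encrypted with a customer managed key. Because the value is cached per container, a rotated credential is only picked up on the next cold start.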