This Lambda showcases how you can prohibit certain users from seeing or interacting with the environment variables of a Lambda.
Deployment assumes that you use aws cloudformation package followed by aws cloudformation deploy. Here's a suggested Makefile that lets you type make deploy. Note that the S3DEPLOYBUCKET and SECRET_PASSWORD variables need to be changed:
# User-tunable settings. `?=` keeps a value that is already set (for
# example by the environment); the `:=` values are set here and can still
# be overridden on the make command line.

# Region passed to `aws cloudformation deploy` via --region.
AWS_DEFAULT_REGION ?= eu-west-1

# Bucket and key prefix handed to --s3-bucket / --s3-prefix.
# Replace the bucket name with one you own.
S3PATHPREFIX := cloudformation
S3DEPLOYBUCKET := my-s3-bucket

# Value passed to the stack as the SECRETPASSWORD parameter override.
# `pancakes` is only a demo placeholder: supply the real value through the
# environment instead of editing it into this file, so that it does not
# end up in version control.
SECRET_PASSWORD ?= pancakes
# Command line for `aws cloudformation package`: takes cloudformation.yaml,
# uses $(S3DEPLOYBUCKET)/$(S3PATHPREFIX) as the artifact location, and
# writes the resulting template to dist/cloudformation.dist.yaml.
# Kept recursive (`=`) so the bucket and prefix are resolved at the point
# where the recipe expands it.
package = aws cloudformation package \
    --template-file cloudformation.yaml --output-template-file dist/cloudformation.dist.yaml \
    --s3-bucket $(S3DEPLOYBUCKET) --s3-prefix $(S3PATHPREFIX)
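# Put SECRET_PASSWORD into the environment of the recipe shells. The deploy
# command below reads it as a shell variable, so when make echoes the
# command it prints "$SECRET_PASSWORD" rather than the secret itself, and
# the double quotes keep spaces or shell metacharacters in the value from
# being split or interpreted.
export SECRET_PASSWORD

# Command line for `aws cloudformation deploy` against the packaged
# template in dist/.
#
# - The definition ends WITHOUT a trailing backslash; a backslash on the
#   last line would join the following `deploy:` rule header into this
#   variable and leave the recipe without a target.
# - The secret is still present in the aws process's argument list while
#   the command runs.
# - NOTE(review): cloudformation.yaml is not shown on this page. Confirm
#   that its SECRETPASSWORD parameter is declared with NoEcho: true;
#   otherwise the value is readable in the stack's parameter list.
deploy = aws cloudformation deploy \
    --template-file dist/cloudformation.dist.yaml \
    --stack-name kms-env-vars-test \
    --region $(AWS_DEFAULT_REGION) \
    --parameter-overrides "SECRETPASSWORD=$$SECRET_PASSWORD" \
    --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM \
    --s3-bucket $(S3DEPLOYBUCKET) \
    --s3-prefix $(S3PATHPREFIX)

# `deploy` names a command, not a file, so it must always run.
# Steps: recreate dist/, copy index.js into it, package the template,
# deploy the stack, then remove dist/ again. The two aws commands are left
# un-silenced so the log shows what ran; the secret is not part of that
# echo (see the export above).
.PHONY: deploy
deploy:
	@echo "Resetting dist directory"
	@rm -rf dist
	@mkdir -p dist
	@echo "Building deployment package"
	@cp index.js dist/index.js
	$(package)
	@echo "Deploying CloudFormation"
	$(deploy)
	@echo "Cleaning up"
	@rm -rf dist
	@echo "Done!"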