I’m struggling with providing sensitive information like a password or api key to a Lambda:
In the AWS docs it says: When you create or update Lambda functions that use environment variables, AWS Lambda encrypts them using the AWS Key Management Service.
But they also mention
Storing Sensitive Information
For sensitive information, such as database passwords, we recommend you use client-side encryption using
AWS Key Management Service and store the resulting values as Ciphertext in your environment variable.
You will need to include logic in your Lambda function code to decrypt these values.
So in the end the Lambda function needs a password/key to decrypt the Ciphertext. How do I safely provide the Lambda function with this password/key? How is this safer than just passing in the environment variable as plaintext and then Lambda storing it in KMS?
any ideas?
Resource: http://docs.aws.amazon.com/lambda/latest/dg/env_variables.html
just wow, thx so much for clarifying!