@nikgraf
Last active April 17, 2019 22:24
Providing sensitive information to a Lambda

I’m struggling with providing sensitive information like a password or API key to a Lambda:

In the AWS docs it says: When you create or update Lambda functions that use environment variables, AWS Lambda encrypts them using the AWS Key Management Service.

But they also mention:

Storing Sensitive Information

For sensitive information, such as database passwords, we recommend you use client-side encryption using
AWS Key Management Service and store the resulting values as Ciphertext in your environment variable.
You will need to include logic in your Lambda function code to decrypt these values.

So in the end the Lambda function needs a password/key to decrypt the Ciphertext. How do I safely provide the Lambda function with this password/key? How is this safer than just passing in the environment variable as plaintext and then Lambda storing it in KMS?

Any ideas?

Resource: http://docs.aws.amazon.com/lambda/latest/dg/env_variables.html
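The decryption logic the quoted AWS documentation asks for, as an added example that is not part of the original gist. It shows that the function holds no decryption key: the `kms:Decrypt` call is authorized by the function's execution-role credentials. The variable name `DB_PASSWORD_ENC`, the helper `decrypt_env` and the `StubKMS` stand-in are assumptions made for illustration.

```python
import base64
import os

DECRYPTED = {}  # plaintext cache, reused while the execution environment stays warm


def decrypt_env(name, kms_client=None, environ=os.environ):
    """Return the plaintext of a base64-encoded KMS ciphertext stored in an env var."""
    if name in DECRYPTED:
        return DECRYPTED[name]
    if kms_client is None:
        import boto3  # bundled with the Lambda Python runtime
        kms_client = boto3.client("kms")
    blob = base64.b64decode(environ[name])
    # No key or password is supplied here. KMS authorizes the call from the
    # function's execution-role credentials (the role needs kms:Decrypt on the
    # key); for a symmetric key it identifies the key from the ciphertext itself.
    resp = kms_client.decrypt(CiphertextBlob=blob)
    DECRYPTED[name] = resp["Plaintext"].decode("utf-8")
    return DECRYPTED[name]


def handler(event, context, kms_client=None, environ=os.environ):
    password = decrypt_env("DB_PASSWORD_ENC", kms_client, environ)  # assumed name
    # Use the secret here (e.g. open a DB connection); never log or return it.
    return {"secret_loaded": bool(password)}


class StubKMS:
    """Constructed stand-in for the KMS client so the example runs without AWS."""

    def __init__(self):
        self.calls = 0

    def decrypt(self, CiphertextBlob):
        self.calls += 1
        if CiphertextBlob != b"constructed-ciphertext":
            raise ValueError("unexpected ciphertext")
        return {"Plaintext": b"constructed-password"}


if __name__ == "__main__":
    env = {"DB_PASSWORD_ENC": base64.b64encode(b"constructed-ciphertext").decode()}
    stub = StubKMS()
    print(handler({}, None, stub, env), handler({}, None, stub, env), stub.calls)
```

With this layout, anyone who can read the function's configuration sees only ciphertext; reading the secret additionally requires `kms:Decrypt` permission on the key.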

@dror-g
dror-g commented Apr 17, 2019

Thanks Ryan, that's a very clear and concise explanation.
