Passing a secret value to AWS Lambda

Previously, I wrote about parameterizing an AWS Lambda via an SSM Parameter Store, where we passed non-secret values to a Lambda. However, what if Lambda needs a secret, such as a database password?

Here are some considerations:

  • Within the AWS realm, there are two canonical ways to store secrets: AWS Parameter Store and AWS Secret Manager. AWS Parameter Store is a free key-value store designed for system configuration. AWS Secret Manager is a paid service with more advanced features, such as periodic password rotation.
  • Within CloudFormation realm, there are two canonical modes for passing a value to Lambda: push and pull. In the push mode, an environmental variable is pushed to a Lambda in CloudFormation template, as demonstrated here. In the pull mode, the Lambda fetches the value dynamically at runtime, for example using AWS SDK.
  • Push mode: resolving a secret value within CloudFormation is technically possible via dynamic parameter patterns. However, the secret value would then be exposed in AWS Console for everybody to see. As the post describes, the exposure can be mitigated by encrypting the secret at rest and in transit. (By the way, the official AWS Lambda Developer Guide GitHub uses an environmental variable to pass a secret to Lambda. I'm wondering why that is.)
  • Pull mode: the exposure problem is resolved but you need to write custom boilerplate code to fetch the value. Plus, if you have more lambdas spread across different git repos, one need to live with the duplicated boilerplate or consider a shared library. And a shared library is not a free meal.

Considering the pros and cons, a good starting point seems to be:

  • Store secrets in SSM Parameter Store
  • Use pull mode, that is, resolve the values dynamically within the Lambda
  • If you have multiple lambdas, accept the code duplication.

Further reading:

Thanks to Bram for the discussion

Would you like to connect? Subscribe via email or RSS , or follow me on Twitter!