How To Store Your AWS Lambda Secrets

Do it right, so you don’t have to redo it when your application load increases

Timothy Jones
Better Programming

Don’t tell anyone your secrets. Do tell people how to store secrets. (Photo by Kristina Flour on Unsplash)

Most Lambda deployments use environment variables to pass configuration to the deployed function. It’s the recommendation that AWS makes in the documentation, and it’s an attractive choice because it’s easy, encrypted at rest, and allows for flexibility in how you get the values there in the first place.

There are many articles with good recommendations about Lambda configurations already. Why should you read this one?

Instead of comparing and contrasting approaches, this is a how-to guide for anyone whose primary values are minimising cost without compromising scalability or security. If you have additional or different needs, I recommend reading the links above as well.

This guide is aimed at small to medium teams working in contexts where security matters, but fine-grained permission management might not.

Just tell me the answer

If you’re here from Google and just want a recommendation, feel free to skip to the end for the summary. If you want the detailed rationale behind the recommendation, read on.

Secrets in Environment Variables

Responses (3)

Hey Timothy,
Thanks for taking the time to do this write up. One thing that can help get around the getting a parameter one at a time slow response time is to get all parameters at a path at application bootstrap. For instance using boto you can call…...

--

Hi Timothy, thanks for sharing the write up. We, at Sentry, are working on helping developers identify performance challenges with Lambda functions. I would love your feedback.

--

Hi Timothy,
I was thinking about trying sops (https://github.com/mozilla/sops) with KMS, but it still remains in my pipeline of things to do before going to production, would be great to hear what you think of it before I dive straight into this, for…...

--
