This message was deleted.
# generals
sparse-intern-71089
04/23/2019, 7:55 PMThis message was deleted.
w
white-balloon-205
04/23/2019, 8:21 PM
Currently any values captured by code that is transformed into a lambda are just serialized into the text of the lambda.
Once https://github.com/pulumi/pulumi/issues/397 is complete, we will be able to improve this to understand when the value we are serializing is a secret, and in that case can use Lambda environment variables to pass the data. This is a planned work item as follow up to the above.
For now, if you do need these secrets to be passed in environment variables instead of serialized to text, you will want to manually pass in via
environmentd
dazzling-scientist-80826
04/23/2019, 8:27 PMgotcha - thanks for the info
dazzling-scientist-80826
04/23/2019, 8:27 PMalso had a chat w/ an aws security expert about my particular use case and it seems like assume-role can be used here w/o actually introducing any secrets
w
white-balloon-205
04/23/2019, 8:30 PM
Even better.
Also, another generally good pattern here is to use Secrets Manager or Parameter Store to store your secrets and then retrieve them at runtime within your lambda, using IAM as the means to constrain access to the secrets. This circumvents the need to pass the secrets themselves through Pulumi at all.
p
proud-artist-4864
05/01/2019, 8:29 AMAgreed on using AWS Parameter Store and IAM, its how we deal with HTTPS certs and the access can be restricted based on assumed roles and key matching
proud-artist-4864
05/01/2019, 8:30 AMThis is the policy we use. It probablyt should be made more strict by using a string match to the prefix of the key instead of just StringLike:
{
“Version”: “2012-10-17",
“Statement”: [
{
“Effect”: “Allow”,
“Action”: [
“ssm:GetParameter”
],
“Resource”: “*”,
“Condition”: {
“StringLike”: {
“ssmresourceTag/Environment” [
“prod”
]
}
}
}
]
}
35 Views