what’s the recommended way to inject secrets in to...
# general
what’s the recommended way to inject secrets in to lambda functions produced by pulumi / pulumi-cloud ? aws lambdas can have environment variables encrypted at rest, which seems like i’d want to take advantage to that, but open to alternatives. is there an example of this somewhere?
Currently any values captured by code that is transformed into a lambda are just serialized into the text of the lambda. Once https://github.com/pulumi/pulumi/issues/397 is complete, we will be able to improve this to understand when the value we are serializing is a secret, and in that case can use Lambda environment variables to pass the data. This is a planned work item as follow up to the above. For now, if you do need these secrets to be passed in environment variables instead of serialized to text, you will want to manually pass in via
and the. Pull out from the environment yourself instead of relying just on Pulumi’s setialization. Cc also @bitter-oil-46081 and @lemon-spoon-91807 for fyi.
gotcha - thanks for the info
also had a chat w/ an aws security expert about my particular use case and it seems like assume-role can be used here w/o actually introducing any secrets
Even better. Also, another generally good pattern here is to use Secrets Manager or Parameter Store to store your secrets and then retrieve them at runtime within your lambda, using IAM as the means to constrain access to the secrets. This circumvents the need to pass the secrets themselves through Pulumi at all.
Agreed on using AWS Parameter Store and IAM, its how we deal with HTTPS certs and the access can be restricted based on assumed roles and key matching
This is the policy we use. It probablyt should be made more strict by using a string match to the prefix of the key instead of just StringLike: { “Version”: “2012-10-17", “Statement”: [ { “Effect”: “Allow”, “Action”: [ “ssm:GetParameter” ], “Resource”: “*”, “Condition”: { “StringLike”: { “ssmresourceTag/Environment” [ “prod” ] } } } ] }