# aws
q
Using `cloud-aws`:
• What is the best way to get a secret into a `RouteHandler`?
• Is there authentication for `API`?
m
I’d have to dig a bit on the question about auth with `cloud.API`, but I can share a couple of options for the other question about using a secret value from within a route handler. If you wanted to manage the secret with Pulumi alone (i.e., with `pulumi config set mySecret someValue --secret`), you could do that, import the secret into your program with `pulumi.Config`, and just reference the value from within your Lambda function handler:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as cloud from "@pulumi/cloud";

// Read the encrypted config value set with `pulumi config set mySecret ... --secret`.
const config = new pulumi.Config();
const mySecret = config.requireSecret("mySecret");

const api = new cloud.API("my-api");

api.get("/hello", (req, res) => {
    // The captured Output is resolved to its plain value when the handler
    // is serialized, so inside the Lambda it is a string.
    console.log(mySecret);

    res.json({ message: "Hi, world!" });
});
```
The drawback to this approach, though, would be that the secret value would end up serialized as a plain-text string in the body of the Lambda function, which would work, but wouldn’t be ideal, as the secret value would be viewable by anyone with access to the AWS Console. You could go a step further by using Pulumi to declare an `aws.secretsmanager.SecretVersion` as well, using that secret value, and then fetch the AWS-managed secret from within the body of the function using the AWS SDK. This would keep the value of the secret out of the code, but you’d have to be careful not to expose it accidentally in logs, etc. I’ve got an example of this approach here: https://github.com/thepulumibook/examples/blob/21040fbe7b4bd2a2038567aa6195c0c41b287ead/chapter4/health-checker-with-secrets-manager/index.ts#L8-L21
q
That's really helpful, thank you @miniature-musician-31262
Ok so the lingering issue that I have with your example is that with `cloud.API` I'm not sure how to add the secretsmanager policy so that it can read the secret value.
Ok I've got it. I can set the config value `cloud-aws:computerIAMRolePolicyARNs`.