Using `cloud-aws` : - What is the best way to get ...
# aws
: • What is the best way to get a secret into a
? • Is there authentication for
I’d have to dig a bit on the question about auth with
, but I can share a couple of options for the other question about using a secret value from within a route handler. If you wanted to manage the secret with Pulumi alone (i.e., with
pulumi config set mySecret someValue --secret
), you could do that, import the secret into your program with
, and just reference the value from within your Lambda function handler:
Copy code
const config = new pulumi.Config();
const mySecret = config.requireSecret("mySecret");

const api = new cloud.API("my-api");

api.get("/hello", (req, res) => {

    // Reference the secret as a string.

    res.json({ message: "Hi, world!" });
The drawback to this approach, though, would be that the secret value would end up serialized as a plain-text string in the body of the Lambda function, which would work, but wouldn’t be ideal, as the secret value would be viewable by anyone with access to the AWS Console. You could go a step further by using Pulumi to declare an
as well, using that secret value, and then fetch the AWS-managed secret from within the body of the function using the AWS SDK. This would keep the value of the secret out of the code, but you’d have to be careful not to expose it accidentally in logs, etc. I’ve got an example of this approach here:
That's really helpful, thank you @miniature-musician-31262
👍 1
Ok so the lingering issue that I have with your example is that with
I'm not sure how to add the secretsmanager policy so that it can read the secret value
Ok I've got it. I can set the config value
🙌 1