quaint-guitar-13446
04/06/2022, 12:45 AM
cloud-aws:
• What is the best way to get a secret into a RouteHandler?
• Is there authentication for API?

miniature-musician-31262
04/06/2022, 1:06 AM
cloud.API, but I can share a couple of options for the other question about using a secret value from within a route handler.
If you wanted to manage the secret with Pulumi alone (i.e., with `pulumi config set mySecret someValue --secret`), you could do that, import the secret into your program with `pulumi.Config`, and just reference the value from within your Lambda function handler:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as cloud from "@pulumi/cloud";

// Read the secret from Pulumi config; requireSecret returns an Output marked secret.
const config = new pulumi.Config();
const mySecret = config.requireSecret("mySecret");

const api = new cloud.API("my-api");
api.get("/hello", (req, res) => {
    // The captured Output is resolved to its plain string value when the
    // handler is serialized into the Lambda function body.
    console.log(mySecret);
    res.json({ message: "Hi, world!" });
});
```
The drawback to this approach, though, would be that the secret value would end up serialized as a plain-text string in the body of the Lambda function, which would work, but wouldn’t be ideal, as the secret value would be viewable by anyone with access to the AWS Console.
You could go a step further by using Pulumi to declare an `aws.secretsmanager.SecretVersion` as well, using that secret value, and then fetch the AWS-managed secret from within the body of the function using the AWS SDK. This would keep the value of the secret out of the code, but you’d have to be careful not to expose it accidentally in logs, etc. I’ve got an example of this approach here: https://github.com/thepulumibook/examples/blob/21040fbe7b4bd2a2038567aa6195c0c41b287ead/chapter4/health-checker-with-secrets-manager/index.ts#L8-L21

quaint-guitar-13446
04/06/2022, 1:33 AM
cloud.API
I'm not sure how to add the secretsmanager policy so that it can read the secret value.
cloud-aws:computerIAMRolePolicyARNs