
I have several Lambdas I am working with, and they use some private tokens as part of their execution.

I want to avoid keeping them in the Lambda function in plain text, and would rather keep them somehow in an encrypted global variable or some other way AWS offers for such things.

I'm sure there are plenty of ways to do so in AWS, but as a beginner+ AWS user I would love to hear your feedback on what would be safe to use, maintain and access when needed.

Thanks!

Currently my Lambda is just storing the pass key in plain text.
I need it to be stored like a global variable and I am not sure where to start.

2 Answers


  1. Chosen as BEST ANSWER

    Thanks for the guidance guys!

    Eventually this is what I did:

    1. Created a token inside the 'AWS Secrets Manager'
    2. Added to my Lambda IAM role a policy to allow "secretsmanager:GetSecretValue" for the specific secret using its ARN
    3. Added the following code in my Lambda to extract the token.

    import boto3
    from botocore.exceptions import ClientError

    def get_SM_key():
        secret_name = "SecretNameISavedInSM"
        region_name = "name-of-region"

        # Create a Secrets Manager client in the region where the secret lives
        session = boto3.session.Session()
        client = session.client(
            service_name='secretsmanager',
            region_name=region_name
        )

        try:
            get_secret_value_response = client.get_secret_value(SecretId=secret_name)
        except ClientError as e:
            # list of exceptions -> https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
            raise e

        # Secrets Manager decrypts the value with the associated KMS key before returning it;
        # 'SecretString' holds the plaintext (binary secrets come back in 'SecretBinary' instead)
        secret = get_secret_value_response['SecretString']
        return secret


    And it now works :)


  2. You should use AWS SSM Parameter Store SecureString, or AWS Secrets Manager to store these values. When using Secrets Manager, or when using SSM Parameter Store SecureString, the value will be encrypted using AWS KMS.

    If you want further control over this, you can create a Customer Master Key in AWS KMS, and tell SSM or Secrets Manager to use that key for encryption. Your Lambda function will need the relevant IAM permissions to access the secure parameter/secret, as well as decrypt permissions for the KMS key.

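Added example, not code from either answer above and not AWS's own sample: a small loader that pulls a token from either a Secrets Manager secret (the approach the accepted answer took) or an SSM Parameter Store SecureString (the alternative the second answer names), caches it at module scope so warm Lambda invocations do not call the API again, parses the JSON that console-created secrets use, and builds the two-statement least-privilege policy the second answer describes (read one secret, `kms:Decrypt` on one customer managed key). The `my-app/api-token` name, the ARNs and the two fake clients are constructed placeholders so the module runs offline; inside Lambda the real boto3 clients are created on first use.

```python
"""Added example: read a Lambda token from Secrets Manager or SSM SecureString.

Not code from the thread above. Names, ARNs and the fake clients below are
constructed placeholders; replace them with your own secret/parameter.
"""
import json
import os
from typing import Any, Dict, Optional

# Module-level cache. Lambda reuses the loaded module across warm invocations,
# so the secret is fetched once per execution environment, not once per call.
_CACHE: Dict[str, str] = {}


def _default_client(service: str, region: Optional[str] = None):
    # boto3 is imported lazily so this module also loads where boto3 is absent
    # (unit tests inject a fake client); in the Lambda runtime boto3 is present.
    import boto3
    return boto3.session.Session().client(service, region_name=region)


def get_secret(secret_id: str, client=None) -> str:
    """SecretString of a Secrets Manager secret; Secrets Manager decrypts it with KMS.

    IAM needed: secretsmanager:GetSecretValue on the secret ARN, plus kms:Decrypt
    on the key if the secret uses a customer managed KMS key.
    """
    key = "sm:" + secret_id
    if key not in _CACHE:
        client = client or _default_client("secretsmanager")
        _CACHE[key] = client.get_secret_value(SecretId=secret_id)["SecretString"]
    return _CACHE[key]


def get_parameter(name: str, client=None) -> str:
    """Value of an SSM SecureString; WithDecryption=True makes SSM decrypt via KMS.

    IAM needed: ssm:GetParameter on the parameter ARN, plus kms:Decrypt on the
    key if the parameter uses a customer managed KMS key.
    """
    key = "ssm:" + name
    if key not in _CACHE:
        client = client or _default_client("ssm")
        resp = client.get_parameter(Name=name, WithDecryption=True)
        _CACHE[key] = resp["Parameter"]["Value"]
    return _CACHE[key]


def get_secret_field(secret_id: str, field: str, client=None) -> str:
    """Secrets created in the Secrets Manager console are JSON; return one field."""
    return json.loads(get_secret(secret_id, client))[field]


def least_privilege_policy(secret_arn: str, kms_key_arn: Optional[str] = None) -> Dict[str, Any]:
    """IAM policy for the function role: read exactly one secret, decrypt exactly one key."""
    statements: list = [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": secret_arn}
    ]
    if kms_key_arn:  # only needed for a customer managed key, as the second answer notes
        statements.append({"Effect": "Allow", "Action": "kms:Decrypt", "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def lambda_handler(event, context):
    """Handler: the token is fetched on the first invocation and cached afterwards."""
    token = get_secret_field(os.environ.get("SECRET_ID", "my-app/api-token"), "token")
    return {"statusCode": 200, "body": "token loaded, %d chars" % len(token)}


# Constructed stand-ins for the boto3 clients so the module runs offline.
class FakeSecretsManager:
    def __init__(self) -> None:
        self.calls = 0

    def get_secret_value(self, SecretId: str) -> Dict[str, str]:
        self.calls += 1
        return {"SecretString": json.dumps({"token": "s3cr3t-" + SecretId})}


class FakeSSM:
    def get_parameter(self, Name: str, WithDecryption: bool) -> Dict[str, Any]:
        assert WithDecryption, "SecureString must be read with WithDecryption=True"
        return {"Parameter": {"Name": Name, "Type": "SecureString", "Value": "p@ss"}}


if __name__ == "__main__":
    sm = FakeSecretsManager()
    print(get_secret_field("my-app/api-token", "token", client=sm))
    print(get_secret_field("my-app/api-token", "token", client=sm), "calls:", sm.calls)
    print(get_parameter("/my-app/db-password", client=FakeSSM()))
    print(json.dumps(least_privilege_policy(
        "arn:aws:secretsmanager:eu-west-1:123456789012:secret:my-app/api-token-AbCdEf",
        "arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555"), indent=2))
```

Two points worth keeping in mind when adapting this: the cache means a rotated secret is only picked up when the execution environment is recycled (or when you clear `_CACHE` on a failed authentication), and the policy deliberately names one secret ARN and one key ARN rather than `*`, which is what keeps a compromised function from reading every secret in the account.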