This tool retrieves secrets from AWS Secrets Manager resources given as environment variables and defines them as environment variables for the program executed as argument.

The secrets are expected to be prefixed with `SECRET_` and to contain a valid ARN of a Secrets Manager resource, such as `SECRET_FOO="arn:aws:secretsmanager:us-west-2:123456789012:secret:myapikey"`.

The tool then creates environment variables `FOO=secret_value`, where `secret_value` is the value stored in the `SECRET_FOO` Secrets Manager secret, and runs the program given as command line argument with the resolved secrets defined as such environment variables.

It is meant to be used from Lambda functions that use Docker images, which lack the ability to resolve secrets from ARNs.
- Set up your Lambda function with environment variables in the format `SECRET_FOO=arn:aws:secretsmanager:region:account-id:secret:secret-name`.
- Add the binary to your Lambda function using our prebuilt Docker image `cristim/resolve-aws-secrets:latest`, or use your own image, which you can build using the Makefile:

  ```Dockerfile
  COPY --from=cristim/resolve-aws-secrets:latest /resolve-aws-secrets /resolve-aws-secrets
  ```

- Edit the entrypoint configuration of your Lambda function's Docker image from

  ```Dockerfile
  CMD ["initial-entrypoint", "--arg1", "--arg2"]
  ```

  to

  ```Dockerfile
  CMD ["/resolve-aws-secrets", "initial-entrypoint", "--arg1", "--arg2"]
  ```

- The tool will resolve all the secrets named `SECRET_FOO=<arn>` into `FOO=secret-value`.
- In your Lambda function code, just use the environment variables as `FOO`, without the `SECRET_` prefix.
In case secrets get rotated, one way to refresh the secrets is by crashing the function with an error status code after the secrets were rotated and no longer work. This should trigger a rerun of the Lambda function, so the secret values will be resolved again.
Ensure that your Lambda function IAM role has the usual IAM permissions needed to access the secrets in AWS Secrets Manager.
No additional configuration is required. The extension uses the AWS SDK's default credential provider chain and connects to the region encoded in each Secrets Manager ARN.
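As an added illustration of the resolution contract described above (this is not code from the resolve-aws-secrets project), the following Rust program parses each Secrets Manager ARN to find its region, maps every `SECRET_X` variable to `X`, and passes all other variables through unchanged. The `fetch` closure is a stub standing in for the AWS SDK call so the logic runs offline, and not forwarding the `SECRET_X` variable itself to the child is an assumption.

```rust
use std::collections::BTreeMap;

/// Minimal view of a Secrets Manager ARN:
/// arn:aws:secretsmanager:<region>:<account-id>:secret:<secret-name>
#[derive(Debug, PartialEq)]
pub struct SecretArn { pub region: String, pub account: String, pub name: String }

/// Returns None for anything that is not a Secrets Manager ARN (e.g. an SSM ARN).
pub fn parse_secret_arn(arn: &str) -> Option<SecretArn> {
    // splitn(7) keeps any ':' inside the secret name intact
    let p: Vec<&str> = arn.splitn(7, ':').collect();
    if p.len() != 7 || p[0] != "arn" || p[2] != "secretsmanager" || p[5] != "secret" {
        return None;
    }
    if p[3].is_empty() || p[6].is_empty() { return None; }
    Some(SecretArn { region: p[3].into(), account: p[4].into(), name: p[6].into() })
}

/// Build the child environment: SECRET_X=<arn> becomes X=<fetched value>,
/// everything else is copied as-is. `fetch` stands in for the Secrets Manager
/// client; a malformed ARN or a failed fetch aborts with an error.
pub fn resolve_env<F>(parent: &[(String, String)], fetch: F)
    -> Result<BTreeMap<String, String>, String>
where F: Fn(&SecretArn) -> Result<String, String> {
    let mut child = BTreeMap::new();
    for (k, v) in parent {
        match k.strip_prefix("SECRET_") {
            Some(name) if !name.is_empty() => {
                let arn = parse_secret_arn(v)
                    .ok_or_else(|| format!("{k}: not a Secrets Manager ARN"))?;
                // assumption: the SECRET_X variable itself is not forwarded
                child.insert(name.to_string(), fetch(&arn)?);
            }
            _ => { child.insert(k.clone(), v.clone()); }
        }
    }
    Ok(child)
}

fn main() {
    // Constructed sample environment; the fetcher is a stub, not the AWS SDK.
    let parent = vec![
        ("SECRET_FOO".to_string(),
         "arn:aws:secretsmanager:us-west-2:123456789012:secret:myapikey".to_string()),
        ("PATH".to_string(), "/usr/bin".to_string()),
    ];
    let env = resolve_env(&parent, |a| Ok(format!("value-of-{}@{}", a.name, a.region))).unwrap();
    // The real tool would now exec the original entrypoint with `env` as its environment.
    for (k, v) in &env { println!("{k}={v}"); }
}
```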
In case you have many variables and secrets you may run into the 4KB limit of Lambda environment variables.

As a workaround for this limitation, you can now also pass the list of secrets in an SSM parameter given through the `SECRETS_PARAMETER_NAME` or `SECRETS_PARAMETER_ARN` environment variables.

The format of the data stored in the SSM parameter is a JSON dictionary as below:

```json
{
  "SECRET_FOO": "arn:aws:secretsmanager:eu-central-1:1234567890:secret:secret/name/foo",
  "SECRET_BAR": "arn:aws:secretsmanager:eu-central-1:1234567890:secret:secret/name/bar"
}
```

The tool will fetch that SSM parameter, parse its value and create environment variables for each secret mentioned inside the data, in our case `FOO` and `BAR`.

It's recommended to generate this SSM parameter using your IaC tool of choice; for example, Terraform can do this very nicely.
Prerequisites
- Docker
- make
- Rust 1.69 or later
- Clone this repository:

  ```sh
  git clone https://github.com/your-username/resolve-aws-secrets.git
  cd resolve-aws-secrets
  ```

- Build the Docker image (optional):

  ```sh
  export DOCKER_USERNAME=your-dockerhub-username
  export DOCKER_PASSWORD=your-dockerhub-password
  make
  ```
Contributions are welcome, feel free to submit issues or Pull Requests as usual.
This project is © 2024 Cristian Magherusan-Stanciu of leanercloud.com, and licensed under the MIT License.
Check out more of our projects at github.com/LeanerCloud.