I have a Lambda function that used to use encrypted environment variables set in the Lambda configuration, but I no longer need them. I tried removing the env variable in the UI and it no longer shows up, but I am still seeing this in the logs:
"Found credentials in environment variables."
I also tried using the update-function-code command without passing an env variable which doesn't work.
Any way to remove the encrypted env variables from my lambda function configuration? I want to ensure unused/unneeded things are removed.
Thanks!
To prevent IAM identities from accessing passwords, keys, or other sensitive information in your Lambda environment variables, do the following: Use an AWS Key Management Service (AWS KMS) customer managed key to encrypt the environment variables.
Click the "Decrypt" button for each variable, one by one. Choose the AWS KMS key that you prefer to use for encrypting the Lambda function environment variables in transit. Python developers building the Lambda function code will get the code block required to decrypt each environment variable.
You can use environment variables to store secrets securely for use with Lambda functions. Lambda always encrypts environment variables at rest. By default, Lambda uses an AWS KMS key that Lambda creates in your account to encrypt your environment variables. This AWS managed key is named aws/lambda.
I believe it is a standard output from the inner workings of Python Lambdas that use boto. None of my Python Lambdas have credentials and yet I have the same message in all logs of Python Lambdas.
I know it's a little late to this, but here is my understanding.
The statement "Found credentials in environment variables." does not have anything to do with the environment variables you configured. Apparently, Lambda has a set of reserved environment variables, and when your code tries to connect to other AWS services (like S3, SNS, etc.), Lambda tries to read the credentials from the reserved environment variables to make a connection to the other service and in the process logs the statement about where it found the credentials to "stdout".
According to this article, when you have a logger configured with INFO level, then all the .info() statements by your code and the AWS SDK will be logged to "stdout" and thereby ending up in CloudWatch logs. Try setting the logger level to WARNING and observe the logs.
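The behaviour described in the answer above, as an added example that is not part of the original thread: it separates the runtime-injected credential variables from the rest of an environment, then shows that raising only the SDK logger to WARNING drops the message while the function's own INFO lines survive. The logger name `botocore.credentials` and the three reserved variable names come from botocore and the Lambda runtime; `ListHandler`, the `handler` logger, and `SAMPLE_ENV` are constructed for illustration.

```python
import logging

# Credential variables the Lambda runtime sets itself from the execution role
# (reserved names; they are not part of the function's configured variables).
RESERVED_CREDENTIAL_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")
# Constructed sample environment; values are placeholders, not real credentials.
SAMPLE_ENV = {
    "AWS_ACCESS_KEY_ID": "placeholder", "AWS_SECRET_ACCESS_KEY": "placeholder",
    "AWS_SESSION_TOKEN": "placeholder", "AWS_REGION": "us-east-1", "TABLE_NAME": "orders",
}


class ListHandler(logging.Handler):
    """Collects formatted records in memory, standing in for CloudWatch Logs."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(f"{record.levelname} {record.name}: {record.getMessage()}")


def split_environment(environ):
    """Return (runtime credential variables, every other variable name), both sorted."""
    reserved = sorted(k for k in environ if k in RESERVED_CREDENTIAL_VARS)
    other = sorted(k for k in environ if k not in RESERVED_CREDENTIAL_VARS)
    return reserved, other


def simulate_invocation(sdk_level):
    """Log one constructed invocation with root at INFO and the SDK logger at sdk_level."""
    root, sdk = logging.getLogger(), logging.getLogger("botocore")
    handler = ListHandler()
    saved = (root.level, root.handlers[:], sdk.level)
    root.handlers = [handler]
    root.setLevel(logging.INFO)
    sdk.setLevel(sdk_level)
    try:
        # Constructed stand-in for the line botocore emits when it reads the reserved variables.
        logging.getLogger("botocore.credentials").info("Found credentials in environment variables.")
        logging.getLogger("handler").info("processed 3 records")
    finally:
        root.handlers = saved[1]
        root.setLevel(saved[0])
        sdk.setLevel(saved[2])
    return handler.lines
```

In a real function the equivalent single line is `logging.getLogger("botocore").setLevel(logging.WARNING)`, which leaves the root logger at INFO for your own messages.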