how do I use aws secret manager with nodejs lambda

I tried to wrap the example code snippet that gets secrets in a function and then call it, but it does not appear to be working. I suspect I am calling it asynchronously and I need to call it synchronously? I just want a function I can call to get a secret value and put it in a var.

This is the function:

```javascript
// outside exports.handler = (event, context, callback) => {
function getSecret(secretName) {
    // Load the AWS SDK
    var AWS = require('aws-sdk'),
        region = process.env.AWS_REGION,
        secret,
        decodedBinarySecret;

    // Create a Secrets Manager client
    var client = new AWS.SecretsManager({
        region: region
    });

    // In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
    // See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
    // We rethrow the exception by default.

    client.getSecretValue({SecretId: secretName}, function(err, data) {
        if (err) {
            if (err.code === 'DecryptionFailureException')
                // Secrets Manager can't decrypt the protected secret text using the provided KMS key.
                // Deal with the exception here, and/or rethrow at your discretion.
                throw err;
            else if (err.code === 'InternalServiceErrorException')
                // An error occurred on the server side.
                // Deal with the exception here, and/or rethrow at your discretion.
                throw err;
            else if (err.code === 'InvalidParameterException')
                // You provided an invalid value for a parameter.
                // Deal with the exception here, and/or rethrow at your discretion.
                throw err;
            else if (err.code === 'InvalidRequestException')
                // You provided a parameter value that is not valid for the current state of the resource.
                // Deal with the exception here, and/or rethrow at your discretion.
                throw err;
            else if (err.code === 'ResourceNotFoundException')
                // We can't find the resource that you asked for.
                // Deal with the exception here, and/or rethrow at your discretion.
                throw err;
        }
        else {
            // Decrypts secret using the associated KMS CMK.
            // Depending on whether the secret is a string or binary, one of these fields will be populated.
            // Note: these `return`s return from the callback, not from getSecret,
            // which has already returned undefined by the time they run.
            if ('SecretString' in data) {
                return data.SecretString;
            } else {
                let buff = new Buffer(data.SecretBinary, 'base64');
                return buff.toString('ascii');
            }
        }
    });
}
```

Then I call it:

```javascript
// inside exports.handler = (event, context, callback) => {
var secret = getSecret('mySecret')
console.log('mysecret: ' + secret)
```

The secret var is always undefined.

EDIT: Async only works with promises, so I had to make my function async and return a promise:

```javascript
async function mySecrets(secretName) {
    // Load the AWS SDK
    var AWS = require('aws-sdk'),
        region = process.env.AWS_REGION;

    // Create a Secrets Manager client
    var client = new AWS.SecretsManager({
        region: region
    });

    return new Promise((resolve, reject) => {
        client.getSecretValue({SecretId: secretName}, function(err, data) {
            // Every error from the 'GetSecretValue' API rejects the promise, so
            // `await mySecrets(...)` throws it in the handler. The possible error
            // codes are listed at
            // https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
            if (err) {
                reject(err);
            }
            else {
                // Decrypts secret using the associated KMS CMK.
                // Depending on whether the secret is a string or binary, one of these fields will be populated.
                if ('SecretString' in data) {
                    resolve(data.SecretString);
                } else {
                    // Buffer.from replaces the deprecated new Buffer(...) constructor
                    let buff = Buffer.from(data.SecretBinary, 'base64');
                    resolve(buff.toString('ascii'));
                }
            }
        });
    });
}

// .....
// inside handler
exports.handler = async (event) => {
    // ....
    var value = await mySecrets('mysecret')
    // ....
};
```
red888 asked Aug 23 '19 01:08

People also ask

Can Lambda Access secrets Manager?

Yes, provided its execution role allows it. The function's IAM role needs secretsmanager:GetSecretValue on the secret's ARN (and kms:Decrypt on the key if the secret is encrypted with a customer-managed KMS key). Grant only that, scoped to the specific secret, rather than all Secrets Manager actions on every secret.

How do you pass AWS Lambda secrets?

Read them from Secrets Manager at runtime. If the function runs inside a VPC without a NAT gateway, use AWS PrivateLink and configure a Secrets Manager-specific interface VPC endpoint so the API is reachable. Do not store plaintext secrets in Lambda environment variables. Ensure that you do not embed secrets directly in function code, commit them to code repositories, or log them to CloudWatch.

How do I retrieve credentials in AWS secrets Manager from AWS Lambda?

The security group on the Secrets Manager VPC endpoint must allow inbound TCP 443 from the Lambda function's security group, and the function's security group must allow outbound TCP 443. If the same security group is attached to both the function and the endpoint, an inbound rule for TCP 443 with the source set to the security group itself satisfies this. With the endpoint and the rules in place, a Lambda function running in a VPC can retrieve credentials from AWS Secrets Manager.

Does AWS Lambda support node JS?

Yes. AWS Lambda supports Node.js 16 as both a managed runtime and a container base image (later Node.js releases have been added since). Developers creating serverless applications in Lambda with Node.js 16 can take advantage of features such as support for Apple silicon for local development, the timers promises API, and enhanced performance.


1 Answer

You need to wait for the async call to finish.

Inside your main handler you will have something like:

```javascript
// inside your main handler
exports.handler = async function(event, context) {
    var secret = await getSecret('mySecret')
    console.log('mysecret: ' + secret)
    // return ...
}
```
iwaduarte answered Oct 13 '22 05:10
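The answer above shows the essential point (await the promise inside an async handler). The following is an added example, not code from the question or the answer, that carries that approach a bit further the way one would in a real function: the SDK's own promise API instead of a hand-written `new Promise` wrapper, a module-scope cache so a warm container fetches the secret once rather than on every invocation, JSON and binary secrets handled, and error handling that logs the SDK error code but never the secret value. It assumes aws-sdk v2 (`client.getSecretValue(params).promise()`), a `SECRET_NAME` environment variable, and a `makeHandler` factory that takes a client-returning function; the client is injected so the logic can be exercised offline with a stub, none of which is part of the original post.

```javascript
'use strict';

// Added example, not code from the original post. Assumes aws-sdk v2, whose
// request objects expose .promise(), which is what the accepted answer awaits.

// Module-scope cache: a warm Lambda container keeps it across invocations, so
// the secret is fetched once per container rather than once per request.
const secretCache = new Map();

// Turn a GetSecretValue response into a usable value. A SecretString holding
// JSON (what the console's key/value editor stores) is parsed, any other
// string is returned unchanged, and SecretBinary comes back as a Buffer.
// Buffer.from copies a Buffer and decodes a base64 string, so it is correct
// whichever form the SDK hands back.
function decodeSecret(data) {
  if (typeof data.SecretString === 'string') {
    try {
      return JSON.parse(data.SecretString);
    } catch (e) {
      return data.SecretString;
    }
  }
  if (data.SecretBinary !== undefined) {
    return Buffer.from(data.SecretBinary, 'base64');
  }
  throw new Error('GetSecretValue returned neither SecretString nor SecretBinary');
}

// Resolve a secret through the SDK's promise API, caching it for ttlMs.
// SDK errors (ResourceNotFoundException, AccessDeniedException, ...) reject
// the promise, so `await` throws them into the caller's try/catch; the
// callback-style if/else chain from the AWS sample is not needed.
// `now` is injectable so cache expiry can be tested without waiting.
async function getSecret(client, secretName, { ttlMs = 5 * 60 * 1000, now = Date.now } = {}) {
  const hit = secretCache.get(secretName);
  if (hit && hit.expiresAt > now()) {
    return hit.value;
  }
  const data = await client.getSecretValue({ SecretId: secretName }).promise();
  const value = decodeSecret(data);
  secretCache.set(secretName, { value, expiresAt: now() + ttlMs });
  return value;
}

// Build the real client lazily (and only once) so this file still loads where
// aws-sdk is not installed; AWS_REGION is set by the Lambda runtime.
let defaultClient;
function realClient() {
  if (!defaultClient) {
    const AWS = require('aws-sdk');
    defaultClient = new AWS.SecretsManager({ region: process.env.AWS_REGION });
  }
  return defaultClient;
}

// makeHandler (a hypothetical helper) returns the Lambda entry point. Taking a
// client-returning function lets tests substitute a stub. Only the error code
// is logged: the secret value must never reach CloudWatch. SECRET_NAME is an
// assumed environment variable.
function makeHandler(getClient) {
  return async function handler(event) {
    try {
      const secret = await getSecret(getClient(), process.env.SECRET_NAME || 'mySecret');
      // Use `secret` here (e.g. secret.password to open a DB connection).
      return { statusCode: 200, body: 'ok' };
    } catch (err) {
      console.error('secret lookup failed:', err.code || err.name);
      return { statusCode: 500, body: 'configuration error' };
    }
  };
}

const handler = makeHandler(realClient);

if (typeof module !== 'undefined') {
  module.exports = { handler, getSecret, decodeSecret, makeHandler, secretCache };
}
```

Deploy `handler` as the function's entry point. The cache TTL bounds how long a rotated secret keeps being served from a warm container; if you rotate frequently, lower it or clear the cache when a downstream authentication failure suggests the cached value is stale.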