
How to pass value of NODE_EXTRA_CA_CERTS to AWS Lambda deployed with Serverless?

I am deploying a Node AWS Lambda with Serverless. Due to the internal requirements of the institution in which this code will be run, I need to pass extra certificates. The only solution I've been able to find is to pass NODE_EXTRA_CA_CERTS as a CLI argument. Using typical environment variables (defined, for example, in dotenv) does not work because by that point in Node the certificates have already been configured.

My extra certs are in MyCerts.pem in the project root, and the Lambda function I'm trying to run is called function1. Running the Lambda locally with NODE_EXTRA_CA_CERTS=./MyCerts.pem npx serverless invoke local -f function1 -l works correctly. However, once I deploy to AWS using npx serverless deploy -v, I cannot find a way to properly include these additional certs, including by invoking from the CLI using NODE_EXTRA_CA_CERTS=./MyCerts.pem npx serverless invoke -f function1 -l.

I've tried everything I can think of and am at a loss. Can someone help?

223seneca asked Feb 27 '20 22:02

1 Answer

I think this should definitely be possible in AWS Lambda.
There is an example on dev.to [1] which is similar to your use case. However, they are using .NET Core and the AWS SAM, but it should be easy to adapt the solution to serverless and Node.js.

Basically, you need two steps:

  1. Create a Lambda layer which holds your additional certificate file [2][3]
  2. Add the environment variable NODE_EXTRA_CA_CERTS to your serverless.yml and point the path at the file you uploaded in your Lambda layer [4]

References

[1] https://dev.to/leading-edje/aws-lambda-layer-for-private-certificates-465j
[2] https://www.serverless.com/plugins/serverless-layers
[3] https://www.serverless.com/blog/publish-aws-lambda-layers-serverless-framework
[4] https://www.serverless.com/blog/serverless-v1.2.0

Martin Löper answered Oct 22 '22 05:10
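The two steps from the answer (a layer carrying the certificate file, and NODE_EXTRA_CA_CERTS set as a Lambda environment variable in serverless.yml) written out as an added serverless.yml fragment; this is example configuration, not code from the answer or from the Serverless project. It assumes a layer named certs built from a local directory layers/certs/ that holds the MyCerts.pem file from the question, and an assumed service name and Node runtime.

```yaml
# Added example serverless.yml (assumed names, see lead-in). Layer contents are
# unpacked under /opt inside the Lambda execution environment, so a file at
# layers/certs/MyCerts.pem is visible to the function as /opt/MyCerts.pem.
service: my-service            # assumed service name

provider:
  name: aws
  runtime: nodejs12.x           # assumed runtime; use the one your functions target

layers:
  certs:
    path: layers/certs          # directory containing MyCerts.pem (CA certificates only, never private keys)
    description: Institutional CA certificates trusted in addition to Node's bundled store

functions:
  function1:
    handler: handler.function1  # assumed handler module/export
    layers:
      - { Ref: CertsLambdaLayer }   # logical id Serverless derives from the layer name "certs"
    environment:
      # Set as a Lambda environment variable, so it exists before the Node runtime
      # starts and builds its CA store; loading it later via dotenv is too late.
      NODE_EXTRA_CA_CERTS: /opt/MyCerts.pem
```

Deploy with npx serverless deploy -v as before; if Node cannot read the file at that path it logs a warning and silently falls back to its bundled CA store, so check the function's CloudWatch logs after the first invocation to confirm the bundle was loaded.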