Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

In AWS Lambda, where can I securely store API Credentials?

Tags:

amazon-web-services

aws-lambda

aws-api-gateway

I have a lambda function configured through the API Gateway that is supposed to hit an external API via Node (ex: Twilio). I don't want to store the credentials for the functions right in the lambda function though. Is there a better place to set them?

like image 953
Toli Avatar asked Feb 09 '16 17:02

Toli

People also ask

What is the most secure way to store passwords on AWS?

Encrypt your secret data Secrets Manager encrypts the protected text of a secret by using AWS Key Management Service (AWS KMS). Many AWS services use AWS KMS for key storage and encryption. AWS KMS ensures secure encryption of your secret when at rest.

Is API gateway to Lambda encrypted?

Since API Gateway uses Lambda API and Lambda API is only supported on HTTPS, it makes sense to assume communication between API Gateway and Lambda is encrypted. Show activity on this post. The short answer is yes.

2 Answers

While I haven't done it myself yet, you should be able to leverage AWS KMS to encrypt/decrypt API keys from within the function, granting the Lambda role access to the KMS keys.

like image 31
Michael Lapidakis Avatar answered Sep 22 '22 05:09

Michael Lapidakis

The functionality to do this was probably added to Lambda after this question was posted.

AWS documentation recommends using the environment variables to store sensitive information. They are encrypted (by default) using the AWS determined key (aws/lambda) when you create a Lambda function using the AWS Lambda console.

It leverages AWS KMS and allows you to either: use the key determined by AWS, or to select your own KMS key (by selecting Enable encryption helpers); you need to have created the key in advance.

From AWS DOC 1...

"When you create or update Lambda functions that use environment variables, AWS Lambda encrypts them using the AWS Key Management Service. When your Lambda function is invoked, those values are decrypted and made available to the Lambda code.

The first time you create or update Lambda functions that use environment variables in a region, a default service key is created for you automatically within AWS KMS. This key is used to encrypt environment variables. However, should you wish to use encryption helpers and use KMS to encrypt environment variables after your Lambda function is created, then you must create your own AWS KMS key and choose it instead of the default key. The default key will give errors when chosen."

The default key certainly does 'give errors when chosen' - which makes me wonder why they put it into the dropdown at all.

Sources:

  • AWS Doc 1: Introduction: Building Lambda Functions » Environment Variables
  • AWS Doc 2: Create a Lambda Function Using Environment Variables To Store Sensitive Information
like image 153
Nigel Avatar answered Sep 22 '22 05:09

Nigel
Sign in to Comment

Related questions

How do I get the AccountId as a variable in a serverless.yml file?
AWS Lambda scheduled event source via cloudformation
How to update multiple items in a DynamoDB table at once
AWS Lambda - How to stop retries when there is a failure
How do I set up cloud-init on custom AMIs in AWS? (CentOS)
AWS Configure Bash One Liner
Why does AWS RDS Aurora have the option of "Multi-AZ Deployment" when it does replication across different zones already by default?
Terraform: what does AssumeRole: Service: ec2 do?
How to access/ping a server located on AWS?
How to install NGINX on AWS EC2 Linux 2 [closed]
AWS Lambda Function is returning "Cannot find module 'index'" yet the handler in the config is set to index
Parsing secrets from AWS secrets manager using AWS cli
Application Load Balancers vs API Gateway
Is multi-AZ RDS really worth it? [closed]
Terraform: Error creating IAM Role. MalformedPolicyDocument: Has prohibited field Resource
Redirect http:// requests to https:// on AWS API Gateway (using Custom Domains)
Redshift. Convert comma delimited values into rows
Aws S3 Filter by Tags. Search by tags
AWS Cognito User Pool without a password
Web Hosting on Amazon AWS (PHP + MySQL)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!