Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

serverless - aws - SecureLambdaFunction env

Tags:

serverless

serverless-framework

I'm having the following case:

I setting several environments variables on my serverless.yml file like:

ONE_CLIENT_SECRET=${ssm:/one/key_one~true}
ONE_CLIENT_PUBLIC=${ssm:/one/key_two~true}

ANOTHER_SERVICE_KEY=${ssm:/two/key_one~true}
ANOTHER_SERVICE_SECRET=${ssm:/two/key_two~true}

let' say I have like 10 envs, when I try to deploy I get the following error:

An error occurred: SecureLambdaFunction - Lambda was unable to configure your environment variables because the environment variables you have provided exceeded the 4KB limit. String measured: JSON_WITH_MY_VARIABLES_HERE

So I cannot deploy, I have an idea of what the problem is but I dont have a clear path to solve it, so my questions are:

1) How can I extend the 4Kb limit?
2) assuming my variables are set using SSM, I'm using the EC2 Parameter store to save them. (this is more related to a serverless team or someone that knows the topic) how does it work behind the scenes? - when I run sls deploy does it fetch for the values and included on the .zip file? (this is what I think it does, I just want to clarify) or does it fetch the values when I exec the lambdas? I'm asking cause I go to the aws lambda console and I can see em set there.

Thanks!

like image 769
andresmijares Avatar asked Nov 07 '22 20:11

andresmijares

1 Answers

After taking a look around in deep, I came with the following conclusion:

Using this pattern ONE_CLIENT_SECRET=${ssm:/one/key_one~true} means that the sls framework is going to download the values on compilation time and embed into the project, this is where the problem comes, you can see this after uploading the project, your variables are going to be set on plain text on the lambda console.

My solution was to use a middy middleware to load ssm values when executing the lambda. This means, you need to code your project in a way that does not trigger any code until the variables are available and find a good strategy to catch the variables (cold start), otherwise, it will add more time to the execution.

The limit of 4Kb cannot be changed and after read about this, it seems obvious.

So short story, find a strategy of middleware and embed values that work best for you if you find this problem.

like image 119
andresmijares Avatar answered Dec 03 '22 03:12

andresmijares
Sign in to Comment

Related questions

Page works on initial page load, but if i refresh the page I get an 404 error with Zeit, Nextjs & now
Is it possible to specify more than one method for an API Gateway -> Lambda mapping?
How to access plugin output in serverless.yml of Serverless Framework?
Circular dependency between resources: CognitoUserPool and environment
How to avoid headers passed back to API Gateway from Lambda via Serverless framework being remapped?
Finding logs for lambda function errors in AWS Cloudwatch?
Troubles with "X-Forwarded-*" headers in HTTP request done by AWS Lambda
How to make readline work in a python subprocess?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!