
serverless - aws - SecureLambdaFunction env

I'm having the following case:

I'm setting several environment variables in my serverless.yml file like:

ONE_CLIENT_SECRET=${ssm:/one/key_one~true}
ONE_CLIENT_PUBLIC=${ssm:/one/key_two~true}

ANOTHER_SERVICE_KEY=${ssm:/two/key_one~true}
ANOTHER_SERVICE_SECRET=${ssm:/two/key_two~true}

Let's say I have like 10 envs. When I try to deploy, I get the following error:

An error occurred: SecureLambdaFunction - Lambda was unable to configure your environment variables because the environment variables you have provided exceeded the 4KB limit. String measured: JSON_WITH_MY_VARIABLES_HERE

So I cannot deploy. I have an idea of what the problem is, but I don't have a clear path to solve it, so my questions are:

1) How can I extend the 4Kb limit?
2) Assuming my variables are set using SSM (I'm using the EC2 Parameter Store to save them; this is more related to the serverless team or someone who knows the topic), how does it work behind the scenes? When I run sls deploy, does it fetch the values and include them in the .zip file (this is what I think it does, I just want to clarify), or does it fetch the values when I exec the lambdas? I'm asking because I go to the AWS Lambda console and I can see them set there.

Thanks!

andresmijares asked Nov 07 '22 20:11


1 Answer

After taking a deep look around, I came to the following conclusion:

Using this pattern ONE_CLIENT_SECRET=${ssm:/one/key_one~true} means that the sls framework is going to download the values at compilation time and embed them into the project; this is where the problem comes from. You can see this after uploading the project: your variables are going to be set in plain text on the Lambda console.

My solution was to use a middy middleware to load ssm values when executing the lambda. This means, you need to code your project in a way that does not trigger any code until the variables are available and find a good strategy to catch the variables (cold start), otherwise, it will add more time to the execution.

The limit of 4Kb cannot be changed and, after reading about this, it seems obvious.

So short story, find a strategy of middleware and embed values that work best for you if you find this problem.

andresmijares answered Dec 03 '22 03:12
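
The runtime-loading approach described in the answer, as an added example that is not part of the original post and is not middy's own code: a small loader that fetches the parameters on the first invocation, reuses them on warm invocations, and fails closed if a parameter is missing. All function names are hypothetical, and the Parameter Store call is replaced by a constructed stub so the block runs offline.

```javascript
// Added example: createSecretLoader, withSecrets and makeStubStore are hypothetical names.
// fetchParams(names) must resolve to { name: decryptedValue }. In a deployed function it
// would wrap SSM GetParameters with WithDecryption: true; here it is a constructed stub.
function createSecretLoader(fetchParams, names, ttlMs = 300000, now = Date.now) {
  let cache = null;    // { values, expires }
  let inFlight = null; // shared promise: concurrent cold-start calls trigger one fetch
  return async function load() {
    if (cache && now() < cache.expires) return cache.values;
    if (!inFlight) {
      inFlight = (async () => {
        const values = await fetchParams(names);
        const missing = names.filter((n) => typeof values[n] !== 'string');
        if (missing.length) throw new Error('missing parameters: ' + missing.join(', '));
        cache = { values, expires: now() + ttlMs };
        return values;
      })().finally(() => { inFlight = null; });
    }
    return inFlight;
  };
}

// Wrap a handler so its body never runs before the secrets are available.
function withSecrets(load, handler) {
  return async (event, context) => handler(event, { ...context, secrets: await load() });
}

// Constructed stand-in for Parameter Store that counts how often it is queried.
function makeStubStore(data) {
  const stub = async (names) => {
    stub.calls += 1;
    return Object.fromEntries(names.filter((n) => n in data).map((n) => [n, data[n]]));
  };
  stub.calls = 0;
  return stub;
}

async function demo() {
  const store = makeStubStore({ '/one/key_one': 'constructed-secret', '/one/key_two': 'constructed-public' });
  let clock = 0; // fake clock so TTL expiry is deterministic
  const load = createSecretLoader(store, ['/one/key_one', '/one/key_two'], 1000, () => clock);
  const handler = withSecrets(load, async (event, ctx) => ctx.secrets['/one/key_one'].length);
  const first = await Promise.all([handler({}, {}), handler({}, {})]); // concurrent cold start
  await handler({}, {}); // warm invocation: served from cache
  clock = 2000;          // past the TTL
  await handler({}, {}); // refetch picks up rotated values
  return { first, calls: store.calls };
}
```

With this pattern the values are held only in the function's memory instead of its environment configuration, so the function's execution role needs permission to read and decrypt the parameters.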