How to store encrypted secrets in code for a serverless.com project?
Problem
With serverless.com, the easiest way to expose a secret to an AWS Lambda function is to store it in the serverless.yml file (encrypted with KMS, for example).
But committing encrypted secrets to Git is not the best thing in the world. It requires code changes when the secret has to change, for one thing.
But in terms of security alone, what are better alternatives? E.g. the secret could be stored in S3 (encrypted), with the Lambda given access to that location and KMS key, but is that actually better in any meaningful way?
Solution
There are a couple of elements to consider here:
- It is valuable to have the capability to maintain configuration with a separate release cadence from the code that is being configured. Doing so encourages rotation of credentials in an automated manner; do it regularly to make it painless.
- It is entirely reasonable from an "Infrastructure as Code" point of view to store all configuration in Git, albeit probably in a different repository, as the scope of configuration is likely to span more than one service.
- Assuming both of the above statements are relevant to your situation, I would be inclined to encrypt the data with KMS and store it in S3 or DynamoDB. I would even go so far as to say that in very simple situations it might be suitable to encrypt and store the data within KMS itself.

There are several open source libraries that will support this operation:
- Python: CredS3
- Go: Sneaker
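The pattern the answer describes (secret encrypted with a KMS key, ciphertext kept in DynamoDB, decrypted by the Lambda at run time) as an added example; this is not code from the original post or from the libraries it names. It assumes a hypothetical DynamoDB table keyed on (name, version) and a hypothetical KMS key ARN. `put_secret` and `SecretReader` use only the boto3 call shapes shown; `FakeKms` and `FakeTable` are offline stand-ins for the boto3 clients so the module runs without AWS, and they do no real cryptography. The example also shows the check a practitioner wants from this design: binding the ciphertext to the secret's name and stage through the KMS encryption context, so a ciphertext copied from one row to another is refused on decrypt rather than silently handed to the wrong consumer.

```python
"""KMS-encrypted secret in DynamoDB, read by a Lambda (added example).

put_secret/SecretReader use only the boto3 call shapes shown. FakeKms and
FakeTable are offline test doubles that do NO cryptography; assumption: in a
real deployment you pass boto3.client("kms") and a boto3 DynamoDB Table.
"""
import base64
import secrets
import time


def _context(name, stage):
    # KMS EncryptionContext must match on decrypt, so a ciphertext written for
    # ("db_password", "prod") cannot be decrypted as any other secret or stage.
    return {"secret": name, "stage": stage}


def put_secret(kms, table, key_id, stage, name, plaintext, version=1):
    """Encrypt plaintext directly with the KMS key (Encrypt API, max 4096
    bytes) and store the base64 ciphertext under the (name, version) key."""
    if len(plaintext) > 4096:
        raise ValueError("KMS Encrypt takes at most 4096 bytes; use envelope encryption")
    resp = kms.encrypt(KeyId=key_id, Plaintext=plaintext,
                       EncryptionContext=_context(name, stage))
    table.put_item(Item={"name": name, "version": version, "stage": stage,
                         "ciphertext": base64.b64encode(resp["CiphertextBlob"]).decode("ascii")})
    return version


class SecretReader:
    """Lambda-side reader with a per-container cache; ttl_seconds bounds how
    long a rotated value can still be served from a warm container."""

    def __init__(self, kms, table, stage, ttl_seconds=300, clock=time.monotonic):
        self._kms, self._table, self._stage = kms, table, stage
        self._ttl, self._clock, self._cache = ttl_seconds, clock, {}

    def get(self, name, version):
        now = self._clock()
        hit = self._cache.get((name, version))
        if hit is not None and now - hit[1] < self._ttl:
            return hit[0]
        item = self._table.get_item(Key={"name": name, "version": version}).get("Item")
        if item is None:
            raise KeyError(f"{name} v{version} not found")
        # Same context as on encrypt; KMS refuses the blob if it differs.
        resp = self._kms.decrypt(CiphertextBlob=base64.b64decode(item["ciphertext"]),
                                 EncryptionContext=_context(name, self._stage))
        self._cache[(name, version)] = (resp["Plaintext"], now)
        return resp["Plaintext"]


class FakeKms:
    """Offline stand-in for the boto3 KMS client: hands out an opaque random
    token as the 'ciphertext' and enforces EncryptionContext on decrypt."""

    def __init__(self):
        self._blobs = {}

    def encrypt(self, KeyId, Plaintext, EncryptionContext=None):
        token = secrets.token_bytes(32)
        self._blobs[token] = (KeyId, bytes(Plaintext), dict(EncryptionContext or {}))
        return {"KeyId": KeyId, "CiphertextBlob": token}

    def decrypt(self, CiphertextBlob, EncryptionContext=None, KeyId=None):
        entry = self._blobs.get(CiphertextBlob)
        if entry is None or entry[2] != dict(EncryptionContext or {}):
            raise PermissionError("InvalidCiphertextException")  # the error name KMS uses
        return {"KeyId": entry[0], "Plaintext": entry[1]}


class FakeTable:
    """Offline stand-in for a boto3 DynamoDB Table with a (name, version) key."""

    def __init__(self):
        self._items = {}

    def put_item(self, Item):
        self._items[(Item["name"], Item["version"])] = dict(Item)

    def get_item(self, Key):
        item = self._items.get((Key["name"], Key["version"]))
        return {"Item": dict(item)} if item else {}


def demo():
    """Round-trip one secret, then copy its ciphertext under another secret's
    name and confirm the decrypt is refused. Returns (plaintext, substituted)."""
    kms, table = FakeKms(), FakeTable()
    key_id = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"  # hypothetical
    put_secret(kms, table, key_id, "prod", "db_password", b"hunter2")
    reader = SecretReader(kms, table, "prod")
    value = reader.get("db_password", 1)
    row = table.get_item(Key={"name": "db_password", "version": 1})["Item"]
    table.put_item(Item={**row, "name": "api_token"})  # ciphertext substitution
    try:
        reader.get("api_token", 1)
        return value, True
    except PermissionError:
        return value, False
```

In a real function, build `boto3.client("kms")` and `boto3.resource("dynamodb").Table(...)` at module scope and pass them in, so the cache survives warm invocations. Give the function's role only `kms:Decrypt` on that one key ARN and `dynamodb:GetItem` on that one table, and keep `kms:Encrypt` and `dynamodb:PutItem` on the writer's role (CI or an operator), which is the separation the answer's first point is after. The `version` attribute is what lets you publish a rotated secret and cut the function over by changing one configuration value rather than its code; the cache TTL bounds how long the old value is still served.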
Context
StackExchange DevOps Q#543, answer score: 7