
How do I use the AWS CLI to set encrypted Lambda environment variables?

I have AWS Lambda environment variables locally that I would like to encrypt with a specific KMS key and assign to a Lambda function.

I'd thought that something like

aws lambda update-function-configuration --function-name functionName --cli-input-json file://config.json

with config.json as

{
  "Environment": {
    "Variables": {
      "var01": "Variable one",
      "var02": "Variable two"
    }
  },
  "KMSKeyArn": "arn:aws:kms:us-west-1:09238573743:key/...."
}

would accomplish this. But the variables end up unencrypted. The "KMSKeyArn" seems only to be used to decrypt (e.g. within the function's handler with boto3.client('kms').decrypt ).

How do I use the AWS CLI to take local (unencrypted) values, ideally specified in JSON, and assign them as encrypted values for a Lambda function's environment variables using a specific KMS key (and ensure that the same key is assigned to the function for use by boto3.client('kms').decrypt )?

I'd also like to be sure that my variables are never transmitted as plain text (that is, that the encryption occurs locally), if possible.

Unlike the AWS console, which is built to make multiple calls that can span various services, the AWS CLI makes a single call. That is why $ aws lambda update-function-configuration won't encrypt our variables.

Therefore, in order to accomplish this, we just need two commands:

$ aws kms encrypt --key-id **** --plaintext "Variable one"

And then take the cipher text from the result, and use it as the variable:

$ aws lambda update-function-configuration --function-name functionName --kms-key-arn **** --environment Variables={var01=XXXXXXXXX}

-- Edit:

The key that we can set as an argument to the aws lambda update-function-configuration command is for the at-rest encryption (as in the console).

For the environment variable decryption, there is no need to tell the Lambda which key it has to use, as this information is in the ciphertext. But we have to be sure the Lambda can get access to the key, by setting the Lambda's role as a user of the key in AWS IAM.
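The two-step procedure from the answer (encrypt each value with KMS, then store the base64 ciphertext as the environment variable) and the handler side that decrypts it, as an added Python example that is not part of the original question or answer. The `KEY_ARN`, the `FakeKms` stand-in and the sample variable values are constructed for this example; the real calls are `boto3` `kms.encrypt`/`kms.decrypt`, whose CLI equivalents are given in the comments. Two caveats a practitioner should know: `aws kms encrypt` sends the plaintext to the KMS endpoint over TLS and the encryption happens inside KMS, so the values are protected in transit but not encrypted "locally"; and with AWS CLI v2 the `--plaintext` blob parameter is read as base64 unless `--cli-binary-format raw-in-base64-out` is given (v1 accepts raw text, as in the answer's command). The example also passes an encryption context bound to the function name, so a ciphertext lifted from one function's configuration cannot be decrypted under another function's name, and the function's role still needs `kms:Decrypt` on the key (key policy or IAM policy) as the answer's edit says.

```python
"""Client-side encryption of Lambda environment variables with a chosen KMS key.

Deploy side: encrypt each value, base64 the CiphertextBlob, set it as the env var.
Runtime side: the handler base64-decodes and calls kms.decrypt. The ciphertext
carries the key ID, so decrypt needs no KeyId, only kms:Decrypt on that key.
"""
import base64
import json
import os
from typing import Dict

# Equivalent AWS CLI calls (CLI v2 needs --cli-binary-format raw-in-base64-out
# so --plaintext is taken as raw text; CLI v1 takes raw text by default):
#   aws kms encrypt --key-id "$KEY_ARN" --plaintext "Variable one" \
#     --encryption-context LambdaFunctionName=functionName \
#     --cli-binary-format raw-in-base64-out --query CiphertextBlob --output text
#   aws lambda update-function-configuration --function-name functionName \
#     --kms-key-arn "$KEY_ARN" --environment "Variables={var01=<base64 ciphertext>}"

# Hypothetical key ARN for the example (account and key ID are placeholders).
KEY_ARN = "arn:aws:kms:us-west-1:123456789012:key/00000000-0000-0000-0000-000000000000"


def encryption_context(function_name: str) -> Dict[str, str]:
    """Bind each ciphertext to one function: decrypt fails if the context differs."""
    return {"LambdaFunctionName": function_name}


def encrypt_variables(kms, key_id: str, function_name: str,
                      variables: Dict[str, str]) -> Dict[str, str]:
    """Encrypt plaintext values with `kms` (a boto3 KMS client or compatible object).

    Returns name -> base64 text, which is what a Lambda env var can hold."""
    ctx = encryption_context(function_name)
    encrypted = {}
    for name, value in variables.items():
        resp = kms.encrypt(KeyId=key_id, Plaintext=value.encode("utf-8"),
                           EncryptionContext=ctx)
        encrypted[name] = base64.b64encode(resp["CiphertextBlob"]).decode("ascii")
    return encrypted


def build_update_config(function_name: str, key_arn: str,
                        encrypted: Dict[str, str]) -> dict:
    """Body for `aws lambda update-function-configuration --cli-input-json file://...`.

    KMSKeyArn here only selects the key Lambda uses for at-rest encryption of
    the configuration; the values themselves are already ciphertext."""
    return {
        "FunctionName": function_name,
        "KMSKeyArn": key_arn,
        "Environment": {"Variables": encrypted},
    }


def decrypt_variables(kms, function_name: str, env: Dict[str, str]) -> Dict[str, str]:
    """Reverse of encrypt_variables: used inside the function's handler."""
    ctx = encryption_context(function_name)
    return {
        name: kms.decrypt(CiphertextBlob=base64.b64decode(b64),
                          EncryptionContext=ctx)["Plaintext"].decode("utf-8")
        for name, b64 in env.items()
    }


_SECRETS = None  # decrypted once per container, outside the per-invocation path


def lambda_handler(event, context):
    """Handler for the deployed function (needs boto3 and kms:Decrypt on the key)."""
    global _SECRETS
    if _SECRETS is None:
        import boto3  # available in the Lambda runtime
        fn = os.environ["AWS_LAMBDA_FUNCTION_NAME"]  # set by Lambda itself
        env = {k: os.environ[k] for k in ("var01", "var02")}
        _SECRETS = decrypt_variables(boto3.client("kms"), fn, env)
    return {"loaded": sorted(_SECRETS)}


class FakeKms:
    """Constructed offline stand-in for boto3's KMS client with the same call shape.

    Not real encryption: it only records key and context so the context check
    behaves like KMS (decrypt with a different context is rejected)."""

    def encrypt(self, KeyId, Plaintext, EncryptionContext=None):
        blob = json.dumps({"k": KeyId, "c": EncryptionContext or {},
                           "p": Plaintext.hex()}).encode("ascii")
        return {"CiphertextBlob": blob, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        rec = json.loads(CiphertextBlob.decode("ascii"))
        if rec["c"] != (EncryptionContext or {}):
            raise ValueError("InvalidCiphertextException: encryption context mismatch")
        return {"Plaintext": bytes.fromhex(rec["p"]), "KeyId": rec["k"]}


if __name__ == "__main__":
    fake = FakeKms()
    enc = encrypt_variables(fake, KEY_ARN, "functionName",
                            {"var01": "Variable one", "var02": "Variable two"})
    print(json.dumps(build_update_config("functionName", KEY_ARN, enc), indent=2))
    print(decrypt_variables(fake, "functionName", enc))
```

Against real AWS, replace `FakeKms()` with `boto3.client("kms")`, write the `build_update_config` output to `config.json` and pass it with `--cli-input-json file://config.json`; the handler keeps the decrypted values in a module-level cache so KMS is called once per container, not once per invocation.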
