
Storing and passing credentials to AWS Lambda from Bitbucket

The problem description: I have Python code in Bitbucket which is deployed to AWS to be executed as a Lambda function. The setup is based on this guide: https://bitbucket.org/blog/aws-lambda-deployments-using-bitbucket-pipelines-and-pipes

In the Python code, I plan to use credentials (e.g. for database access), and the source code is obviously the wrong place to store them.

What is a recommended storage place and way of passing credentials to the Lambda function?

Should it be Bitbucket's repository variables? If yes, then how do I pass them to the Lambda function's code?

Or should it be AWS Lambda environment variables? Same question then.

You could store them in AWS SSM Parameter Store and fetch them at runtime.

That way you can manage who has access to it. Putting it in env variables will display the secret in plain text to anyone who can see it.

The way I structure it is this:

  1. Put the secret in an encrypted SSM Parameter; this uses a KMS key.
  2. Give your Lambda access to the SSM parameter and the KMS key used, through IAM.
  3. In the Lambda ENV or a configuration file, put the path to the SSM Parameter.
  4. In the Lambda, during startup, fetch the parameter and put it in some static variable so that other executions of the same (non-cold-started) Lambda don't need to fetch it again.
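The four steps above, steps 3 and 4 in particular, as an added Python example that is not from the original answer: the environment carries only the parameter *path* (assumed here to be in `DB_PASSWORD_PARAM`), the SecureString value is fetched with `get_parameter(WithDecryption=True)`, and a module-level cache keeps it for warm invocations, with a short TTL so a rotated secret is eventually picked up. The SSM client is injectable so the logic can be exercised without AWS.

```python
"""Fetch a SecureString from SSM Parameter Store once per Lambda container."""
import os
import time

# Module-level cache. Module globals survive across warm invocations of the
# same container, so the SSM call (and the KMS decrypt behind it) only
# happens on a cold start or after the TTL expires.
_CACHE = {}  # param_name -> {"value": str, "fetched_at": float}


def _ssm_client():
    """Build the real boto3 SSM client (imported lazily so tests need no boto3)."""
    import boto3  # assumption: boto3 is present in the Lambda runtime (it is by default)
    return boto3.client("ssm")


def get_secret(param_name, client=None, ttl_seconds=300, now=time.time):
    """Return the decrypted value of `param_name`, cached per container.

    `client` and `now` exist for dependency injection; in Lambda leave them
    at their defaults. A short TTL bounds how long a rotated secret is stale.
    """
    entry = _CACHE.get(param_name)
    if entry is not None and now() - entry["fetched_at"] < ttl_seconds:
        return entry["value"]
    client = client or _ssm_client()
    # WithDecryption=True makes SSM call KMS with the Lambda's role, which is
    # why step 2 grants the role kms:Decrypt on that key, not just ssm:GetParameter.
    resp = client.get_parameter(Name=param_name, WithDecryption=True)
    value = resp["Parameter"]["Value"]
    _CACHE[param_name] = {"value": value, "fetched_at": now()}
    return value


def lambda_handler(event, context, client=None):
    """Example handler: resolve the DB password from the path given in the ENV."""
    # Step 3: the environment holds the parameter path, never the secret itself.
    param_name = os.environ["DB_PASSWORD_PARAM"]  # e.g. /myapp/prod/db_password (assumed name)
    password = get_secret(param_name, client=client)
    # Use `password` to open the DB connection here; never return or log it.
    return {"statusCode": 200, "body": "credentials loaded"}
```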
