So you keep the secrets file locally? What if you are on a team and want to deploy this through CI/CD? Would you handle that on there?
You use AWS KMS. Here's a nice Serverless plugin. :)
nordcloud / serverless-kms-secrets
🔑🔐☁️ Serverless plugin to encrypt variables with KMS
Serverless KMS Secrets
A Serverless Plugin for the Serverless Framework which helps with encrypting service secrets using the AWS Key Management Service (KMS)
Introduction
This plugin does the following:
Installation and configuration
In your service root, run:
Add the plugin to serverless.yml. Configure the plugin in the custom block of serverless.yml. For example:
By default, the plugin writes secrets to the file kms-secrets.[stage].[region].yml. This can be overridden with the secretsFile parameter in the serverless-kms-secrets configuration.
Add Decrypt permissions to your Lambda function with e.g. this block in IamRoleStatements:
Usage
Creating KMS Key
Create a KMS key in AWS IAM service, under Encryption keys. Collect…
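An added example, not taken from the plugin's README, of how the serverless.yml pieces described above fit together: the plugin's custom block with the secretsFile override, and a Decrypt statement scoped to the single key the secrets were encrypted with rather than `*`. The kmsSecrets variable name and the keyArn/secrets keys are assumed from the layout of the secrets file the plugin writes; check them against the README for the version you install.

```yaml
service: my-service   # constructed example service name

plugins:
  - serverless-kms-secrets

custom:
  serverless-kms-secrets:
    # Override of the default kms-secrets.[stage].[region].yml location (parameter named in the README)
    secretsFile: kms-secrets.${opt:stage, self:provider.stage}.${opt:region, self:provider.region}.yml
  # Assumption: load the encrypted secrets file into a variable so both the IAM statement
  # and the function environment can reference it. The file holds KMS ciphertext only,
  # so it can be committed and used from CI/CD without exposing plaintext.
  kmsSecrets: ${file(kms-secrets.${opt:stage, self:provider.stage}.${opt:region, self:provider.region}.yml)}

provider:
  name: aws
  runtime: nodejs12.x
  iamRoleStatements:
    # Least privilege: only kms:Decrypt, and only on the key that encrypted these secrets.
    # Resource: "*" would let the function decrypt with any key in the account.
    - Effect: Allow
      Action:
        - kms:Decrypt
      Resource: ${self:custom.kmsSecrets.keyArn}   # assumed key in the plugin's secrets file

functions:
  hello:
    handler: handler.hello
    # Only ciphertext reaches the function; it calls KMS Decrypt at runtime.
    environment: ${self:custom.kmsSecrets.secrets}   # assumed key in the plugin's secrets file
```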