Rahul Nath

Posted on • Originally published at rahulpnath.com

How To Effectively Manage Sensitive Information in AWS Lambda: Powertools Parameters

When building Lambda Functions, we often need to store configuration and sensitive information.

AWS provides different services, such as Parameter Store and Secrets Manager, for storing sensitive information.

The AWS Lambda Powertools library makes it easy to work with these services and retrieve one or more parameter values from them.

In this blog post, let’s learn how to get started using the Lambda Powertools Parameters NuGet package, use it when building Lambda Functions, and connect quickly to Parameter Store and Secrets Manager using the library package.

AWS Powertools Parameters Package

The Powertools Parameters utility is available as a NuGet package. To get started using it from the application, install the AWS.Lambda.Powertools.Parameters NuGet package.

Once installed, we can use it to integrate with the various AWS Services to manage secrets and configuration.

AWS Lambda & Parameter Store

AWS Parameter Store is a centralized, secure store for your application configuration.

Parameter Store, a part of AWS Systems Manager, provides secure storage for application configuration and secret data. As parameter values, you can store passwords, database strings, Amazon Machine Image (AMI) IDs, API Keys, etc.

AWS Parameter Store For The .NET Developer: How to Easily Get Started


Parameter Store makes decoupling your code from configuration easy and acts as version control for your configuration data.

Retrieving Secrets From Parameter Store

You can retrieve either one or multiple parameters at a time from Parameter Store.

The Powertools Parameter utility provides the ParametersManager.SsmProvider utility class to interact with the Parameter Store.

    var value = await ParametersManager.SsmProvider.GetAsync("/Value1");
    var multiple = await ParametersManager.SsmProvider
         .GetMultipleAsync("/weather-app/");

Use the GetAsync method to retrieve one value and the GetMultipleAsync method to return all values under a given key prefix.

In the example above, value holds the value of the key '/Value1', and multiple holds all the parameter key-value pairs whose keys start with '/weather-app/'.

Lambda Permissions for Parameter Store

For the Lambda Function to retrieve values from the Parameter Store, it needs appropriate permissions.

Let's update the IAM permissions of our Lambda function and add the policy below to give it permission to retrieve the required keys.

To retrieve one parameter, we need the ssm:GetParameter action, and to retrieve multiple parameters by prefix, the ssm:GetParametersByPath action. The policy below allows all actions whose names start with 'ssm:GetParameter', which is what the '*' at the end denotes; the Resource list still limits the grant to the specific parameter and the '/weather-app/' hierarchy.

    {
      "PolicyName": "OrderApiParametersStorePolicy",
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "ssm:GetParameter*",
            "Resource": [
              "arn:aws:ssm:ap-southeast-2:189107071895:parameter/Value1",
              "arn:aws:ssm:ap-southeast-2:189107071895:parameter/weather-app/*"
            ]
          }
        ]
      }
    }

Transforming Parameter Store Values

The Parameters utility supports transforming values stored in Parameter Store.

For example, say the parameter '/my-configuration' is stored as JSON in Parameter Store.

When retrieving the value, we can call WithTransformation and specify the JSON transformation. This automatically deserializes the configuration into a custom type that we specify (in this case, MyConfiguration).

    using AWS.Lambda.Powertools.Parameters;
    using AWS.Lambda.Powertools.Parameters.Transform;

    // The JSON string stored under '/my-configuration' is deserialized into MyConfiguration
    var myConfiguration = await ParametersManager.SsmProvider
         .WithTransformation(Transformation.Json)
         .GetAsync<MyConfiguration>("/my-configuration");
    ...
    public class MyConfiguration
    {
        public string Secret { get; set; }
        public string Url { get; set; }
    }

The utility also supports Base64 transformation.

AWS Lambda & Secrets Manager

AWS Secrets Manager provides a centralized store to manage your application secrets.

Secrets can be information like passwords, credentials, connection strings, API keys, etc. Secrets Manager helps you protect access to your IT resources and data by enabling you to rotate and manage access to your secrets.

How Best To Secure Secrets When Building .NET Applications on AWS


Retrieving Secrets From Secrets Manager

The Parameters utility provides ParametersManager.SecretsProvider to retrieve secrets from the Secrets Manager.

Secrets Manager currently supports only retrieving one secret value at a time. Trying to use the GetMultipleAsync method will throw an exception at runtime.

    var secret1 = await ParametersManager.SecretsProvider
           .GetAsync("weather-app/secret1");
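A single Lambda handler that puts the Parameter Store calls (plain, JSON-transformed and Base64-transformed) and the Secrets Manager call from the sections above together, as an added example that is not the post's own code. It assumes the parameter and secret names used in the post ('/my-configuration', '/weather-app/', 'weather-app/secret1'); the Function class, the '/weather-app/encoded-value' parameter and the log text are hypothetical.

```csharp
// Added example (not the post's code). Parameter/secret names come from the post;
// the Function class, the encoded-value parameter and the log text are hypothetical.
using System;
using System.Threading.Tasks;
using Amazon.Lambda.Core;
using AWS.Lambda.Powertools.Parameters;
using AWS.Lambda.Powertools.Parameters.Transform;

public class MyConfiguration
{
    public string Secret { get; set; }
    public string Url { get; set; }
}

public class Function
{
    // Handler with only the context parameter, so no input serializer is required.
    public async Task<string> FunctionHandler(ILambdaContext context)
    {
        // 1. JSON-transformed parameter: the string stored under '/my-configuration'
        //    is deserialized straight into MyConfiguration.
        var config = await ParametersManager.SsmProvider
            .WithTransformation(Transformation.Json)
            .GetAsync<MyConfiguration>("/my-configuration");

        // 2. Every parameter below the '/weather-app/' prefix, keyed by name.
        //    Log only the key names: the values may be sensitive.
        var weatherParams = await ParametersManager.SsmProvider
            .GetMultipleAsync("/weather-app/");
        context.Logger.LogLine(
            $"Loaded parameters: {string.Join(", ", weatherParams.Keys)}");

        // 3. A Base64-encoded parameter, decoded on retrieval.
        var decoded = await ParametersManager.SsmProvider
            .WithTransformation(Transformation.Base64)
            .GetAsync("/weather-app/encoded-value");

        // 4. One secret from Secrets Manager. SecretsProvider has no multi-get
        //    (GetMultipleAsync throws at runtime), so only GetAsync is used.
        var secret1 = await ParametersManager.SecretsProvider
            .GetAsync("weather-app/secret1");

        if (config is null || string.IsNullOrEmpty(secret1))
            throw new InvalidOperationException("Required configuration is missing");

        // Return something derived from configuration, never the secret itself.
        return $"Configured for {config.Url} ({decoded?.Length ?? 0} decoded chars)";
    }
}
```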

Lambda Permissions for Secrets Manager

The Lambda Function requires the secretsmanager:GetSecretValue permission on the secrets it reads in order to retrieve them successfully.

Let's update the IAM Permission also to include the required permission to retrieve the Secret from Secrets Manager, as shown below.

    {
      "PolicyName": "OrderApiSecretsStorePolicy",
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": [
              "arn:aws:secretsmanager:ap-southeast-2:189107071895:secret:weather-app/secret1*"
            ]
          }
        ]
      }
    }

DynamoDB Provider

The Parameters utility also supports using a DynamoDB table as a source of parameter key-value pairs.

You can use ParametersManager.DynamoDBProvider to interact with the configured DynamoDB table and return key-value pairs.

I'll leave that as an exercise for you to explore. You can read more about it in the documentation.
