
Robin Thomas

Posted on • Originally published at Medium

Using Secrets in Serverless

Introduction

All you need to do is create a serverless.yml file with some default configuration and a deployment user set up, and you will be deploying in no time.

Now imagine that you need to store credentials like MySQL user and password.

You can store them in .env.* files, and serverless can easily export them as environment variables for your AWS lambdas.

But should you be doing so?!

Don't expose your secrets publicly

Photo by Luther.M.E. Bottrill on Unsplash

NO!!

Why is that?!

Because that means revealing your secrets publicly in your GitHub repositories (or on some other platform). If your repo is private or internal, then there is no issue.

You can use GitHub secrets (which are not revealed publicly in your GitHub repositories), but there is no easy integration with serverless. Moreover, if you are already using AWS (with serverless), chances are you are already using AWS Secrets Manager.

AWS Secrets Manager

Photo by Kristina Flour on Unsplash

Does serverless support this?

Serverless does natively support AWS Secrets Manager in the serverless.yml file.

You can use a configuration like:

custom:
  secret: ${ssm:/path/to/secureparam}

So that means you need to define a custom.secret attribute, JSON-parse it, and then write all the environment variables (the ones used by your AWS Lambdas) into the serverless.yml file, each referencing this secret.

Seems like a lot of work.

Any plugin for this?!

Plugin time

I went through all serverless plugins that had remotely anything to do with AWS Secrets Manager.

But I found none that served my use cases, which were:

  • Allows me to integrate directly with environment variables
  • I'm already using .env.* files. I don't want to redefine these variables in serverless.yml
  • I need the plugin to run during all the serverless lifecycle hooks I want
  • I need the secret integration to happen during build stage (and not during runtime)
  • Easily identify the secrets in .env.* files, e.g. by a prefix search for a keyword like: secret:
  • Works without much plugin configuration
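The requirements above boil down to one build-time step: read the .env.* file, find the values that carry a secret: prefix, fetch each one from Secrets Manager while the package is being built, and hand plain key/value pairs to the Lambda environment. The block below is an added example of that step, written for this post; it is not the author's plugin and not Serverless framework code. The AWS call is abstracted behind an injected fetchSecret(name) function (an assumption made so the example runs offline); a real plugin would back it with Secrets Manager's GetSecretValue API. The .env contents, secret names and values are constructed samples.

```javascript
// Added example (not the author's plugin): build-time resolution of
// "secret:"-prefixed .env values into plain environment variables.
// fetchSecret(name) is an injected async function returning the raw
// SecretString; a real plugin would wrap GetSecretValue from the AWS SDK.

const SECRET_PREFIX = 'secret:';

// Parse .env text into an object. Skips blank lines and comments and
// strips optional single or double quotes around values.
function parseDotenv(text) {
  const env = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if ((value.startsWith('"') && value.endsWith('"')) ||
        (value.startsWith("'") && value.endsWith("'"))) {
      value = value.slice(1, -1);
    }
    env[key] = value;
  }
  return env;
}

// Replace every "secret:<name>" or "secret:<name>:<jsonKey>" value with the
// secret fetched at build time. With a jsonKey the SecretString is parsed
// as JSON and that key is picked out (the usual key/value secret layout).
// A missing secret or key fails the build instead of silently deploying an
// empty variable.
async function resolveSecrets(env, fetchSecret) {
  const resolved = {};
  for (const [key, value] of Object.entries(env)) {
    if (!value.startsWith(SECRET_PREFIX)) {
      resolved[key] = value;
      continue;
    }
    const spec = value.slice(SECRET_PREFIX.length);
    const sep = spec.indexOf(':');
    const name = sep === -1 ? spec : spec.slice(0, sep);
    const jsonKey = sep === -1 ? undefined : spec.slice(sep + 1);
    const raw = await fetchSecret(name);
    if (raw === undefined) {
      throw new Error(`secret ${name} not found (referenced by ${key})`);
    }
    if (jsonKey === undefined) {
      resolved[key] = raw;
      continue;
    }
    let obj;
    try {
      obj = JSON.parse(raw);
    } catch (e) {
      throw new Error(`secret ${name} is not JSON but ${key} asks for key ${jsonKey}`);
    }
    if (obj === null || typeof obj !== 'object' || !(jsonKey in obj)) {
      throw new Error(`key ${jsonKey} missing in secret ${name} (referenced by ${key})`);
    }
    resolved[key] = String(obj[jsonKey]);
  }
  return resolved;
}

// Constructed sample .env.production and a constructed in-memory stand-in
// for Secrets Manager; neither comes from the post or the plugin.
const SAMPLE_DOTENV = `
# constructed example file
STAGE=production
MYSQL_HOST=db.internal
MYSQL_USER=secret:prod/mysql:username
MYSQL_PASSWORD=secret:prod/mysql:password
API_TOKEN="secret:prod/api-token"
`;

const FAKE_SECRETS = {
  'prod/mysql': JSON.stringify({ username: 'app', password: 'constructed-pw' }),
  'prod/api-token': 'constructed-token',
};
const fakeFetchSecret = async (name) => FAKE_SECRETS[name];

// What a plugin would run during the package/deploy lifecycle hook and then
// merge into provider.environment.
async function buildEnvironment(dotenvText = SAMPLE_DOTENV, fetchSecret = fakeFetchSecret) {
  return resolveSecrets(parseDotenv(dotenvText), fetchSecret);
}

buildEnvironment().then((env) => console.log(env));
```

The resolved map is what ends up as the Lambda's environment variables, so it is visible to any principal allowed to read the function configuration; restrict that IAM permission as carefully as access to the secret itself, and keep the .env.* file holding only the secret: references rather than the values.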

Well, I found none.

So I went ahead and decided to create a serverless plugin myself. Plugin time!!

Serverless AWS Secrets plugin

Photo by Techivation on Unsplash

Hello, Plugin!

Without much further ado, here is my plugin: https://github.com/robin-thomas/serverless-aws-secrets

It serves all my use cases, and more. Feedback is welcome.

Show me some love by starring the project on GitHub!

If you'd like to contribute, take a look at some of the open issues!
