Introduction
All you need to do is to create a serverless.yml file, with some default configurations, and a deployment user all set up, and you shall be deploying in no time.
Now imagine that you need to store credentials like MySQL user and password.
You can store them in .env.* files, and serverless can easily export them as environment variables for your AWS lambdas.
But should you be doing so?!
NO!!
Why is that?!
Because that means revealing your secrets in your GitHub repositories (or some other platforms) publicly (if your repo is private/internal, then no issue).
You can use GitHub secrets (which are not revealed publicly in your GitHub repositories), but there is no easy integration with serverless. Moreover, if you are already using AWS (with serverless), chances are, you might be using AWS Secrets Manager already.
Does serverless support this?
Serverless does natively support AWS Secrets Manager in the serverless.yml file.
You can use a configuration like:
custom:
  secret: ${ssm:/path/to/secureparam}
So that means you need to define a custom.secret attribute, JSON parse it, and then write all the environment variables (that are used by AWS Lambdas) in the serverless.yml file referencing this secret.
Seems like a lot of work.
Any plugin for this?!
Plugin time
I went through all serverless plugins that had remotely anything to do with AWS Secrets Manager.
But I found none that served my use-cases. Which were:
- Allows me to integrate directly with environment variables
- I'm already using .env.* files. I don't want to redefine these variables in serverless.yml
- I need the plugin to run during all the serverless lifecycle hooks I want
- I need the secret integration to happen during build stage (and not during runtime)
- Easily determine the secrets from .env.* files. Can use a prefix search for a keyword like: secret:
- Works without much plugin configuration
Well, I found none.
So I went ahead and decided to create a serverless plugin myself. Plugin time!!
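The build-time substitution described in the list above, as an added example that is not the plugin's own code: values in a .env file that start with `secret:` are replaced from an already-fetched, JSON-formatted secret string, and the build fails if any reference cannot be resolved. The helper names, the meaning of the text after the prefix (a key inside the JSON secret) and the sample data are assumptions; fetching the secret from AWS Secrets Manager is left out so the block runs offline.

```javascript
// Added example: build-time substitution of `secret:`-prefixed .env values.
// Hypothetical helper names; not the plugin's implementation.
const PREFIX = 'secret:';

// Parse KEY=VALUE lines, skipping blank lines and comments.
function parseEnv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 1) throw new Error(`Malformed .env line: ${line}`);
    vars[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return vars;
}

// Replace each `secret:<key>` value with the matching field of the JSON
// secret. A missing key fails the build, so a literal "secret:..."
// placeholder is never deployed in place of a credential.
function resolveEnv(envText, secretString) {
  const secret = JSON.parse(secretString);
  const resolved = {};
  const missing = [];
  for (const [name, value] of Object.entries(parseEnv(envText))) {
    if (!value.startsWith(PREFIX)) { resolved[name] = value; continue; }
    const key = value.slice(PREFIX.length);
    const found = Object.prototype.hasOwnProperty.call(secret, key);
    if (found && typeof secret[key] === 'string') resolved[name] = secret[key];
    else missing.push(`${name} -> ${key}`);
  }
  if (missing.length) throw new Error(`Unresolved secrets: ${missing.join(', ')}`);
  return resolved;
}

// Constructed sample input: the committed file holds references only.
const sampleEnv = [
  '# .env.dev (constructed sample)',
  'MYSQL_HOST=db.example.internal',
  'MYSQL_USER=secret:mysql_user',
  'MYSQL_PASSWORD=secret:mysql_password',
].join('\n');
const sampleSecret = JSON.stringify({ mysql_user: 'app', mysql_password: 'constructed-value' });

// Log variable names only, never the resolved values.
console.log(Object.keys(resolveEnv(sampleEnv, sampleSecret)));
```

With this layout the file committed to the repository contains only references, and the resolved values exist only in the deployed Lambda configuration.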
Hello, Plugin!
Without much further ado, here is my plugin: https://github.com/robin-thomas/serverless-aws-secrets
Serves all my use-cases, and more. Feedback is welcome.
Show me some love by starring the project on GitHub!
If you'd like to contribute, take a look at some of the open issues!