How to use environment variables with a Lambda function? (and how to encrypt them with KMS)

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
if you have a lambda function with hard-coded secrets maybe it's a secret token to some API service safer to not store the secrets in the code you can use environment variables to extract these keys from your code and in this video we'll see how to do that with a lambda function but even better you can encrypt these secrets using AWS KMS key management service and then let you learn the function the crib them using its permissions we'll learn how to do it as well let's get started by looking at the lambda function we have this function that is called lambdas secret and in this function we have two variables secret 1 and secret 2 and they contain hard coded secrets and the function returns a string that prints the secrets back to us let's try to run it and see how it works these are the secrets that are hard-coded in the function the fact that these secrets are hard-coded in here is a problem for two reasons first reason is that it's not secure because whoever gets access to our code will get access to the secrets while it can be bad enough that someone got an authorized access to see the code it will be much worse if they also get access to see these secrets and use them themselves the second reason this is not the best idea is because if you want a deploy function across several environments then on these environments the secrets will always remain the same so let's say we want to use a different secret for our testing environment a different one for the Q environment and the different one for production we won't be able to do it if the secrets are hard-coded to solve both of these problems we can extract these secrets and turn them into environment variables if you'll scroll down we'll see that we have a way to configure environment variables in the console and currently we have zero variables configured so let's extract these two secrets into environment variables I'll copy this value we'll go to the environment variable section and add a new variable we'll call them first secret and second secret once will save we can go back to our code and change the way we load these secrets now we can use the process dot in V objects in our code and it will contain the two variables that we define in our environment variables for secret and second secret so now let's try to save and then run this function again to see that it works the same as it did before we still get both of the secrets secret 1 and secret to return back to us the function works exactly the same but now every time we deploy this function we can use the same code but with different secrets so that's an improvement over what we had but now if you'll scroll down you'll see that both of the secrets are available in here and that means that whoever gets access to our lambda function will also get access to these secrets that's not ideal because maybe we want to give someone access to our function but we don't want to give them access to the secrets what we're going to do is encrypt the secrets and then instead of displaying them here as plain text they will be encrypted in the code of our lambda function we'll need to somehow the creep done to do that we're going to use AWS KMS key management service once we'll create the key we'll use this key to encrypt these values and then we'll give our lambda function permission to access this key and then we'll adjust our allow the function to be able to decrypt these values using the key this way whoever gets access to the lambda function will see the encrypted values here and then if they have access to our key that we use to encrypt these values they'll be able to decrypt them if not then they'll just have this encrypted value and they won't be able to use it let's encrypt these secrets by going to the kms console and creating our key first by the way this channel is all about short and practical videos teaching how to build backends using AWS AWS is powerful cheap and flexible but not always the easiest to figure out and the documentation can be a little overwhelming so the goal of this channel is to simplify everything in bite-sized videos if this is something that interests you make sure to subscribe because a lot of new videos are coming soon in the kms console we'll create a new key we'll use the symmetric key let's click Next and we'll call it video key we don't need to define any administrative permissions but on the next step we do need to define a key usage permission because we want to allow our lanta function to access this key so let's go back to the lambda console and if you scroll up and go to permissions will see the execution role for this function we need to copy this role because this is the role that we use to define which permissions this lambda function has and what it can access and what it cannot to get an overview of roles and AWS I am in general which we use to configure permissions you can check out the video that I'll link to below we'll go back to the kms console and we'll find our alumna function by the role and we'll add this function which means that this function can now access the key that we were creating now that our key was created we can start using it so let's go back to our alum the function let's switch back to configuration and scroll down to the environment variables we'll click Edit and now if we'll go to encryption configuration we have the option to enable helpers for encryption and transit this simply gives us two buttons to encrypt these values using a key we choose so you'll hit encrypt and then choose the key that we just created we'll be able to encrypt this value so instead of being displayed as plain text it will be encrypted if you'll hit the the crypt secret snippets we can see an example here that shows how to decrypt this code in our lambda function we'll use our own code for this because the code that we're given in here is not very flexible let's just go over it how it looks first it uses the AWS SDK then it reads the environment variable into an encrypted variable and it defines and the set variable as well the main idea from the snippet is that when we decrypt these values we should only do it once per along the process we don't want to decrypt these values every time are allowing the function is called we only want to do it once when this lambda is loaded and then save it in this case it saves the decrypted value into this decrypted variable and then every time we need to use this descripted value we already have it stored and we don't need to call the kms service every time the other interesting thing is that we don't need to specify which key we're using to decrypt these secrets since we gave our lambda function permission to access the key that we use to encrypt these values kms will automatically know to use the secret when we decrypt them so all we have to do is call kms decrypt and then we'll have access to our secret in plain text and we can use it in our function but as you can see this snippet is designed to work only with the single variable we have an encrypted variable and a decrypted variable so we can't use it to load several variables and also we want to make it a little nicer we'll use our own code and this code will also be available in an open-source github repository which I'll link to in the description of this video so for now let's close it and encrypt our secret as you can see our secret is no longer displayed but instead we have this encrypted value let's also encrypt our second secrets we'll save and now both of our secrets are no longer displayed in the console now we have these two encrypted values so whoever has access to the console can no longer read these secrets now they also need to have access to our kms key in order to be able to decrypt these values and give us the secrets that we stored the problem is that are allowing the function still doesn't know how to decrease these values if I'll try to run it now will give us back that encrypted values and that's not good because that's not the secrets that we want to use what we want to do is adjust our alumna function to be able to decrypt these values and get the same secrets as before now we'll need to find some way to decrypt this environment variables we'll need some sort of a function let's call it the crypt secret and this function should be able to decrypt the secret and then cash it for subsequent requests instead of passing the actual value we'll pass the name of the secret we'll need to use a weight here because this function will need to make a request to kms so now this function will take the name of the secret it will check the cache if this value exists or not if it does it will return back to us and if not it will make a request to AWS kms so let's see how this function should be implemented in the description of this video a link to the repository that contains the demo code for this video and if you'll go to the utils file we'll see the implementation of such a decrypt secret function let's copy it or along the function will create a new utils file will copy our code and now let's import this function in our handler now let's go over the function to see how it is implemented we use the AWS SDK we initiate it here and then we define at the cryptid object this object will hold the decrypted values so we won't have to call KMS each time we want to decrypt a secret we pass the secret name and then we check if the secret name exists in the decrypted objects already we will log it to the console that we're returning the cached value and then we'll return the decrypted value back from the function otherwise if it does not exist yet we will log that we're going to decrypt this value and then we'll try to decrypted using kms again note that we don't need to specify the name of the key that we created because kms will be able to not automatically by the permissions finally we store the decrypted value in our decrypted object and return it back from the function now let's try to run our function and see how it works and that the values are actually cached so now we actually get the decrypted values like before first secret and second secret our lambda function knows how to take the environment variables and then decrypt them using the lambdas permissions and we also see some entries to our log since this is the first time we call this lambda function it creates a new process and it's going to decrypt the first secret and the second secret but if you'll call the lambda function again since this function already has a process running it will return the cash value it doesn't need to call kms again because the decrypted values are already stored in our decrypted object we started the video with secrets which were hard-coded in our code we then saw how to extract them to environment variables and finally we saw how to decrypt them using a key from AWS kms and then how to decrypt them as well now if someone has access to our code base or even our lambda function they still won't be able to know the secrets that we use in the code unless of course we leave them as comments if you learn something from this video please hit the like button so this video will reach more people and if you would like to get notified when I upload more videos about building backends using AWS please subscribe to this channel
Info
Channel: BiteSize Academy
Views: 7,771
Rating: undefined out of 5
Keywords: aws, lambda, secret, key, environment, variable, kms, management, service, backend, process, env, serverless, nodejs, javascript
Id: J9QKS0NrH7I
Channel Id: undefined
Length: 12min 44sec (764 seconds)
Published: Fri May 08 2020
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.