This is an example application consisting of an AWS Lambda Function that decodes and creates the signature for a JWT.

The input is an SQS event (an SQS queue trigger) where the body is the JWT.

To simulate more of a real world scenario, there is a request to Systems Manager for a parameter called jwt-example-secret.

This is not the right way to go about things of course, and this would be handled in a different way, but is indicative of how a secret should be stored outside of a Lambda function.

To create this parameter, simply use the aws ssm put-parameter AWS CLI command. More in-depth info can be found on this page in the AWS documentation or by typing aws ssm put-paramter help in the AWS CLI.

SSM can also create SecureString paramters that use the default KMS key, a customer managed key, or a custom AWS KMS key. Then the key is encrypted