robin-thomas / serverless-aws-secrets Goto Github PK

Rather than exposing the secret during the build stage (sls deploy), figure out a way whereby the secret shall be exposed only during runtime.

Some possible ways:

1. Replace all instances of process.env.SECRET_ENV_VAR with a shim that connects to AWS Secrets Manager and retrieve the secret during runtime
2. Encrypts the secret during build stage, and decrypt it during runtime
3. Inject the secret into code (not safe, since the secret can be determined by anyone who can see the lambda code)

Read through the environment variables and check if an environment variable is supposed to be a secret but it is not.

For inspiration, refer: https://github.com/serverless/safeguards-plugin/blob/master/safeguards/policies/no-secret-env-vars.js

Possible cli configuration:

• --env-file: path to the env file
• --secret-prefix: to determine the secrets within the env file
• --secret-id: id of the secret to look for in AWS Secrets Manager
• --verbose: support for verbose logging

• serverless.yml

service: hellow
frameworkVersion: '3'
custom:
  serverless-aws-secrets:
    secretId: test

provider:
  name: aws
  runtime: nodejs18.x
  region: ap-northeast-2
  environment:
    TEST: secret:TEST

functions:
  test:
    handler: index.handler

plugins:
  - serverless-aws-secrets

typing sls aws-secrets --verbose
It ran right

DOTENV: Loading environment variables from .env:
[serverless-aws-secrets]: Running the command: sls aws-secrets
[serverless-aws-secrets]: Loading secret: test in ap-northeast-2
✔ [serverless-aws-secrets]: Secret: TEST, Value: good

but when I typed a console.log , It didn't run right

{
   ...
   TEST: 'secret:TEST',
   ...
}

how should I do??
can i forgot something?

my environment
language : nodejs

Is it possible to add some logging for this plugin, like what are the secret keys that are replaced by this plugin?

Right now, it logs only when an error occurs. Good to have some verbose logging.

Thanks for making this plugin!

Possible cli configuration:

• --serverless-file: path to the serverless.yml file
• --secret-id: id of the secret to look for in AWS Secrets Manager
• --verbose: support for verbose logging
• --dry-run: shows possible secrets and values they shall be replaced by

Add tweet button to the top of README.md

Can use a link like:

At the moment, we support only 2 serverless lifecycle hooks:

• before:package:initialize
• offline:start:init

See whether we can accept a list of lifecycle hooks (besides the 2 above) from the user as a custom configuration

Creating end-to-end tests for the plugin won't be an easy task. Some considerations:

• Check how to extend sls deploy to get the Cloudformation output (without actually deploying anything)
• Take a look at: https://www.serverless.com/plugins/serverless-plugin-test-helper

We are using the custom property (from serverless.yml) here:

Add schema validation for these properties, like mentioned here: https://www.serverless.com/framework/docs/guides/plugins/custom-configuration

The plugin replaces the environment variables defined under provide.environment key in serverless.yml.

Rather than restricting to this, replace the ones that can be defined like:

functions:
  function1:
    handler: index.handler
    env:
      ...

Also, make provider.environment as optional so that the plugin wont crash if its not set.

Since Node.js v18 shall reach its end-of-life on 18 Oct 2023, update to Node.js v20 after this.

Possible cli configuration:

• --file: path to the env file
• --secret-id: id of the secret to look for in AWS Secrets Manager
• --verbose: support for verbose logging