AWS Lambda: How to store secret to external API?

Here is what I've come up with. I'm using AWS KMS to encrypt my secrets into a file that I upload with the code to AWS Lambda. I then decrypt it when I need to use them.

Here are the steps to follow.

First create a KMS key. You can find documentation here: http://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html

Then encrypt your secret and put the result into a file. This can be achieved from the CLI with:

aws kms encrypt --key-id some_key_id --plaintext "This is the scret you want to encrypt" --query CiphertextBlob --output text | base64 -D > ./encrypted-secret

You then need to upload this file as part of the Lambda. You can decrypt and use the secret in the Lambda as follow.

var fs = require('fs');var AWS = require('aws-sdk');var kms = new AWS.KMS({region:'eu-west-1'});var secretPath = './encrypted-secret';var encryptedSecret = fs.readFileSync(secretPath);var params = {  CiphertextBlob: encryptedSecret};kms.decrypt(params, function(err, data) {  if (err) console.log(err, err.stack);  else {    var decryptedSecret = data['Plaintext'].toString();    console.log(decryptedSecret);  }});

I hope you'll find this useful.

As of AWS Lambda support for NodeJS 4.3, the correct answer is to use Environment Variables to store sensitive information. This feature integrates with AWS KMS, so you can use your own master keys to encrypt the secrets if the default is not enough.

Well...that's what KMS was made for :) And certainly more secure than storing your tokens in plaintext in the Lambda function or delegating to a third-party service.

If you go down this route, check out this blog post for an existing usage example to get up and running faster. In particular, you will need to add the following to your Lambda execution role policy:

"kms:Decrypt","kms:DescribeKey","kms:GetKeyPolicy",

The rest of the code for the above example is a bit convoluted; you should really only need describeKey() in this case.