aws-samples / amazon-cloudfront-functions

Apache License 2.0

Can AWS Parameter Store variables or secrets be used in CloudFront functions? #16

Closed pzrq closed 8 months ago

pzrq commented 3 years ago

I'm trying to build CSP for a moderately large infrastructure in several environments.

I can copy/paste to hard-code the values already in the parameter store, though I am curious to learn if the CloudFront functions can reference AWS Parameter Store variables, as if so it makes transferring the code between environments easier.

dbrown-git commented 3 years ago

You can't use AWS Parameter Store today. I will tag this as feature request.

Is the ask to keep data, like secrets and other variables, separate from the function code? In this case you can update variables without needing to update your function code.

With AWS Systems Manager Parameter Store, you have the choice to store the data encrypted or as plain text. Do you have a requirement to keep the data encrypted or would plain text work?

pzrq commented 3 years ago

@dbrown-git Thank you for replying!

> Is the ask to keep data, like secrets and other variables, separate from the function code? In this case you can update variables without needing to update your function code.

Not sure I fully understand that? If there's an AWS Console button/screen/option for that I am not seeing it yet:


As a shortened example that can definitely be public:

```javascript
function handler(event) {
    var response = event.response;
    var headers = response.headers;

    // CSP - Varies in each environment
    var s3BucketUrls = 'https://bucket1.s3-accelerate.amazonaws.com https://bucket2.s3-accelerate.amazonaws.com';
    // some other things this app needs to be wired up differently in each environment, like https, wss, etc.,
    // which already exist in AWS Parameter Store as string values, were redacted here

    // CSP - Please keep the same in all environments
    var defaultSrc = "default-src 'self'";
    var connectSrc = `connect-src 'self' ${s3BucketUrls}`;  // some other bits redacted here
    var imgSrc = `img-src 'self' ${s3BucketUrls}`;  // some other bits redacted here
    var reportUri = "report-uri https://url.redacted.com/";

    headers['content-security-policy'] = { value: [
        defaultSrc,
        connectSrc,
        imgSrc,
        reportUri
    ].join('; ')};

    return response;
}
```

> With AWS Systems Manager Parameter Store, you have the choice to store the data encrypted or as plain text. Do you have a requirement to keep the data encrypted or would plain text work?

I don't think secrets are needed as CSP is focused on modifying response headers, so my mental model thinks of the results being generally public. Might well be different for incoming requests, though I don't need that.

econte-sprig commented 1 year ago

> In this case you can update variables without needing to update your function code.

Reviving this question as I have the same issue. How is it possible to update variables for a cloudfront function without modifying the function code?

pzrq commented 11 months ago

@econte-sprig I don't know of one, though if you find it has been built and just this ticket was not updated, please do provide details, otherwise it's most likely still accurate as being a feature request.

stschulte commented 8 months ago

CloudFront seems to have its own service for that now: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/kvs-with-functions.html

pzrq commented 8 months ago

> CloudFront seems to have its own service for that now: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/kvs-with-functions.html

@stschulte Thank you! From what I can gather I'd very likely consider the shiny new Amazon CloudFront KeyValueStore as a strong candidate for solving my pain point, over any possible (vaporware) AWS Parameter Store or secrets integration.

Further, I no longer have access to the codebase that my question arose from, so I'm happy to call this closed. If others disagree, please feel welcome to open a new issue, referencing this one as appropriate.
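As an added example (not code from this thread or from the aws-samples project), here is how pzrq's CSP function could be restructured around the CloudFront KeyValueStore linked above, so that only the store contents differ between environments. The key names `csp_s3_bucket_urls` and `csp_report_uri`, the `makeHandler` wrapper and the fail-closed fallback are assumptions of this example; the `cloudfront` module and `cf.kvs()` are the documented KeyValueStore API for the JavaScript 2.0 runtime.

```javascript
// Added example, not code from the thread: a CloudFront Function (JS runtime 2.0)
// that builds the Content-Security-Policy from per-environment values kept in a
// CloudFront KeyValueStore, so the function code is identical in every environment.
// In a deployed function the store is the KVS associated with the function:
//   import cf from 'cloudfront';  const cspHandler = makeHandler(cf.kvs());
//   async function handler(event) { return cspHandler(event); }
// Here the store is injected so the logic can run offline against a fake.
// Assumed key names (not from the thread).
const KEYS = { s3BucketUrls: 'csp_s3_bucket_urls', reportUri: 'csp_report_uri' };

// Store values are untrusted input to the header: accept only bare https:// or
// wss:// origins, so a bad entry cannot smuggle extra directives in via ';'.
const ORIGIN_RE = /^(https|wss):\/\/[A-Za-z0-9.-]+(:\d+)?$/;
const REPORT_URI_RE = /^https:\/\/[^\s;,]+$/;

function validateOrigins(raw) {
  const origins = String(raw).split(/\s+/).filter(Boolean);
  for (const o of origins) {
    if (!ORIGIN_RE.test(o)) throw new Error('rejected CSP origin from store: ' + o);
  }
  return origins.join(' ');
}

// Pure builder: the part that stays the same across environments.
function buildCsp(s3BucketUrls, reportUri) {
  if (!REPORT_URI_RE.test(reportUri)) throw new Error('rejected report-uri: ' + reportUri);
  return [
    "default-src 'self'",
    `connect-src 'self' ${s3BucketUrls}`,
    `img-src 'self' ${s3BucketUrls}`,
    `report-uri ${reportUri}`,
  ].join('; ');
}

function makeHandler(store) {
  return async function handler(event) { // viewer-response event
    const response = event.response;
    let value;
    try {
      const urls = validateOrigins(await store.get(KEYS.s3BucketUrls));
      value = buildCsp(urls, await store.get(KEYS.reportUri));
    } catch (err) {
      // kvs.get() throws on a missing key; fail closed with the strictest policy
      // rather than returning a response with no CSP at all.
      console.log('CSP fallback: ' + err.message);
      value = "default-src 'self'";
    }
    response.headers['content-security-policy'] = { value: value };
    return response;
  };
}
```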