AmirFone
commented
5 months ago Maybe use AWS Systems Manager and then fetch at runtime as a best practice, and a secure solution
Open yuvadm opened 5 months ago
AmirFone
commented
5 months ago Maybe use AWS Systems Manager and then fetch at runtime as a best practice, and a secure solution
yuvadm
commented
5 months ago @AmirFone interesting proposal, but right now I'm using a very lean deployment of Lambda/Chalice and would prefer a solution that does not involve any additional AWS products that will bloat my deployment.
Ecitperbo
commented
1 month ago An intermediary solution is to commit config.json.default like this:
{
"stages": {
"prod": {
"environment_variables": {
"MY_SECRET_KEY": "$MY_SECRET_KEY"
}
}
}
}Then, just before plan+deploy call (In ci/cd or manual script):
cat .chalice/config.json.default | envsubst > .chalice/config.json
This will replace $MY_SECRET_KEY with what is currently inside MY_SECRET_KEY env variable.
Of course, the secret will be present in the deployed archive, (make sure it is eventually destroyed) but at least it is not committed.
Documentation states that all environment variables, global or per-stage, should be set in
.chalice/config.json.However, assuming
config.jsonis committed to source control, this is a bad practice that commit secrets to a shared project.Setting environment variables directly through the AWS Lambda web UI is a non-solution since they will be deleted / overridden on the next
chalice deploy.What's the best way to store env vars in a secure way that also allows committing
config.jsonto source control?