rackerlabs / lambda-uploader

Helps package and upload Python lambda functions to AWS
Apache License 2.0
271 stars 56 forks

Support customer-managed KMS key for environment variables #123

Open brandond opened 7 years ago

brandond commented 7 years ago

Optional, of course

jarosser06 commented 7 years ago

@brandond Would you mind elaborating on what you are thinking with this request?

brandond commented 7 years ago

See this section of the documentation: http://docs.aws.amazon.com/lambda/latest/dg/env_variables.html#env_encrypt

If you use the Lambda management console and enable environment variable encryption, the console has some back-end functionality to encrypt the plaintext content of the variables that you enter into the web form using the KMS key specified. The ciphertext is then stored in the lambda configuration. The Lambda code you write then has to make some KMS calls to decrypt the contents. Sample code for this is provided in the console as well.

From a lambda-uploader perspective, the implementation should probably function similarly - make a KMS call to encrypt the plaintext variable contents, using the specified KMS key, and store the ciphertext in place of the original contents.

martinb3 commented 7 years ago

From a lambda-uploader perspective, the implementation should probably function similarly - make a KMS call to encrypt the plaintext variable contents, using the specified KMS key, and store the ciphertext in place of the original contents.

It seems like this would require we:

  1. Have some way to mark which secrets should be encrypted
  2. Prompt for the plaintext version of those secrets
  3. Have a feature or wrap the aws kms CLI feature so that we can encipher the secrets
  4. Be able to set the ciphertext in an environment variable(s)
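One way the four steps above (and brandond's encrypt-on-upload, decrypt-in-function flow) could fit together, as an added example that is not lambda-uploader's code or anything from this thread. It assumes the boto3 `kms.encrypt` / `kms.decrypt` call shapes and ships with a `FakeKms` stand-in so it runs offline (in practice you would pass `boto3.client("kms")`); the `LambdaFunctionName` encryption context, which stops a ciphertext from being decrypted under another function's configuration, is an addition not mentioned in the issue.

```python
import base64
import json
import os


class FakeKms:
    """Offline stand-in for boto3.client("kms"): same call shapes, NO real crypto.
    It only records key id and encryption context so the round trip can be checked."""

    def encrypt(self, KeyId, Plaintext, EncryptionContext=None):
        blob = json.dumps({"k": KeyId, "ctx": EncryptionContext or {},
                           "p": Plaintext.decode("utf-8")}).encode("utf-8")
        return {"CiphertextBlob": blob, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        rec = json.loads(CiphertextBlob.decode("utf-8"))
        # Real KMS rejects the call when the context differs from the one used at encrypt time.
        if rec["ctx"] != (EncryptionContext or {}):
            raise ValueError("InvalidCiphertextException: encryption context mismatch")
        return {"Plaintext": rec["p"].encode("utf-8"), "KeyId": rec["k"]}


def encrypt_environment(kms, key_id, function_name, variables, secret_names):
    """Uploader side (steps 1-4): replace the plaintext of each name in secret_names
    with base64 KMS ciphertext; every other variable is copied through untouched.
    Returns the Environment/KMSKeyArn shape Lambda's update-function-configuration expects."""
    missing = set(secret_names) - set(variables)
    if missing:
        raise KeyError("secrets not present in environment: %s" % sorted(missing))
    context = {"LambdaFunctionName": function_name}  # assumption: bind ciphertext to this function
    out = dict(variables)
    for name in secret_names:
        resp = kms.encrypt(KeyId=key_id, Plaintext=variables[name].encode("utf-8"),
                           EncryptionContext=context)
        out[name] = base64.b64encode(resp["CiphertextBlob"]).decode("ascii")
    return {"Variables": out, "KMSKeyArn": key_id}


def decrypt_environment(kms, function_name, secret_names, environ=os.environ):
    """Function side: decrypt the named variables once (call at cold start, cache the result)."""
    context = {"LambdaFunctionName": function_name}
    secrets = {}
    for name in secret_names:
        resp = kms.decrypt(CiphertextBlob=base64.b64decode(environ[name]),
                           EncryptionContext=context)
        secrets[name] = resp["Plaintext"].decode("utf-8")
    return secrets
```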

nsaje commented 4 years ago

Could use https://github.com/Zemanta/py-secretcrypt for this