Closed DwayneCoussement closed 3 years ago
Hi @DwayneCoussement, thanks for bringing this up! Something like this is relatively easy possible with the Soto for AWS library.
The following code assumes that you are comfortable with Promises/Futures (Most node developers are 😉).
import SotoCore
import SotoSSM
import NIO
import AWSLambdaEvents
import AWSLambdaRuntime
class YourFancyLambdaHandler: EventLoopLambdaHandler {
typealias In = YourEventIn
typealias Out = YourEventOut
let someSecret: String
let httpClient: HTTPClient
let awsClient: AWSClient
enum StartUpError: Error {
case couldNotFindStageEnvironmentVariable
case couldNotReadSomeSecret
}
static func start(_ context: Lambda.InitializationContext) -> EventLoopFuture<ByteBufferLambdaHandler> {
let httpClient = HTTPClient(eventLoopGroupProvider: .shared(context.eventLoop))
let awsClient = AWSClient(httpClientProvider: .shared(httpClient))
let ssm = SSM(client: awsClient, region: .eucentral1)
return context.eventLoop.makeSucceededFuture(())
.flatMapThrowing { _ -> String in
guard let stage = Lambda.env("STAGE") else {
throw StartUpError.couldNotFindStageEnvironmentVariable
}
return stage
}
.flatMap { stage in
return ssm.getParameters(.init(names: ["/service/\(stage)/your-secret"]))
}
.flatMapThrowing { (result) -> ByteBufferLambdaHandler in
guard let value = result.parameters?.first?.value else {
throw StartUpError.couldNotReadSomeSecret
}
return YourFancyLambdaHandler(httpClient: httpClient, awsClient: awsClient, someSecret: value)
}
}
func handle(context: Lambda.Context, event: YourEventIn) -> EventLoopFuture< YourEventOut> {
// you can use your secret here. it's not even an optional
}
}
Lambda.run(YourFancyLambdaHandler.start)
If you have any further questions please reach out.
Hi @fabianfett,
First of all thanks for the quick response 🙏 Secondly I wanted to thank you for your great tutorials, they really helped me out a lot! I was aware of the Soto project, but never used it.
I do wonder if we shouldn't leverage this kind of functionality within this project, as we'd probably want to enable people to write them as secure as possible. Though I see as well a point that the AWS ecosystem is so big that there's plenty tons of alike features that can follow the same reasoning.
In any case, I'll take a look at Soto to figure this out, it seems pretty straightforward as well.
Cheers,
Dwayne
Expected behavior
In node you can do the following:
See also: https://chrisschuld.com/2020/07/aws-retrieving-secrets-in-parameter-store-with-node/
Actual behavior
Have a way to use the SecretsManager inside a Swift Lambda as well.