waterloo-rocketry / minerva-old

Waterloo Rocketry's custom slackbot
3 stars 2 forks

Change secrets management to use AWS Systems Manager Parameter Store #75

Open QuantumManiac opened 1 year ago

QuantumManiac commented 1 year ago

We're currently obfuscating the secrets used by Minerva by encrypting the lambda functions' environment variables using an AWS KMS Customer Managed Key, which prevents AWS users from viewing the secrets by denying them the ability to view the environment variables at all. This isn't ideal.

A good alternative would be to use the AWS Systems Manager Parameter Store (or AWS Secrets Manager, but that costs money so no), which also allows you to encrypt secrets using KMS but without having them be in your environment variables.

Usually, you would have to make a request to AWS to retrieve all your secrets every time your Lambda is invoked, but these secrets can be cached through use of the AWS Parameters and Secrets Lambda Extension. This is currently tricky to implement as secrets are frequently used at the top level of a module and therefore, in order to retrieve them, we'd have to make use of top-level awaits (or some similar async shenanigans), which is not possible with CommonJS imports (TypeScript pog!?!?)
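The pattern the comment is asking about, as an added example that is not Minerva's code: a lazily initialised, cached reader for the Parameters and Secrets Lambda Extension that a CommonJS module can import without a top-level await, because the only thing created at import time is the store object and the first real read happens inside the handler. The extension's documented defaults are used (localhost port 2773, `/systemsmanager/parameters/get` with `withDecryption=true`, and the function's `AWS_SESSION_TOKEN` sent as `X-Aws-Parameters-Secrets-Token`, which is what stops other processes on the box from reading secrets through the local endpoint). The HTTP transport is injected so the loader runs offline; the parameter name `/minerva/slack_bot_token`, the `SecretStore` class and the fake transport are assumptions for illustration.

```typescript
// Added example, not Minerva's code: cached, lazy reads from the AWS
// Parameters and Secrets Lambda Extension without any top-level await.

export interface ExtensionRequest {
  url: string;
  headers: Record<string, string>;
}

// Transport is injected (real code would use http.get against localhost);
// a fake one is enough to exercise the caching and error paths offline.
export type Transport = (req: ExtensionRequest) => Promise<{ status: number; body: string }>;

export interface StoreOptions {
  transport: Transport;
  sessionToken: string; // value of AWS_SESSION_TOKEN inside the Lambda
  port?: number;        // PARAMETERS_SECRETS_EXTENSION_HTTP_PORT, default 2773
  ttlMs?: number;       // how long a decrypted value is reused before re-fetching
  now?: () => number;   // clock hook so TTL expiry can be tested
}

// Build the request the extension expects: local endpoint, decrypted read,
// session token in the header the extension requires.
export function buildRequest(name: string, port: number, sessionToken: string): ExtensionRequest {
  if (!name.startsWith("/")) throw new Error(`parameter name must be absolute: ${name}`);
  const query = `name=${encodeURIComponent(name)}&withDecryption=true`;
  return {
    url: `http://localhost:${port}/systemsmanager/parameters/get?${query}`,
    headers: { "X-Aws-Parameters-Secrets-Token": sessionToken },
  };
}

// The extension answers with the GetParameter response body: {"Parameter": {"Value": ...}}.
// Validate the shape rather than trusting the cast, so a proxy error page never
// ends up being used as a token.
export function parseParameter(body: string): string {
  let parsed: unknown;
  try {
    parsed = JSON.parse(body);
  } catch (err) {
    throw new Error(`extension returned non-JSON body: ${String(err)}`);
  }
  const param = (parsed as { Parameter?: { Value?: unknown } }).Parameter;
  if (!param || typeof param.Value !== "string") throw new Error("unexpected response shape");
  return param.Value;
}

interface Entry { value: string; expiresAt: number; }

export class SecretStore {
  private readonly cache = new Map<string, Entry>();
  private readonly inflight = new Map<string, Promise<string>>(); // dedups concurrent reads
  private readonly port: number;
  private readonly ttlMs: number;
  private readonly now: () => number;
  public fetches = 0; // number of round trips to the extension (for tests/metrics)

  constructor(private readonly opts: StoreOptions) {
    this.port = opts.port ?? 2773;
    this.ttlMs = opts.ttlMs ?? 5 * 60 * 1000;
    this.now = opts.now ?? Date.now;
  }

  // Cached per warm container; expired entries are re-read so a rotated
  // parameter is picked up without a redeploy.
  get(name: string): Promise<string> {
    const hit = this.cache.get(name);
    if (hit && hit.expiresAt > this.now()) return Promise.resolve(hit.value);
    const pending = this.inflight.get(name);
    if (pending) return pending;
    const p = this.load(name);
    this.inflight.set(name, p);
    p.then(() => this.inflight.delete(name), () => this.inflight.delete(name));
    return p;
  }

  private async load(name: string): Promise<string> {
    this.fetches++;
    const res = await this.opts.transport(buildRequest(name, this.port, this.opts.sessionToken));
    if (res.status !== 200) throw new Error(`extension returned HTTP ${res.status} for ${name}`);
    const value = parseParameter(res.body);
    this.cache.set(name, { value, expiresAt: this.now() + this.ttlMs });
    return value;
  }
}

// What replaces the top-level await: the module exports a function, and the
// handler awaits it. Nothing async runs at import time.
export function slackBotToken(store: SecretStore): Promise<string> {
  return store.get("/minerva/slack_bot_token"); // hypothetical parameter name
}
```

The function's execution role still needs `ssm:GetParameter` on the parameter and `kms:Decrypt` on the key it was encrypted with; the extension uses the function's own credentials, so nothing about the secret has to live in the environment. Keep the TTL short enough that rotating the parameter does not leave stale copies in warm containers for longer than you would accept.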