AWS Lambda - Encrypted Environment Variable

Environment Variable Creation




After pasting your token you need to encrypt it. This is done by checking the Enable Helpers checkbox.

Prior to hitting the Encrypt option you need to decide which Key to use. Let us use the KMS key that we created above. 
 


When you hit the Encrypt option, you will need to select the key and then hit the Encrypt button.

You will now see the encrypted token in the environment variable. Hit Save to complete the step.


Adding Code to Read Encrypted Environment Variable

The decryption is done via aws-sdk. Here are some lines that need to be added to the code that we had previously used.

These lines need to be added at the top of index.js
var aws = require('aws-sdk');
// Set the region 
aws.config.update({ region: '<your-aws-region>' });

// token is not assigned
let rundeck_auth_token;
// this the encrypted variable from the environment
const encrypted = process.env['rundeck_auth_token'];

These lines need to be added at the top of export.handler function, just after the declaration of the variables.
 
if (!rundeck_auth_token) {
	// Decrypt code should run once and variables stored outside of the
	// function handler so that these are decrypted once per container
	const kms = new aws.KMS();
	try {
		const req = { CiphertextBlob: Buffer.from(encrypted, 'base64') };
		const data = await kms.decrypt(req).promise();
		rundeck_auth_token = data.Plaintext.toString('ascii');
	}
	catch (err) {
		console.log('Decrypt error:', err);
		throw err;
	}
}



Comments

Post a Comment

Popular posts from this blog

Slack & Rundeck Integration Using AWS Services

Image
Overview Your team uses  Rundeck  to automate ad-hoc and routine procedures in a data center or cloud environment. Your team also uses Slack  for collaboration and communication.  Typically Rundeck  jobs are stuck behind a web or command-line interface and are difficult to access.  This tutorial will give you the knowledge to create a  Slack  app to directly invoke a Rundeck  job.  High-Level Design This integration uses the following components: Slash commands created via a custom Slack application point to a URL hosted on the AWS API Gateway AWS API Gateway resource calling an  AWS Lambda function. Lambda function invoking a Rundeck job via Rundeck API. KMS & VPC NAT Gateway are required for security purposes. Steps Rundeck API Setup Rundeck API is an extensive alternative to the web interface. These APIs are implemented using HTTPS POST and secured by an API token.  Login to Rundeck and gener...
Read more

AWS Key Management Service

Image
KMS Key Creation A key needs to be created in the  KMS environment  before it can be used in setting up the environment variable. Select the key administrators from the list. Finally, pick the user and/or roles that can access this policy. Each lambda has a "role" that was created or selected during the creation process. Make sure that you select the "role" correctly. If you have forgotten the "role" that is being used in the lambda function, you can retrieve it from the lambda configuration screen. Once all the parameters have been defined, the key can be saved.
Read more