feature: Resolve environment variables with values of the Secrets Manager

[miztch]

Hello, I would like to use some secret values stored in the Secrets Manager as environment variables for my existing Lambda functions.
I intend to use lambroll in new deploy pipeline(simply done with build source on S3 and lambroll runs on CodeBuild). Unless if we do not use AWS Parameters and Secrets Lambda Extension, Terraform state, or anything else, we need to implement the logic to retrieve the secret value by scratch.

For example, in CloudFormation, it can be resolved to the secret value with the following format.

{{resolve:secretsmanager:secret-id:SecretString:json-key:version-stage:version-id}}

https://docs.aws.amazon.com/secretsmanager/latest/userguide/cfn-example_reference-secret.html

It is assumed that it would be difficult to accept this request since you wrote in your blog that lambroll only does processes that can be performed by Lambda API, but I created the issue because it might be some of your inspiration.
(Or if you have any ideas to resolve this situation, I feel really appreciated to hear that!)

Thank you.

[fujiwara]

Hi.

I suggest to use handlename/ssmwrap for the workaround.

ssmwrap can look up values in the SSM parameter store and run a specified command with environment variables that are set by these values.

$ ssmwrap --names /path/to/foo -- sh -c 'echo $FOO'
value of foo

And SecretManager's secrets can be read via SSM parameter store with the prefix '/aws/reference/secretsmanager'.

So, by these methods, you can run lambroll with environment variables from SecretsManager.

$ ssmwrap --names /aws/reference/secretsmanager/mysecret -- lambroll ...

function.json

{
  "Environment": {
    "Variables": {
      "MYSECRET": "{{ must_env `MYSECRET` }}"
    }
  },
  // ...
}

---

But, this solution is complex a little.

I'm planning to introduce ssm template function, the same as ecspresso.
https://github.com/kayac/ecspresso#ssm

[fujiwara]

@miztch But, I don't recommend setting secrets into Lambda environment variables directly.

Secrets are exposed as plain text if someone can read the lambda function configuration.

If you try this method, please consider that risk.

[miztch]

Thank you for your immediate reply! I will try the workaround you suggested.

Also, I am already aware of the security risks you pointed out. Thanks for this one as well.
I will also tell my application engineer to eventually modify the code to get it in the function code, as I do not think it is appropriate to include plain text values in environment variables.

[miztch]

Thank you for the other day.

In my project, I found it difficult to retrieve the secret value using ssmwrap because the secret value was not just a value, but a key/value pair. So I solved this issue by implementing a little custom script.

Therefore I am willing to let you close this issue.

Since we are considering managing these secret values with SSM, there may be an opportunity to use the SSM plugin you implemented in #319. Thanks again for listening to my voice 🙏

[fujiwara]

Hi!
lambroll v1.0 has an ssm template function. Please try it!

https://github.com/fujiwara/lambroll?tab=readme-ov-file#expand-ssm-parameter-values

[miztch]

Thanks! I'm now installing it for some functions!