Coder Social home page Coder Social logo

serverless-ssm-kms's Introduction

Description

This project demonstrate how you can to use AWS System Manager and KMS with Lambda application.

Pre Requirements

  • You must have an AWS account
  • You must have Serverless Framework installed
  • You must have IAM permission to write and read in SSM (see policy.json file in the repository)

Steps

1 - Creating KMS Key

Command:

aws kms create-key --description kms-poc-test

Output:

{
    "KeyMetadata": {
        "AWSAccountId": "<Account ID>",
        "KeyId": "xxxxxxx-8be9-448a-b2aa-xxxxxxxxxx",
        "Arn": "arn:aws:kms:us-east-1:<Account ID>:key/xxxxxxx-8be9-448a-b2aa-xxxxxxxxxx",
        "CreationDate": 1620302223.000,
        "Enabled": true,
        "Description": "kms-poc-test",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}

The attributes KeyId and Arn will used next steps. You will need it to encrypt parameter and setting serverless.yml.

2 - Storing parameters

Storing parameter as plain text value:

aws ssm put-parameter --name PLAIN_VALUE --value 123456 --type String

Storing parameter encrypted

aws ssm put-parameter --name SECRET_VALUE --value 123456 --type SecureString  --key-id <KeyId>

3 - Creating project

sls create --template aws-nodejs --name <PROJECT-NAME>

4 - Setting serverless.yml

...
custom:
  arnKmsKey: <Arn> #ARN value generated in the first step
  settings:
    SECRET_VALUE: ${ssm:SECRET_VALUE}
    PLAIN_SECRET_VALUE: ${ssm:SECRET_VALUE~true} #TRUE means decrypt parameter to the Lambda
    PLAIN_VALUE: ${ssm:PLAIN_VALUE}
...    
provider:
  ...
  environment: ${self:custom.settings}
  iamRoleStatements:
    - Effect: Allow
      Action:
        - kms:Decrypt
        - kms:Encrypt
      Resource:
        - ${self:custom.arnKmsKey}  
    - Effect: Allow
      Action:
        - states:*
        - secretsmanager:*        
      Resource: '*'  
functions:
  hello:
    handler: handler.hello
    kmsKeyArn: ${self:custom.arnKmsKey}       
...

5 - Getting parameters

  const secretValue      = process.env.SECRET_VALUE
  const plainSecretValue = process.env.PLAIN_SECRET_VALUE
  const plainValue       = process.env.PLAIN_VALUE

6 - Deploying project

sls deploy -v

Notice

All parameters defined in custom > setting section will be injected as environment variables in the settings of Lambda.

serverless-ssm-kms's People

Contributors

waelson avatar

Watchers

James Cloos avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.