Add direct support for Amazon secrets manager about zappa HOT 5 OPEN

Up! I would love to map secrets to env vars instead of exposing them in settings.json

from zappa.

Once you have the ARN you can pull the secret pretty easily. Here is the code I use:

        SECRETSMANAGER = 'secretsmanager'
        secret_name = os.path.expandvars(section[AWS_SECRET_NAME])
        region_name = os.path.expandvars(section[AWS_REGION_NAME])
        session = boto3.session.Session()
        client = session.client( service_name=SECRETSMANAGER,
                                 region_name=region_name)
        try:
            get_secret_value_response = client.get_secret_value( SecretId=secret_name )
        except ClientError as e:
            raise SecretsManagerError(e)
        secret = json.loads(get_secret_value_response['SecretString'])

The ARN is your key to unlocking the secrets! But role under which the Lambda is running needs access to either the specific ARN, or else all ARNs within the secrets manager. This is a pain to set up, and it changes frequently, so tit would be nice for Zappa to automate the creation of the AWS authorizations. I was not suggesting that Zappa get the secret out of the Secrets Manager and put the secret in into the environment.

from zappa.

Something like that would be great

{{resolve:secretsmanager:${secretName}:SecretString:password}

https://github.com/awsdocs/aws-lambda-developer-guide/blob/07fa19fba08e75d549fbfa7131bc57e3f41df018/sample-apps/rds-mysql/template.yml#L44

from zappa.

Right now this is how I'm adding AWS secrets to my zappa_config.json file:

        "environment_variables": {
            "AWS": "YES",
            "DBREADER":"arn:aws:secretsmanager:us-east-1:376778041234:secret:dbreader_prod-734s,
            "DBWRITER":"arn:aws:secretsmanager:us-east-1:376778041234:secret:dbwriter_prod-akana",
        }

I would like to see Zappa do something along these lines:

        "aws_secrets": 
            ["arn:aws:secretsmanager:us-east-1:376778041234:secret:dbreader_prod-734s",
             "arn:aws:secretsmanager:us-east-1:376778041234:secret:dbwriter_prod-akana"],

Zappa would then automatically make sure that the IAM Role that it creates has access to the two ARNs.

from zappa.

@simsong but this way you are just passing ARN to the env, these secrets aren't resolving to actual values?

I'm lookin for the option to pull resolved secrets.

from zappa.