{"id":20790502,"url":"https://github.com/docker-production-aws/lambda-secrets-provisioner","last_synced_at":"2025-07-06T19:08:38.558Z","repository":{"id":176607464,"uuid":"112002509","full_name":"docker-production-aws/lambda-secrets-provisioner","owner":"docker-production-aws","description":"AWS Lambda Function for provisioning secrets into the EC2 Systems Manager Parameter Store","archived":false,"fork":false,"pushed_at":"2017-11-26T02:07:24.000Z","size":7,"stargazers_count":5,"open_issues_count":0,"forks_count":10,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-06-21T11:04:04.414Z","etag":null,"topics":["aws","aws-cloudformation","aws-key-management","aws-kms","aws-lambda","cloudformation","custom-resources","ec2-parameter-store","ec2-systems-manager","key-management","lambda","python","secrets-management"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/docker-production-aws.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-11-25T12:38:11.000Z","updated_at":"2021-04-15T10:14:22.000Z","dependencies_parsed_at":null,"dependency_job_id":"903eb07f-712e-4d67-9c86-44047d90fc4c","html_url":"https://github.com/docker-production-aws/lambda-secrets-provisioner","commit_stats":null,"previous_names":["docker-production-aws/lambda-secrets-provisioner"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/docker-production-aws/lambda-secrets-provisioner","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker-p
roduction-aws%2Flambda-secrets-provisioner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker-production-aws%2Flambda-secrets-provisioner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker-production-aws%2Flambda-secrets-provisioner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker-production-aws%2Flambda-secrets-provisioner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/docker-production-aws","download_url":"https://codeload.github.com/docker-production-aws/lambda-secrets-provisioner/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker-production-aws%2Flambda-secrets-provisioner/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263957844,"owners_count":23535605,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-cloudformation","aws-key-management","aws-kms","aws-lambda","cloudformation","custom-resources","ec2-parameter-store","ec2-systems-manager","key-management","lambda","python","secrets-management"],"created_at":"2024-11-17T15:35:27.989Z","updated_at":"2025-07-06T19:08:38.526Z","avatar_url":"https://github.com/docker-production-aws.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Docker in Production using AWS CloudFormation Secrets Provisioner Custom Resource\n\nThis repository defines a CloudFormation custom resource Lambda function called `secretsProvisioner`, which is included with the 
Pluralsight course [Docker in Production using Amazon Web Services](https://app.pluralsight.com/library/courses/docker-production-using-amazon-web-services/table-of-contents).\n\nThis function is a CloudFormation custom resource that securely provisions secrets into the EC2 systems manager parameter store.\n\n## Branches\n\nThis repository contains two branches:\n\n- [`master`](https://github.com/docker-production-aws/lambda-secrets-provisioner/tree/master) - represents the initial starting state of the repository as viewed in the course.  Specifically this is an empty repository that you are instructed to create in the module **Managing Secrets in AWS**.\n\n- [`final`](https://github.com/docker-production-aws/lambda-secrets-provisioner/tree/final) - represents the final state of the repository after completing all configuration tasks as described in the course material.\n\n\u003e The `final` branch is provided as a convenience in case you get stuck, or want to avoid manually typing out large configuration files.  In most cases however, you should attempt to configure this repository by following the course material.\n\nTo clone this repository and check out a branch you can simply use the following commands:\n\n```\n$ git clone https://github.com/docker-production-aws/lambda-secrets-provisioner.git\n...\n...\n$ git checkout final\nSwitched to branch 'final'\n$ git checkout master\nSwitched to branch 'master'\n```\n\n## Errata\n\nNo known issues.\n\n## Further Reading\n\n- [Systems Manager Parameter Store Docs](http://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-paramstore.html)\n\n## Build Instructions\n\nTo complete the build process you need the following tools installed:\n\n- Python 2.7\n- PIP package manager\n- [AWS CLI](https://aws.amazon.com/cli/)\n\nAny dependencies need to be defined in `src/requirements.txt`.  
Note that you do not need to include `boto3`, as this is provided by AWS for Python Lambda functions.\n\nTo build the function and its dependencies:\n\n`make build`\n\nThis will create the necessary dependencies in the `src` folder and create a ZIP package in the `build` folder.  This file is suitable for upload to the AWS Lambda service to create a Lambda function.\n\n```\n$ make build\n=\u003e Building secretsProvisioner.zip...\nCollecting cfn_lambda_handler (from -r requirements.txt (line 1))\nInstalling collected packages: cfn-lambda-handler\n...\n...\nSuccessfully installed cfn-lambda-handler-1.0.0\nupdating: vendor/cfn_lambda_handler_1.0.0.dist-info/ (stored 0%)\nupdating: vendor/cfn_lambda_handler.py (deflated 67%)\nupdating: vendor/cfn_lambda_handler.pyc (deflated 62%)\nupdating: requirements.txt (stored 0%)\nupdating: setup.cfg (stored 0%)\nupdating: secretsProvisioner.py (deflated 63%)\n=\u003e Built build/secretsProvisioner.zip\n```\n\n### Function Naming\n\nThe default name for this function is `secretsProvisioner` and the corresponding ZIP package that is generated is called `secretsProvisioner.zip`.\n\nIf you want to change the function name, you can either update the `FUNCTION_NAME` setting in the `Makefile` or alternatively configure an environment variable of the same name to override the default function name.\n\n## Publishing the Function\n\nWhen you publish the function, you are simply copying the built ZIP package to an S3 bucket.  
Before you can do this, you must ensure you have created the S3 bucket and your environment is configured correctly with appropriate AWS credentials and/or profiles.\n\nTo specify the S3 bucket that the function should be published to, you can either configure the `S3_BUCKET` setting in the `Makefile` or alternatively configure an environment variable of the same name to override the default S3 bucket name.\n\n\u003e [Versioning](http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html) should be enabled on the S3 bucket\n\nTo deploy the built ZIP package:\n\n`make publish`\n\nThis will upload the built ZIP package to the configured S3 bucket.\n\n\u003e When a new or updated package is published, the S3 object version will be displayed.\n\n### Publish Example\n\n```\n$ make publish\n...\n...\n=\u003e Built build/secretsProvisioner.zip\n=\u003e Publishing secretsProvisioner.zip to s3://123456789012-cfn-lambda...\n=\u003e Published to S3 URL: https://s3.amazonaws.com/123456789012-cfn-lambda/secretsProvisioner.zip\n=\u003e S3 Object Version: gyujkgVKoH.NVeeuLYTi_7n_NUburwa4\n```\n\n## CloudFormation Usage\n\nThis function is designed to be called from a CloudFormation template as a custom resource.\n\nIn general you should create a Lambda function per CloudFormation stack and then create custom resources that call the Lambda function.\n\n### Defining the Lambda Function\n\nThe following CloudFormation template snippet demonstrates creating the Lambda function, along with supporting CloudWatch Logs and IAM role resources:\n\n```\n...\nResources:\n  SecretsProvisionerLogGroup:\n    Type: \"AWS::Logs::LogGroup\"\n    DeletionPolicy: \"Delete\"\n    Properties:\n      LogGroupName:\n        Fn::Sub: /aws/lambda/${AWS::StackName}-secretsProvisioner\n      RetentionInDays: 30\n  SecretsProvisioner:\n    Type: \"AWS::Lambda::Function\"\n    DependsOn:\n      - \"SecretsProvisionerLogGroup\"\n    Properties:\n      Description: \n        Fn::Sub: \"${AWS::StackName} 
Secrets Provisioner\"\n      Handler: \"secretsProvisioner.handler\"\n      MemorySize: 128\n      Runtime: \"python2.7\"\n      Timeout: 300\n      Role: \n        Fn::Sub: ${SecretsProvisionerRole.Arn}\n      FunctionName: \n        Fn::Sub: \"${AWS::StackName}-secretsProvisioner\"\n      Code:\n        S3Bucket: \n          Fn::Sub: \"${AWS::AccountId}-cfn-lambda\"\n        S3Key: \"secretsProvisioner.zip\"\n        S3ObjectVersion: \"gyujkgVKoH.NVeeuLYTi_7n_NUburwa4\"\n  SecretsProvisionerRole:\n    Type: \"AWS::IAM::Role\"\n    Properties:\n      Path: \"/\"\n      AssumeRolePolicyDocument:\n        Version: \"2012-10-17\"\n        Statement:\n        - Effect: \"Allow\"\n          Principal: {\"Service\": \"lambda.amazonaws.com\"}\n          Action: [ \"sts:AssumeRole\" ]\n      Policies:\n      - PolicyName: \"SecretsProvisionerPermissions\"\n        PolicyDocument:\n          Version: \"2012-10-17\"\n          Statement:\n          - Sid: Encrypt\n            Effect: Allow\n            Action:\n            - kms:Decrypt\n            - kms:Encrypt\n            Resource:\n              # KMS key ARNs use the kms service, not ssm\n              Fn::Sub: arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/1234abcd-12ab-34cd-56ef-1234567890ab\n          - Sid: ProvisionSecrets\n            Effect: Allow\n            Action:\n            - ssm:GetParameters\n            - ssm:PutParameter\n            - ssm:DeleteParameter\n            - ssm:AddTagsToResource\n            - ssm:ListTagsForResource\n            Resource:\n              Fn::Sub: arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${AWS::StackName}/*\n          - Sid: ManageLambdaLogs\n            Effect: Allow\n            Action:\n            - logs:CreateLogStream\n            - logs:DescribeLogStreams\n            - logs:PutLogEvents\n            Resource:\n              Fn::Sub: ${SecretsProvisionerLogGroup.Arn}\n...\n...\n```\n\n### Creating Custom Resources that use the Lambda Function\n\nThe following custom resource calls the `SecretsProvisioner` 
Lambda function when the resource is created, updated or deleted:\n\n```\n  DatabaseSecret:\n    Type: \"Custom::Secret\"\n    Properties:\n      ServiceToken:\n        Fn::Sub: \"${SecretsProvisioner.Arn}\"\n      Name:\n        Fn::Sub: /${AWS::StackName}/database/password\n      Key: JDBC_PASSWORD\n      Value:\n        Ref: DatabasePassword\n      KmsKeyId:\n        Fn::ImportValue: CfnMasterKey\n```\n\nThe following table describes the various properties you can configure when creating a custom resource that uses this Lambda function:\n\n| Property     | Description                                                                                                                                                                                        | Required |\n|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|\n| ServiceToken | The ARN of the Lambda function                                                                                                                                                                     | Yes      |\n| Name         | The name of the parameter to create                                                                                                                                                                | Yes      |\n| Key          | A key to store along with the plaintext version of the secret.  This is typically in the form of an environment variable, which will be stored in the format \u003cENVIRONMENT_VARIABLE\u003e=\u003csecret-value\u003e | Yes      |\n| Value        | The value of the secret.  If provided, the value must be encrypted using KMS.  
If not provided, the provisioner will create a random password                                                      | No       |\n| KmsKeyId     | The ID of the KMS key to use to encrypt the parameter when it is provisioned into the parameter store                                                                                              | No       |","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdocker-production-aws%2Flambda-secrets-provisioner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdocker-production-aws%2Flambda-secrets-provisioner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdocker-production-aws%2Flambda-secrets-provisioner/lists"}