{"id":16842461,"url":"https://github.com/psypherpunk/aws-lambda-secrets-wrapper-rs","last_synced_at":"2025-03-18T05:27:34.211Z","repository":{"id":76756944,"uuid":"469490928","full_name":"PsypherPunk/aws-lambda-secrets-wrapper-rs","owner":"PsypherPunk","description":null,"archived":false,"fork":false,"pushed_at":"2023-12-01T20:55:37.000Z","size":112,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-01-24T12:13:57.086Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PsypherPunk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-03-13T20:47:19.000Z","updated_at":"2024-02-06T20:53:22.000Z","dependencies_parsed_at":null,"dependency_job_id":"b6e0c8e1-7e79-4076-b8fe-9517a092f047","html_url":"https://github.com/PsypherPunk/aws-lambda-secrets-wrapper-rs","commit_stats":null,"previous_names":[],"tags_count":37,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PsypherPunk%2Faws-lambda-secrets-wrapper-rs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PsypherPunk%2Faws-lambda-secrets-wrapper-rs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PsypherPunk%2Faws-lambda-secrets-wrapper-rs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PsypherPunk%2Faws-lambda-secrets-wrapper-rs/manifests","owner_url":"https://repos.
ecosyste.ms/api/v1/hosts/GitHub/owners/PsypherPunk","download_url":"https://codeload.github.com/PsypherPunk/aws-lambda-secrets-wrapper-rs/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244162459,"owners_count":20408531,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-13T12:46:14.692Z","updated_at":"2025-03-18T05:27:34.189Z","avatar_url":"https://github.com/PsypherPunk.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# `aws-lambda-secrets-wrapper-rs`\n\nThis idea was inspired by AWS'\n[documentation](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-modify.html#runtime-wrapper-example)\non extensions to the AWS Lambda runtime process and the inability to securely\npass secrets to AWS Lambda, much\n[as you can](https://aws.amazon.com/premiumsupport/knowledge-center/ecs-data-security-container-task/)\nwith AWS ECS.\n\n## Why?\n\nTo pass a secret to AWS Lambda, you can either:\n\n- pass the ARN as an environment variable and have your Lambda retrieve the\n  secret at runtime;\n- pass the secret itself as an environment variable, encrypting the environment\n  variables with KMS and restricting access to the key.\n\nBoth work, are valid and offer a secure way of handling secrets.\n\nThis is purely an attempt at an alternative wherein:\n\n- you don't have to write code to retrieve those secrets: that should be\n  managed by the runtime and passed to the Lambda, which can remain blissfully\n  unaware;\n- you don't have to be concerned about encrypting 
any secrets and managing the\n  cost and concerns of yet another key.\n\n## How?\n\nIf you want to pass a secret, say an obviously-named environment variable\nlike `DATABASE_PASSWORD`, to an AWS Lambda, there are a few steps:\n\n- add a *layer* to the Lambda containing a release from this repository;\n- pass the ARN of the secret—itself securely stored in AWS Secrets Manager—to the\n  AWS Lambda, with an environment variable suffixed with `_SECRET_ARN`;\n- set the environment variable `AWS_LAMBDA_EXEC_WRAPPER` (the value will always\n  be `/opt/secrets-wrapper`.)\n\nIn Terraform, this might look like:\n\n```hcl\nresource \"aws_lambda_layer_version\" \"this\" {\n  filename   = \"aws-lambda-secrets-wrapper-0.1.0.zip\"\n  layer_name = \"wrapper\"\n}\n\nresource \"aws_lambda_function\" \"this\" {\n  layers = [\n    aws_lambda_layer_version.this.arn,\n  ]\n\n  environment {\n    variables = {\n      AWS_LAMBDA_EXEC_WRAPPER      = \"/opt/secrets-wrapper\"\n      DATABASE_PASSWORD_SECRET_ARN = \"arn:aws:secretsmanager:eu-west-1:…:secret:…\"\n    }\n  }\n}\n```\n\nWhen your Lambda runs, the wrapper will retrieve the secret from Secrets Manager via\nthe ARN and make the resulting value available to the Lambda in an environment\nvariable of the same name, minus the `_SECRET_ARN` suffix.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpsypherpunk%2Faws-lambda-secrets-wrapper-rs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpsypherpunk%2Faws-lambda-secrets-wrapper-rs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpsypherpunk%2Faws-lambda-secrets-wrapper-rs/lists"}