Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/robin-thomas/serverless-aws-secrets

🛵 Serverless plugin that reads environment variables and replaces secrets using AWS Secrets Manager 🛵
https://github.com/robin-thomas/serverless-aws-secrets

aws aws-lambda aws-secrets-manager environment-variables javascript jest secrets-manager security serverless serverless-plugin typescript

Last synced: 3 months ago
JSON representation

🛵 Serverless plugin that reads environment variables and replaces secrets using AWS Secrets Manager 🛵

Awesome Lists containing this project

README 

        


  
Serverless AWS Secrets Tweet




  
A Serverless Plugin for the Serverless Framework, which can replace environment variables with secrets from AWS Secrets Manager.


  


    

  





  

    

  

  

    

  

  

  

  

    

  

  

    

  

  




## Introduction



If you are using a serverless plugin like [Serverless Dotenv Plugin](https://github.com/neverendingqs/serverless-dotenv-plugin), then you shall be having `.env.*` files that looks like:



```

MYSQL_USERNAME=username

MYSQL_PASSWORD=password

```



Rather than storing these secrets in your `.env.*` file, you can instead store them in [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/). This plugin will then replace the environment variables (that are already loaded into Serverless framework) with the secrets from AWS Secrets Manager.



You need to change your above `.env.*` files to:



```

MYSQL_USERNAME=secret:MYSQL_USERNAME

MYSQL_PASSWORD=secret:MYSQL_PASSWORD

```



The plugin will then search within AWS Secrets Manager (refer to `secretId` configuration) for a secret with the name `MYSQL_USERNAME` and `MYSQL_PASSWORD` and replace the environment variables with the secret value.



Secrets are recognized as environment variables whose name started with a pre-defined prefix. (refer to `secretPrefix` configuration below).



## Getting Started



These instructions will help you integrate this plugin into your serverless service.



### Prerequisites



You need to have the below softwares running on your system:



* [Node.js v18](https://nodejs.org/en) - You can use [NVM](https://github.com/nvm-sh/nvm) to setup Node.js in your system

* [Git](https://git-scm.com/) - You can download from [here](https://git-scm.com/downloads)

* [Serverless](https://www.serverless.com/) - Refer [here](https://github.com/serverless/serverless/blob/main/docs/getting-started.md) on how to get started



### Installing the plugin



Run below command to install the plugin:



```

$ npm install --save-dev serverless-aws-secrets

```



Add the plugin to `serverless.yml`:



```

plugins:

  - serverless-aws-secrets

```



This will run the plugin during the below serverless hooks:

* `before:package:initialize`

* `offline:start:init`



### Configuring the plugin



The plugin can be configured by:



```

custom:

  serverless-aws-secrets:

    secretId: ...

    secretPrefix: ...

```



* `secretId`: Location of the secret in AWS Secrets Manager. Default: `${provider.stage}/${app}-${service}`



* `secretPrefix`: Prefix of the secret name in AWS Secrets Manager. Default: `secret:`



## CLI commands



This plugin also exposes a CLI command that can be used along with serverless.



### Display the secret values



```

$ sls aws-secrets --verbose

```



This will display the output:



```

[serverless-aws-secrets]: Running the command: sls aws-secrets

[serverless-aws-secrets]: Loading secret: {secretId} in {provider.region}

✔ [serverless-aws-secrets]: Secret: {secretKey}, Value: {secretValue}

```



## Local Development



These instructions will help you to run the project in your local.



### Setup



Run the below commands to setup the project:



```

$ git clone [email protected]:robin-thomas/serverless-aws-secrets.git

$ cd serverless-aws-secrets

$ nvm use 18

$ npm install

```



### Running the tests



You can run the unit tests written in [Jest](https://github.com/jestjs/jest) by running:



```

$ npm run test

```



## Versioning



We use [SemVer](http://semver.org/) for versioning. For the versions available, see the [tags on this repository](https://github.com/robin-thomas/serverless-aws-secrets/tags).



## License



This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.