This Lambda Layer provides a safe and efficient way to generate environment variables for your Lambda functions based on values stored in AWS Secrets Manager.
This bash script acts as a wrapper for your Lambda function, performing the following tasks:
- The Lambda service responds to an event and initializes the Lambda context.
- The wrapper script is called as part of the Lambda init phase.
- The wrapper script calls a Golang executable passing in the ARN for the secret to retrieve.
- The Golang executable uses the Secrets Manager API to retrieve the decrypted secret.
- The wrapper script converts the information into environmental variables and calls the next step in processing.
- The script creates a temporary file to store environment variables.
- It executes a Rust binary (`env-vars-from-secrets-manager`) that:
  - Retrieves the specified secrets from AWS Secrets Manager.
  - Processes the secrets according to the prefix and transformation options.
  - Writes the environment variables to the temporary file.
- The variables in the temporary file are loaded into the environment.
- The script handles the layer execution chain, ensuring that it executes correctly if there are multiple layers.
- Finally, it executes the Lambda function with the configured environment.
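The wrapper flow above, as an added illustration that is not the layer's own `retrieve-secrets` script or its Rust binary: the Secrets Manager call is replaced by a constructed JSON secret so it runs offline, and the temporary file is imported with `export KEY=VALUE` rather than sourced, so secret contents are never evaluated as shell. It assumes flat JSON secrets whose values are strings without escaped quotes or newlines, and the documented `SECRETS_PREFIX` / `SECRETS_TRANSFORM` settings.

```bash
#!/bin/bash
# Added illustration, not the layer's own code. A flat JSON secret with string
# values (no escaped quotes or newlines) is assumed; the Secrets Manager call
# is replaced by the constructed SAMPLE_SECRET below.
SAMPLE_SECRET='{"db_user": "app", "db-pass": "p@ss $(echo injected)", "Port": "5432"}'

# One JSON secret -> KEY=VALUE lines. Applies the prefix, replaces characters
# that are not valid in an environment variable name, then the case transform.
secret_to_env_lines() {   # $1 json  $2 prefix  $3 transform (upper|lower|"")
  printf '%s' "$1" \
    | grep -oE '"[^"]+"[[:space:]]*:[[:space:]]*"[^"]*"' \
    | sed -E 's/^"([^"]+)"[[:space:]]*:[[:space:]]*"([^"]*)"$/\1|\2/' \
    | while IFS='|' read -r key value; do
        if [ -n "$2" ]; then key="${2}_${key}"; fi
        key=$(printf '%s' "$key" | sed 's/[^A-Za-z0-9_]/_/g')
        case "$3" in
          upper) key=$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]') ;;
          lower) key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]') ;;
        esac
        printf '%s=%s\n' "$key" "$value"
      done
}

# Write the lines to a private temp file (mktemp creates it mode 0600), load
# them, and delete the file. `export "KEY=VALUE"` stores the value verbatim:
# a secret containing $(...) or quotes stays an inert string, which sourcing
# the file would not guarantee.
load_secrets_into_env() {   # $1 json  $2 prefix  $3 transform
  tmpfile=$(mktemp "${TMPDIR:-/tmp}/secrets.XXXXXX") || return 1
  secret_to_env_lines "$1" "$2" "$3" > "$tmpfile"
  while IFS= read -r line; do
    export "$line"
  done < "$tmpfile"
  rm -f "$tmpfile"
}

# When used as AWS_LAMBDA_EXEC_WRAPPER, the runtime passes the real handler
# command as arguments: populate the environment, then hand over with exec.
if [ "$#" -gt 0 ]; then
  load_secrets_into_env "$SAMPLE_SECRET" "${SECRETS_PREFIX:-}" "${SECRETS_TRANSFORM:-}"
  exec "$@"
fi
```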
To use this layer in your Lambda function:
- Add this layer to your Lambda function configuration.
- Set the following environment variables in your Lambda function:
  - `AWS_LAMBDA_EXEC_WRAPPER`: `/opt/retrieve-secrets`
  - `SECRETS_ARN`: ARNs of the secrets in AWS Secrets Manager, separated by commas with no spaces.
  - `SECRETS_PREFIX` (optional): prefix for the generated environment variable names.
  - `SECRETS_TRANSFORM` (optional): transformation applied to variable names (e.g., "lower" for lowercase, "upper" for uppercase).
The layer will automatically retrieve the specified secrets and set them as environment variables before your function code executes.
Examples:
To test the layer locally, you can use the following commands:

```bash
export SECRETS=arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-name
export PATH=secrets   # caution: this overrides the shell's command search path for the rest of the session
export PREFIX=secret
export TRANSFORM=upper
make dev
```

or

```bash
cargo run -- --path secrets --secrets arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-name --transform upper
```
- cargo-lambda: https://www.cargo-lambda.info/guide/getting-started.html
The layer can be deployed for both x86_64 and ARM64 architectures. To deploy the layer to AWS Lambda, follow these steps:
- Ensure you have the necessary AWS credentials and permissions configured.
- Build and deploy for x86_64:

  ```bash
  # Build the layer
  make build_lambda_x86
  # Deploy the layer
  make deploy_cli_x86
  # Add permissions (requires ORG_ID to be set)
  make add_permissions_x86
  # Add permissions (requires ACCOUNT_ID to be set)
  make add_permissions_by_account_x86
  ```

- Build and deploy for ARM64:

  ```bash
  # Build the layer
  make build_lambda_arm
  # Deploy the layer
  make deploy_cli_arm
  # Add permissions (requires ORG_ID to be set)
  make add_permissions_arm
  # Add permissions (requires ACCOUNT_ID to be set)
  make add_permissions_by_account_arm
  ```
The layers will be deployed with the following names:
- x86_64: `env-vars-from-secrets-manager`
- ARM64: `env-vars-from-secrets-manager-arm64`
Make sure to use the appropriate layer version according to your Lambda function's architecture.
- Ensure that your Lambda function has the necessary IAM permissions to access the specified secrets in AWS Secrets Manager.
- The script creates a temporary file in /tmp to store secrets briefly. This file is deleted immediately after use, but be aware of this transient storage.
- The layer assumes that secrets in AWS Secrets Manager are stored in JSON format.
- There's a limit to the number of environment variables that can be set in a Lambda function. Be mindful of this when retrieving large numbers of secrets.
If you encounter issues:
- Check the CloudWatch logs for your Lambda function. The script logs errors prefixed with [Secret].
- Ensure the `SECRETS_ARN`, `SECRETS_PREFIX`, and `SECRETS_TRANSFORM` environment variables are set correctly.
- Verify that your Lambda function has the necessary permissions to access AWS Secrets Manager.