Discussion on: A crash course on serverless-side rendering with React.js, Next.js and AWS Lambda

bitttttten

So you keep the secrets file locally? What if you are on a team and want to deploy this through CI/CD? Would you handle that on there?

adnanrahic (Adnan Rahić, Author)

You use AWS KMS. Here's a nice Serverless plugin. :)

nordcloud / serverless-kms-secrets

🔑🔐☁️ Serverless plugin to encrypt variables with KMS

Serverless KMS Secrets

A Serverless Plugin for the Serverless Framework which helps with encrypting service secrets using the AWS Key Management Service (KMS)


This plugin does the following:

  • It provides commands to encrypt and decrypt secrets with KMS

Installation and configuration

In your service root, run:

npm install --save-dev serverless-kms-secrets

Add the plugin to serverless.yml:

  plugins:
    - serverless-kms-secrets

Configure the plugin into the custom block in serverless.yml. For example:

  custom:
    serverless-kms-secrets:
      secretsFile: kms-secrets.${opt:stage, self:provider.stage}.${opt:region, self:provider.region}.yml  # optional
    kmsSecrets: ${file(kms-secrets.${opt:stage, self:provider.stage}.${opt:region, self:provider.region}.yml)}

By default, the plugin writes secrets to the file kms-secrets.[stage].[region].yml. This can be overridden with the secretsFile parameter in the serverless-kms-secrets configuration.

Add Decrypt permissions to your Lambda function with, for example, this block in iamRoleStatements (scoped to the single key ARN, so the function can decrypt with that key and nothing else):

  iamRoleStatements:
    - Effect: Allow
      Action:
        - KMS:Decrypt
      Resource: ${self:custom.kmsSecrets.keyArn}


Creating KMS Key

Create a KMS key in the AWS IAM service, under Encryption keys. Collect…
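The README above covers how the plugin encrypts values into the committed secrets file and which IAM permission the function needs; what it does not show is the runtime side, which is what makes the CI/CD question work: the pipeline only ever ships ciphertext, and the Lambda decrypts it with its own role. The following is an added example, not code from this thread or from the serverless-kms-secrets project. It assumes the function receives a map of secret names to base64 KMS ciphertext (the map below is constructed), and that `kms` is any client whose `decrypt(params).promise()` resolves to `{ Plaintext: Buffer }`, the shape of the AWS SDK v2 KMS client. A constructed stand-in client is used so the example runs offline; in a deployed function you would pass `new AWS.KMS()` instead.

```javascript
// Added example (not from the original thread or the serverless-kms-secrets
// project). Demonstrates decrypting plugin-style KMS ciphertext once per
// container and failing closed when a ciphertext is bad.

// Constructed stand-in for `new AWS.KMS()`: it "decrypts" by stripping a
// prefix so the example runs offline. It also counts calls so we can check
// that decryption happens once per cold start, not once per request.
function makeFakeKms() {
  const client = {
    calls: 0,
    decrypt(params) {
      client.calls += 1;
      const blob = Buffer.from(params.CiphertextBlob).toString('utf8');
      const prefix = 'fake-kms:';
      if (!blob.startsWith(prefix)) {
        return { promise: () => Promise.reject(new Error('InvalidCiphertextException')) };
      }
      return { promise: () => Promise.resolve({ Plaintext: Buffer.from(blob.slice(prefix.length)) }) };
    },
  };
  return client;
}

// Decrypt every entry of { NAME: base64Ciphertext } in parallel. Any failure
// rejects the whole batch, so the function never runs with a partial secret set.
async function decryptSecrets(encrypted, kms) {
  const entries = await Promise.all(
    Object.entries(encrypted).map(async ([name, b64]) => {
      const res = await kms.decrypt({ CiphertextBlob: Buffer.from(b64, 'base64') }).promise();
      return [name, res.Plaintext.toString('utf8')];
    })
  );
  return Object.fromEntries(entries);
}

// Build a Lambda handler that decrypts at first use and caches the result for
// the lifetime of the container. A failed decrypt is not cached, so the next
// invocation retries instead of being stuck on a poisoned promise.
function createHandler(encrypted, kms) {
  let secretsPromise = null;
  return async function handler(event) {
    if (!secretsPromise) {
      secretsPromise = decryptSecrets(encrypted, kms).catch((err) => {
        secretsPromise = null;
        throw err;
      });
    }
    const secrets = await secretsPromise;
    // Use the secret for whatever the function needs; only non-sensitive
    // derived data goes into the response or logs.
    return {
      statusCode: 200,
      body: JSON.stringify({ apiKeyLength: secrets.API_KEY.length, path: event.path }),
    };
  };
}

// Constructed ciphertext in the fake client's format (base64, like the
// values the plugin writes to kms-secrets.[stage].[region].yml).
function fakeCiphertext(plaintext) {
  return Buffer.from('fake-kms:' + plaintext).toString('base64');
}

const CONSTRUCTED_SECRETS = {
  API_KEY: fakeCiphertext('s3cr3t-value'),
  DB_PASSWORD: fakeCiphertext('hunter2'),
};
```

The point of `createHandler` is where the decrypt call lives: outside the per-request path, so a warm container makes no further KMS calls, and the plaintext exists only in the function's memory, never in the repository, the deployment package or the CI logs. Pair it with the single-key `KMS:Decrypt` statement from the README so the role cannot decrypt anything else.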