Eric Rodríguez


Securing Serverless Apps: Migrating from Env Vars to AWS SSM Parameter Store

We've all done it. We start a project and shove API keys into .env files or Lambda Environment Variables. It's fast, it works. But as my "Finance Agent" project matures (Day 34!), handling banking credentials requires a higher standard of security. Today, I implemented Secrets Management using AWS Systems Manager (SSM).

The Problem with Environment Variables

While Environment Variables are better than hardcoding, they have flaws:

They are visible in the AWS Console to anyone with lambda:GetFunction permission.

They are injected into the runtime process environment, where malicious dependencies could potentially read them.

Updating them requires a deployment/config change.

The Solution: SSM Parameter Store

AWS Parameter Store allows us to store hierarchical data securely.

Step 1: Structuring the Parameters

I organized my keys using a path-based hierarchy:

/finance-agent/plaid_client_id (SecureString)

/finance-agent/plaid_secret (SecureString)

Step 2: Least Privilege IAM

I created a custom IAM Policy that grants my Lambda function access only to the /finance-agent/* path. Even if this function is compromised, it cannot read secrets from other applications.

Step 3: The Python Implementation

Instead of os.environ, I use boto3 to fetch configuration at runtime:

Python
import boto3

ssm = boto3.client('ssm')

def get_config():
    # One call returns at most 10 parameters; WithDecryption decrypts the SecureStrings
    response = ssm.get_parameters_by_path(
        Path='/finance-agent/',
        WithDecryption=True
    )
    # Strip the path prefix: '/finance-agent/plaid_secret' -> 'plaid_secret'
    return {p['Name'].split('/')[-1]: p['Value'] for p in response['Parameters']}
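A fuller version of the loader, added here as an example rather than the post's own code: it follows NextToken (the API caps each response at 10 parameters), fails closed when a required key is absent instead of starting with a None credential, and caches the result for the life of the warm container. The parameter names are the two from Step 1; FakeSSM is a constructed stand-in for the boto3 client so the block runs offline without AWS credentials.

```python
from typing import Dict, Iterator, List

SSM_PATH = "/finance-agent/"
REQUIRED_KEYS = ("plaid_client_id", "plaid_secret")
_CACHE: Dict[str, str] = {}


def iter_parameters(client, path: str) -> Iterator[dict]:
    """Yield every parameter under `path`, following NextToken; a single
    GetParametersByPath call returns at most 10, so one call can truncate."""
    kwargs = {"Path": path, "Recursive": True, "WithDecryption": True}
    while True:
        page = client.get_parameters_by_path(**kwargs)
        yield from page.get("Parameters", [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def load_config(client, path: str = SSM_PATH) -> Dict[str, str]:
    """Map '/finance-agent/plaid_secret' -> 'plaid_secret' and fail closed
    if a required key is missing from the hierarchy."""
    config = {p["Name"][len(path):]: p["Value"] for p in iter_parameters(client, path)}
    missing = [k for k in REQUIRED_KEYS if k not in config]
    if missing:
        raise RuntimeError(f"missing SSM parameters under {path}: {missing}")
    return config


def get_config(client, path: str = SSM_PATH) -> Dict[str, str]:
    """Fetch once per warm Lambda container; later invocations hit the cache
    (rotated values are picked up when the container is recycled)."""
    if not _CACHE:
        _CACHE.update(load_config(client, path))
    return _CACHE


class FakeSSM:
    """Constructed stand-in for boto3's SSM client: serves `pages` (lists of
    parameter dicts) one per call, chaining them with NextToken."""
    def __init__(self, pages: List[List[dict]]):
        self.pages, self.calls = pages, 0

    def get_parameters_by_path(self, **kwargs):
        self.calls += 1
        idx = int(kwargs.get("NextToken", 0))
        page = {"Parameters": self.pages[idx]}
        if idx + 1 < len(self.pages):
            page["NextToken"] = str(idx + 1)
        return page
```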

Security isn't a feature; it's a foundation. By moving to SSM, I've decoupled my configuration from my code and encrypted my sensitive data at rest.
