Hey everyone, I'm back and ready to dive into some serverless fun with AWS Lambda. Today's goal: use a Lambda function to read a secret credential from AWS Secrets Manager, where it sits encrypted at rest under an AWS KMS key. I want to see how smoothly Lambda can handle secrets from Secrets Manager (and, by extension, whatever other secret stores are out there).
This lab comes with some short Go code. The code fetches the secret from Secrets Manager and keeps it in the Lambda's memory cache, so warm invocations are served from memory instead of calling the API again. Slick, right? So here's to cracking open the door to the secrets realm and getting comfortable with what Lambda can do with them. Let's rock this journey!
Required Go libraries
- github.com/aws/aws-lambda-go/lambda
- github.com/aws/aws-secretsmanager-caching-go/secretcache
- fmt
- log
- os
Coding
Create a new Go module.
go mod init $YOUR_PROJECT_NAME
# Example
go mod init lamda-secret
Let's start with the entry point. main hands the handler function to the Lambda runtime. The secret cache is created once, outside the handler, so it lives in the execution environment's memory and is reused across warm invocations; creating it inside the handler would re-fetch the secret on every call and defeat the point of caching.
package main

import (
	"fmt"
	"log"
	"os"

	"github.com/aws/aws-lambda-go/lambda"
	"github.com/aws/aws-secretsmanager-caching-go/secretcache"
)

// sc is the in-memory secret cache, created once per execution environment
var sc *secretcache.Cache

func main() {
	var err error
	if sc, err = secretcache.New(); err != nil {
		log.Fatalf("create secret cache: %v", err)
	}
	// The argument to Start(...) is the handler Lambda calls on each invocation
	lambda.Start(ExportSecret)
}
Create the handler that reads the secret value. Returning the error makes a failed fetch show up as a failed invocation instead of an empty log line.
func ExportSecret() error {
	word, err := GetterSecret(sc)
	if err != nil {
		return err // a failed fetch becomes a failed invocation
	}
	// Lab only: this writes the secret value to CloudWatch Logs. Never log a secret value in real code.
	log.Printf("We have a secret word: %s", word)
	return nil
}
Create a function that gets the secret from the Secrets Manager API through the cache. The first call hits the API; later calls within the cache TTL are served from memory.
func GetterSecret(sc *secretcache.Cache) (string, error) {
	// The secret name or ARN comes from the SECRET_WORD_ID environment variable
	id := os.Getenv("SECRET_WORD_ID")
	secr, err := sc.GetSecretString(id)
	if err != nil {
		// Keep the cause: it tells you whether IAM, KMS or a missing secret failed
		return "", fmt.Errorf("can't get secret %q: %w", id, err)
	}
	return secr, nil
}
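To show what the cache is actually doing without an AWS account, here is an added example. It is my code for this page, not code from the post or from the aws-secretsmanager-caching-go library: a small TTL cache with the same GetSecretString shape (the library's default TTL is one hour), a fetcher interface so a fake Secrets Manager can stand in, JSON decoding of a typical database-credentials secret, and a redacted form that is safe to log. Everything in it (SecretFetcher, SecretCache, DBCredentials, the fake fetcher, the secret named prod/db and its contents) is constructed for the example; it runs offline with the standard library only.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// SecretFetcher abstracts the secretsmanager:GetSecretValue round trip so the
// cache can run offline. A real function would call the AWS SDK here, or just
// use secretcache, which implements this same pattern.
type SecretFetcher interface {
	GetSecretString(secretID string) (string, error)
}

type entry struct {
	value   string
	expires time.Time
}

// SecretCache keeps fetched secrets in memory for TTL, the way secretcache does
// across warm invocations of one execution environment (invocations in one
// environment run sequentially, so this lab cache needs no locking).
type SecretCache struct {
	fetcher SecretFetcher
	TTL     time.Duration
	Now     func() time.Time // injectable clock so expiry can be tested
	items   map[string]entry
}

func NewSecretCache(f SecretFetcher, ttl time.Duration) *SecretCache {
	return &SecretCache{fetcher: f, TTL: ttl, Now: time.Now, items: map[string]entry{}}
}

// GetSecretString serves a fresh cached value, otherwise fetches and caches it.
// Errors are returned but never cached, so one transient failure does not
// poison every later invocation.
func (c *SecretCache) GetSecretString(id string) (string, error) {
	if id == "" {
		return "", errors.New("secret id is empty (is SECRET_WORD_ID set?)")
	}
	if e, ok := c.items[id]; ok && c.Now().Before(e.expires) {
		return e.value, nil
	}
	v, err := c.fetcher.GetSecretString(id)
	if err != nil {
		return "", fmt.Errorf("get secret %q: %w", id, err)
	}
	c.items[id] = entry{value: v, expires: c.Now().Add(c.TTL)}
	return v, nil
}

// DBCredentials is the shape of a typical JSON secret (constructed for this example).
type DBCredentials struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Host     string `json:"host"`
}

// LoadDBCredentials fetches a JSON secret through the cache and decodes it.
func LoadDBCredentials(c *SecretCache, id string) (DBCredentials, error) {
	var creds DBCredentials
	raw, err := c.GetSecretString(id)
	if err != nil {
		return creds, err
	}
	if err := json.Unmarshal([]byte(raw), &creds); err != nil {
		return creds, fmt.Errorf("secret %q is not valid JSON: %w", id, err)
	}
	return creds, nil
}

// Redacted is what is safe to write to CloudWatch Logs: never the password.
func (d DBCredentials) Redacted() string {
	return fmt.Sprintf("user=%s host=%s password=[%d chars]", d.Username, d.Host, len(d.Password))
}

// fakeFetcher stands in for Secrets Manager; Calls counts API round trips.
type fakeFetcher struct {
	secrets map[string]string
	Calls   int
}

func (f *fakeFetcher) GetSecretString(id string) (string, error) {
	f.Calls++
	if v, ok := f.secrets[id]; ok {
		return v, nil
	}
	return "", errors.New("ResourceNotFoundException")
}

func main() {
	f := &fakeFetcher{secrets: map[string]string{
		"prod/db": `{"username":"app","password":"hunter2","host":"db.internal"}`,
	}}
	cache := NewSecretCache(f, time.Hour)
	for i := 0; i < 3; i++ { // three warm invocations share one cache
		creds, err := LoadDBCredentials(cache, "prod/db")
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Println(creds.Redacted())
	}
	fmt.Println("Secrets Manager calls:", f.Calls) // 1, not 3
}
```

Two details matter in practice: failed lookups are not stored, so a bad IAM policy or a typo in SECRET_WORD_ID is retried on the next invocation rather than stuck for an hour, and the only thing the function ever prints is the redacted form.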
Build the binary and upload the ZIP to an S3 bucket
export BINARY_NAME="lsc"
export GOOS="linux"
export GOARCH="amd64"
export CGO_ENABLED="0"
# Lab shortcut: takes whichever bucket is listed first. Set the bucket name explicitly for anything real.
export S3_BUCKET_NAME=$(aws s3api list-buckets --query 'Buckets[0].Name' --output text)
# Build a static Linux binary from the module in the current directory
go build -o $BINARY_NAME .
# Compress it into a ZIP; Lambda expects the binary at the root of the archive
zip lambda-$BINARY_NAME.zip $BINARY_NAME
# Upload to S3 with the AWS CLI
aws s3api put-object --bucket $S3_BUCKET_NAME --key lambda-$BINARY_NAME.zip --body ./lambda-$BINARY_NAME.zip
Prove your result
Create the Lambda function from the ZIP in S3 and set the environment variable the code reads. Example CLI:
aws lambda create-function \
  --function-name YourFunctionName \
  --runtime go1.x \
  --role your-iam-role-arn \
  --handler your-bin-name \
  --code S3Bucket=$S3_BUCKET_NAME,S3Key=lambda-$BINARY_NAME.zip \
  --environment "Variables={SECRET_WORD_ID=your-secret-name-or-arn}"
The handler name must match the binary name inside the ZIP. Note that AWS has deprecated the go1.x runtime: on provided.al2023 (or provided.al2) the binary in the ZIP must be named bootstrap and --handler is bootstrap; everything else stays the same.
Trigger the function manually (the CLI needs an output file for the response) and read the result in the function's CloudWatch log group, /aws/lambda/YourFunctionName.
aws lambda invoke \
  --function-name YourFunctionName \
  response.json
!! Before invoking, the function's execution role must grant the permissions below, plus the usual CloudWatch Logs permissions (for example the AWSLambdaBasicExecutionRole managed policy), or you will not see the log output.
{
  "Id": "AllowLambdaAccessSecret",
  "Statement": [
    {
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:secretsmanager:ap-southeast-1:xxxxxx:secret:your-secret-name-*",
      "Sid": "AllowLambdaAccessToSecretManager"
    },
    {
      "Action": "kms:Decrypt",
      "Effect": "Allow",
      "Resource": "arn:aws:kms:ap-southeast-1:xxxxxx:key/xxxxx-xxx-xxxx-xxxx-xxxxxd96cc",
      "Sid": "AllowLambdaAccessToKMSKey"
    }
  ],
  "Version": "2012-10-17"
}
Keep this least privilege. Reading a secret needs GetSecretValue (DescribeSecret lets the cache check version stages) and kms:Decrypt on the key that encrypts it; kms:Encrypt, GenerateDataKey and ReEncrypt are only needed by a function that also writes secrets. The KMS statement applies to a customer managed key; a secret under the default aws/secretsmanager key needs no extra KMS grant. Scope Resource to the secret's ARN instead of "*" (Secrets Manager appends a random suffix to the name, hence the trailing -*).
Or you can create and invoke the function via the web console.
Reference
- https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-go.html
- https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-go_cache.html
- https://docs.aws.amazon.com/lambda/latest/dg/golang-logging.html
Conclusion
Handling secrets within a Lambda function becomes a breeze with the AWS SDK and the secret cache. The same pattern extends to other operations: reading earlier versions of a secret, orchestrating secret rotation and updates, or even deleting secrets through automated processes.
My next post will show how to build all of the above with a single click using Terraform. Stay tuned, and catch you later!