This Lambda Layer provides a safe and efficient way to generate environment variables for your Lambda functions based on values stored in AWS Secrets Manager.
This bash script acts as a wrapper for your Lambda function, performing the following tasks:
- The Lambda service responds to an event and initializes the Lambda context.
- The wrapper script is called as part of the Lambda init phase.
- The wrapper script calls a Golang executable passing in the ARN for the secret to retrieve.
- The Golang executable uses the Secrets Manager API to retrieve the decrypted secret.
- The wrapper script converts the information into environment variables and calls the next step in processing.
- The script creates a temporary file to store environment variables.
- It executes a Rust binary (`env-vars-from-secrets-manager`) that:
  - Retrieves the specified secrets from AWS Secrets Manager.
  - Processes the secrets according to the prefix and transformation options.
  - Writes the environment variables to the temporary file.
- The variables in the temporary file are loaded into the environment.
- The script handles the layer execution chain, ensuring that it executes correctly if there are multiple layers.
- Finally, it executes the Lambda function with the configured environment.
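The steps above, as an added example that is not the layer's own `/opt/retrieve-secrets` script: a minimal POSIX sh wrapper with the same shape (temporary file, external binary, load, exec). The binary path, its command line (env file path as first argument) and the KEY=VALUE file format are assumptions.

```shell
#!/bin/sh
# Added example, not the layer's own wrapper. Assumptions: the binary path and
# its CLI (env file path as first argument, ARNs read from SECRETS_ARN) are
# hypothetical, and the binary writes one shell-quoted KEY=VALUE line per secret.
set -eu

SECRETS_BIN="${SECRETS_BIN:-/opt/env-vars-from-secrets-manager}"

# All messages carry the [Secret] prefix so they are easy to find in CloudWatch.
log() { echo "[Secret] $*" >&2; }

# mktemp creates the file with mode 0600, so only this user can read it while
# it exists; umask 077 keeps anything else created here private as well.
make_env_file() {
  umask 077
  mktemp /tmp/secrets.XXXXXX
}

# Number of KEY=VALUE lines; logged so that a secret with many keys is visible
# before Lambda's environment limit causes a confusing failure.
count_vars() {
  grep -c '=' "$1" || true
}

# Export every KEY=VALUE line, then delete the file at once: the secrets should
# live only in the process environment, not on the /tmp filesystem.
# Sourcing the file executes it as shell, so values must be properly quoted.
load_env_file() {
  set -a
  . "$1"
  set +a
  rm -f "$1"
}

# Wrapper entry point: the Lambda service passes the runtime command as "$@".
run_wrapper() {
  [ -n "${SECRETS_ARN:-}" ] || { log "SECRETS_ARN is not set"; exit 1; }
  env_file=$(make_env_file)
  # Remove the file even if retrieval fails, so no secret lingers in /tmp.
  trap 'rm -f "$env_file"' EXIT
  "$SECRETS_BIN" "$env_file" || { log "secret retrieval failed"; exit 1; }
  log "loaded $(count_vars "$env_file") variable(s)"
  load_env_file "$env_file"
  # Replace this shell with the runtime so the function sees the environment.
  exec "$@"
}

# Usage from the layer script: run_wrapper "$@"
```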
To use this layer in your Lambda function:
- Add this layer to your Lambda function configuration.
- Set the following environment variables in your Lambda function:
  - `AWS_LAMBDA_EXEC_WRAPPER`: `/opt/retrieve-secrets`
  - `SECRETS_ARN`: ARNs of the secrets in AWS Secrets Manager, separated by commas without spaces.
  - `SECRETS_PREFIX` (optional): Prefix for the generated environment variables.
  - `SECRETS_TRANSFORM` (optional): Transformation option for variable names (e.g., "lower" for lowercase, "upper" for uppercase).
The layer will automatically retrieve the specified secrets and set them as environment variables before your function code executes.
Examples:
- Ensure that your Lambda function has the necessary IAM permissions to access the specified secrets in AWS Secrets Manager.
- The script creates a temporary file in /tmp to store secrets briefly. This file is deleted immediately after use, but be aware of this transient storage.
- The layer assumes that secrets in AWS Secrets Manager are stored in JSON format.
- There's a limit to the number of environment variables that can be set in a Lambda function. Be mindful of this when retrieving large numbers of secrets.
If you encounter issues:
- Check the CloudWatch logs for your Lambda function. The script logs errors prefixed with `[Secret]`.
- Ensure the `SECRETS_ARN`, `SECRETS_PREFIX`, and `SECRETS_TRANSFORM` environment variables are set correctly.
- Verify that your Lambda function has the necessary permissions to access AWS Secrets Manager.